DDoS Attack on AWS Sets a New Size Record


Amazon recently reported that in February of this year its AWS Shield protection service thwarted the world’s largest DDoS attack by volume, which registered a whopping 2.3 Tbps (the previous record was 1.7 Tbps). The cybercriminals used CLDAP (Connection-less Lightweight Directory Access Protocol) as the attack vector. LDAP is one of the most widely used protocols for authenticating username and password information in databases like Active Directory, which is integrated in many online servers.

Corero researchers were amongst the first to discover the CLDAP vector, during an attempted amplification attack on one of our managed service customers in October 2016, and we predicted that it would lead to record-setting attacks that are Terabits per second in size. At the time, it was a zero-day attack on a Corero customer, which means it had never been used before in the wild. Even with no previous knowledge of LDAP over UDP being used as an attack vector, our SmartWall Defense solution automatically mitigated that zero-day attack, with no outages reported and no human intervention required. This was a result of SmartWall’s innovative, patented, heuristic-based “Smart-Rule” mechanism for blocking attacks based on their behavior rather than by the use of static signatures. The Smart-Rule mechanism was further validated a couple of days later, when one of our customers with 100 Gbps of protection was targeted by a 70 Gbps CLDAP attack, which was also automatically mitigated.

When new attack vectors appear, it is critical to carry out forensic-level analysis to determine whether the entire attack was blocked and to ensure no collateral damage occurred. Once new attacks are fully understood, they can be defended against using surgically accurate exact match filters. These custom exact match rules leverage closed-loop policy, allowing for rapid filter creation and deployment, which makes it possible to respond dynamically to the evolving nature of today’s sophisticated DDoS attacks.

As we noted back then, the CLDAP vector has the power to effect DDoS attacks that are Terabits in scale. Since its discovery, our researchers have observed a total of 53,456 CLDAP DDoS attacks, most of which targeted hosting and Internet service providers. Once cybercriminals realized its power to launch massive DDoS attacks, it became a common weapon in the arsenal of DDoS-for-hire services.

Here’s how the CLDAP vector is used for a DDoS attack:

An attacker sends a simple query to a vulnerable reflector that supports the LDAP service over UDP (hence the term connectionless, CLDAP) and, using address spoofing, makes it appear to originate from the intended victim. The LDAP service responds to the spoofed address, sending unwanted network traffic to the attacker’s intended target. Amplification techniques allow bad actors to intensify the size of their attacks, because the responses generated by the LDAP servers are much larger than the attacker’s queries. The LDAP service responses are capable of reaching very high bandwidth; we have seen an average amplification factor of 46x and a peak of 55x.
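Seen from the victim's network, the reflection described above shows up as UDP replies from source port 389 that match no outgoing query, arriving from many servers at once. The following is an added example, not Corero's or AWS's detection logic; the flow-record layout, the sample records and both thresholds are constructed assumptions.

```python
from collections import defaultdict

CLDAP_PORT = 389  # LDAP over UDP

# Constructed flow records (documentation IP ranges):
# (src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    # Legitimate lookup: the client's query is visible, so the reply is solicited.
    ("203.0.113.20", 40000, "192.0.2.53", 389, "udp", 60),
    ("192.0.2.53", 389, "203.0.113.20", 40000, "udp", 2900),
    # LDAP over TCP is not part of the connectionless vector; ignored.
    ("192.0.2.53", 389, "203.0.113.20", 40001, "tcp", 4000),
    # Large replies from several servers to a host that never queried them.
    ("198.51.100.1", 389, "203.0.113.10", 80, "udp", 3000),
    ("198.51.100.2", 389, "203.0.113.10", 80, "udp", 2950),
    ("198.51.100.3", 389, "203.0.113.10", 80, "udp", 3010),
    ("198.51.100.4", 389, "203.0.113.10", 80, "udp", 2990),
    # One stray reply: below the reflector threshold.
    ("198.51.100.1", 389, "203.0.113.30", 53000, "udp", 3000),
]


def find_reflection_targets(flows, min_reflectors=3, min_bytes=5000):
    """Return {victim_ip: {"reflectors": n, "bytes": total}} for hosts receiving
    unsolicited UDP/389 replies from at least min_reflectors distinct sources.
    Both thresholds are illustrative assumptions, not tuned values."""
    # Pass 1: remember (client, server) pairs where a CLDAP query was seen.
    queried = {(src, dst) for src, _, dst, dport, proto, _ in flows
               if proto == "udp" and dport == CLDAP_PORT}

    # Pass 2: total up UDP/389 replies that match no observed query.
    seen = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for src, sport, dst, _, proto, nbytes in flows:
        if proto != "udp" or sport != CLDAP_PORT:
            continue
        if (dst, src) in queried:
            continue  # solicited reply to a query that left this host
        seen[dst]["reflectors"].add(src)
        seen[dst]["bytes"] += nbytes

    return {
        ip: {"reflectors": len(s["reflectors"]), "bytes": s["bytes"]}
        for ip, s in seen.items()
        if len(s["reflectors"]) >= min_reflectors and s["bytes"] >= min_bytes
    }


if __name__ == "__main__":
    for ip, summary in find_reflection_targets(SAMPLE_FLOWS).items():
        print(ip, summary)
```

On the sample records only 203.0.113.10 is reported; the solicited reply, the TCP flow and the single stray reply are not.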

With many of today’s DDoS attack techniques, it is just not possible for legacy mitigation solutions to accurately and rapidly discern good (legitimate) traffic from bad (DDoS) traffic, especially as we increasingly see several vectors combined in the same attack. A modern automatic DDoS solution surgically blocks the bad traffic in real time and allows good traffic to pass through uninterrupted, on a packet-by-packet basis, using granular detection mechanisms with accurate filters that automatically remove just the DDoS packets.

For over a decade, Corero has been providing state-of-the-art, highly-effective, real-time automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments.

Sean Newman is VP Product Management, responsible for Corero’s product strategy. Sean brings over 25 years of experience in the security and networking industry to guide Corero’s growing leadership in the real-time DDoS protection market. Prior to joining Corero, Sean’s roles included network security Global Product Manager for Cisco, which he joined as part of its acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.