What ISPs Need To Know About CLDAP DDoS Attack Vectors
In October 2016, around the time of the Internet-shattering DDoS attack against the DNS provider Dyn, Corero disclosed a significant zero-day DDoS attack vector. The newly discovered attack is an amplification technique that takes advantage of the Connectionless Lightweight Directory Access Protocol (CLDAP), which is LDAP carried over UDP on port 389. LDAP is one of the most widely used protocols for accessing username and password information in directories such as Active Directory, which is integrated into many online servers. When an Active Directory server is incorrectly configured and exposes its CLDAP service to the Internet, it can be leveraged as a reflector for DDoS attacks: UDP carries no handshake, so an attacker can send small queries with the victim's spoofed source address and the server delivers its much larger replies to the victim.
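The following check shows what "exposes the CLDAP service to the Internet" means in practice. It is an added example, not code from Corero or from the original page: it builds the 39-byte CLDAP rootDSE search request (an empty base DN, base scope, filter (objectClass=*), all attributes) that amplification attacks rely on, sends it to a host on UDP/389 and reports how many bytes come back per byte sent. The port, the `probe_cldap` and `amplification_factor` names and the BER helpers are assumptions of this example; CLDAP on UDP port 389 and the LDAP message layout are standard. Run it only against domain controllers you are authorised to test.

```python
"""Check whether a host answers CLDAP (UDP/389) rootDSE queries and measure the
amplification it offers.  Added example, not Corero's code.  Only probe hosts you
are authorised to test."""
import socket

CLDAP_PORT = 389  # CLDAP is LDAP over UDP; the well-known port is 389


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content


def read_tlv(buf: bytes):
    """Decode one BER TLV; returns (tag, content, remaining_bytes)."""
    tag, first = buf[0], buf[1]
    if first < 0x80:
        length, start = first, 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    return tag, buf[start:start + length], buf[start + length:]


def build_cldap_rootdse_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, SearchRequest base="" scope=base filter=(objectClass=*) }.
    An empty base with base scope asks for the rootDSE, which a domain controller
    answers with a reply many times larger than this 39-byte query."""
    search = (
        tlv(0x04, b"")               # baseObject: "" -> rootDSE
        + tlv(0x0A, b"\x00")         # scope: baseObject
        + tlv(0x0A, b"\x00")         # derefAliases: neverDerefAliases
        + tlv(0x02, b"\x00")         # sizeLimit: 0 (no limit)
        + tlv(0x02, b"\x00")         # timeLimit: 0 (no limit)
        + tlv(0x01, b"\x00")         # typesOnly: FALSE
        + tlv(0x87, b"objectClass")  # filter: present [7] -> (objectClass=*)
        + tlv(0x30, b"")             # attributes: empty list -> all user attributes
    )
    # 0x63 is [APPLICATION 3], the SearchRequest protocolOp
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x63, search))


def response_message_id(datagram: bytes) -> int:
    """Return the messageID of an LDAPMessage datagram, to match replies to our query."""
    tag, body, _ = read_tlv(datagram)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    id_tag, id_bytes, _ = read_tlv(body)
    if id_tag != 0x02:
        raise ValueError("missing messageID INTEGER")
    return int.from_bytes(id_bytes, "big")


def amplification_factor(request_len: int, response_lens) -> float:
    """Bytes returned per byte sent: the gain an attacker spoofing a victim's address gets."""
    return sum(response_lens) / request_len


def probe_cldap(host: str, timeout: float = 2.0):
    """Send one rootDSE query and collect every datagram that arrives before the timeout.
    Returns (amplification_factor, datagram_count); a factor of 0.0 means no answer,
    which is the state an Internet-facing domain controller should be in."""
    request = build_cldap_rootdse_request(message_id=7)
    sizes = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, CLDAP_PORT))
        try:
            while True:
                data, _ = s.recvfrom(65535)
                if response_message_id(data) == 7:  # ignore unrelated datagrams
                    sizes.append(len(data))
        except socket.timeout:
            pass
    return amplification_factor(len(request), sizes), len(sizes)


if __name__ == "__main__":
    import sys
    factor, count = probe_cldap(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1")
    print(f"{count} datagram(s) received, amplification factor {factor:.1f}x")
```

A domain controller that answers this query from an arbitrary Internet address is a usable reflector; the fix on the server side is to block UDP port 389 at the perimeter, since there is no legitimate reason for Internet hosts to reach CLDAP on a domain controller.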
At the time of disclosure, Corero's DDoS mitigation team had observed only a handful of short but extremely powerful CLDAP attacks against its protected customers. Since October 2016, however, the Corero Security Operations team has seen significant use of the CLDAP vector in attack attempts against those customers.
These powerful, short-duration attacks can degrade service availability to the point of outage, or act as a smokescreen for other cyber-attacks, including those aimed at breaching personally identifiable data.
It is critical that Internet service providers, as well as digital enterprises, take proactive measures to eliminate the effects of DDoS attacks, including those that exploit exposed CLDAP servers. For domain controllers that starts with not exposing UDP port 389 to the Internet at all; for providers, filtering traffic with spoofed source addresses at the network edge removes the reflection that amplification attacks depend on.
Effective mitigation for these attacks must take effect instantly and automatically. Waiting minutes, tens of minutes or longer, which is typical of the time-to-mitigation for cloud DDoS services, on-demand scrubbing operations or human analysts, is too little, too late against an attack that may be over before the mitigation arrives.