How CLDAP Reflectors Enable DDoS Attacks and Ways to Reduce Your Exposure
CLDAP, or Connectionless Lightweight Directory Access Protocol, is only one of many protocols abused in UDP amplified reflection attacks, but it has become a preferred tool for distributed denial of service (DDoS) threat actors. Let's look at why reflection attacks are gaining momentum and how to defend against them.
Organizations can protect themselves from reflection attacks if they prepare for both prevention and response. But the root cause also needs attention: systems left misconfigured by administrators who do not realize they are exposing a reflector.
What is a UDP Amplified Reflection Attack?
To define a UDP amplified reflection attack, let’s break it down into its components, starting with UDP.
UDP, the User Datagram Protocol, is part of the TCP/IP suite. It runs at OSI Layer 4 and builds datagrams by taking the data handed down from higher layers and prepending an 8-byte header carrying the source port, destination port, length and a checksum. Unlike TCP, UDP is connectionless: it sends a datagram and forgets it, with no acknowledgement, retransmission or any other way of knowing whether the datagram reached its destination.
Connectionless delivery is faster than connection-oriented TCP, which guarantees delivery. It also offers a low-cost way to launch denial of service attacks. A UDP service answers whatever source address appears in the datagram, and nothing verifies that address, so the sender can forge it. The same trick usually does not work with TCP, because the three-way handshake would have to complete with the forged address before any data is exchanged.
LDAP normally runs over TCP, but there are rare cases where it runs over UDP; this variant is called CLDAP. In either form, the protocol queries directory services such as Active Directory, which return information about users and services: account names, manager, email address and whatever other attributes the organization stores in the directory.
Domain controllers should never be directly exposed to the Internet, but when they are, they join the millions of other devices that can be used as reflectors in UDP reflection attacks.
Reflection becomes possible when an organization exposes to the Internet any UDP service that answers unsolicited requests, as shown in Figure 1.
Figure 1: Simple reflection
After finding an exposed UDP service such as CLDAP:
- The threat actor sends a request to the exposed service, with the source address of the datagram spoofed to be the victim's server IP address.
- The abused service sends its response, one or more packets, to the spoofed source address, that is, to the victim's server.
- The victim's server receives the unsolicited response and eventually discards it, but not before spending bandwidth, CPU and socket buffers on it.
This simple, single-source version will not cause the victim much trouble, and the attacker's own traffic toward the reflector would be relatively easy to trace. Let's escalate the attack while masking the threat actor's location.
In Figure 2, the threat actor has contracted with a bot service provider to launch a distributed reflection attack. The provider directs a portion of its bots to send requests, each still spoofed with the victim's address, to the CLDAP service exposed on misconfigured devices it has already identified. Thousands of such reflectors are known to bot operators.
Figure 2: DDoS attack by amplified reflection
This enables a distributed denial of service attack that does not reveal the identity of the threat actor who wishes to disrupt the target's services. There is also another element: amplification.
Some services return a much larger response than the request that triggered it. CLDAP, for example, can reach an amplification factor of about 70X: a typical 52-byte request can cause a reflector to return up to 3640 bytes (70 x 52). Amplification lets the attacker overwhelm the target with far fewer requests, since the reflectors generate most of the bytes.
CLDAP, reachable on UDP port 389, has one of the largest amplification factors, which is why it has become so popular. Table 1 lists other common services that attackers use for reflection attacks and their amplification factors.
Table 1: Main amplification factors
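The following script is an added example, not code from the original article. It is the defender's version of the exchange in Figure 1: it sends one CLDAP root DSE search to a host you control (for instance the public IP of a domain controller you suspect is exposed), collects every reply datagram, and reports the amplification factor the way it is computed above (bytes returned per byte sent). The query is hand-encoded BER per RFC 4511 so no LDAP library is needed. The request it builds is 39 bytes, smaller than the 52-byte request quoted above, so the ratio it reports will differ from the page's 70X figure; the host name is taken from the command line and nothing on the page specifies it.

```python
#!/usr/bin/env python3
"""Probe a host for CLDAP (LDAP over UDP/389) and measure the amplification
factor of its reply, using a hand-encoded root DSE search (RFC 4511 BER)."""
import socket
import sys
from typing import List, Optional, Tuple


def ber_len(n: int) -> bytes:
    """BER length octets: one byte below 128, otherwise 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def build_rootdse_search(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, SearchRequest } asking for the root DSE: base "",
    scope baseObject, filter (objectClass=*), no attribute list (all user attributes).
    This is the kind of small query a CLDAP reflector is asked to amplify."""
    if not 1 <= message_id <= 127:
        raise ValueError("message_id must fit in one positive BER INTEGER octet")
    search = (
        tlv(0x04, b"")               # baseObject: "" (root DSE)
        + tlv(0x0A, b"\x00")         # scope: baseObject(0)
        + tlv(0x0A, b"\x00")         # derefAliases: neverDerefAliases(0)
        + tlv(0x02, b"\x00")         # sizeLimit: 0 = no limit
        + tlv(0x02, b"\x00")         # timeLimit: 0 = no limit
        + tlv(0x01, b"\x00")         # typesOnly: FALSE
        + tlv(0x87, b"objectClass")  # filter: present [7] -> (objectClass=*)
        + tlv(0x30, b"")             # attributes: empty SEQUENCE -> all user attributes
    )
    # 0x63 = [APPLICATION 3] constructed = SearchRequest
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x63, search))


def read_tlv(data: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Decode one BER TLV at pos; returns (tag, value, position after it)."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(data[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    return tag, data[pos:pos + length], pos + length


def parse_message_id(datagram: bytes) -> Optional[int]:
    """Return the messageID of an LDAPMessage, or None if the bytes are not one."""
    try:
        tag, body, _ = read_tlv(datagram)
        itag, ival, _ = read_tlv(body)
    except IndexError:
        return None
    if tag != 0x30 or itag != 0x02 or not ival:
        return None
    return int.from_bytes(ival, "big", signed=True)


def amplification_factor(request: bytes, responses: List[bytes]) -> float:
    """Bytes returned per byte sent; the page's 52-byte/3640-byte case gives 70.0."""
    return sum(len(r) for r in responses) / len(request)


def probe(host: str, port: int = 389, timeout: float = 3.0) -> Tuple[bytes, List[bytes]]:
    """Send one root DSE search over UDP and collect every reply datagram
    (a reflector may answer with several) until the socket goes quiet."""
    request = build_rootdse_search(1)
    replies: List[bytes] = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            while True:
                data, _ = sock.recvfrom(65535)
                if parse_message_id(data) == 1:   # ignore stray datagrams
                    replies.append(data)
        except socket.timeout:
            pass
    return request, replies


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <host>   # e.g. the public IP of your own domain controller")
    req, resp = probe(sys.argv[1])
    if not resp:
        print(f"{sys.argv[1]}: no CLDAP answer on UDP/389; not usable as a reflector")
    else:
        print(f"{sys.argv[1]}: {len(resp)} reply datagram(s), {sum(map(len, resp))} bytes "
              f"for a {len(req)}-byte request, amplification {amplification_factor(req, resp):.1f}x")
```

Run it from outside your perimeter against your own addresses only; any host that answers is a reflector someone else can point at a victim, and the fix is to stop UDP/389 from reaching it from the Internet. The probe sends from your real address, so it tells you nothing about spoofing, only about exposure and response size.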
Why CLDAP is Commonly Exposed
Besides having a large amplification factor, CLDAP is often exposed to the Internet without its administrators' knowledge.
According to David Allen, editor at onmsft.com, threat actors have used CLDAP for reflection attacks since around 2007. The number of open CLDAP instances, and of the DDoS attacks that abuse them, has grown, likely because of an almost 60% increase in exposed CLDAP endpoints over the past year. Black Lotus Labs largely blames Microsoft.
Black Lotus Labs notes that CLDAP has never been fully implemented in most products, but Microsoft automatically enables a partial implementation when a domain controller is promoted. That implementation serves a single operation, the LDAP ping, which Microsoft says it uses only to determine "...if the services are live on a domain controller...."
Many, if not most, organizations lack a dedicated internal security team. They may also lack security-conscious network staff who make sure unwanted exposure to the Internet is blocked, for example by filtering inbound UDP port 389 at the perimeter. The result is domain controllers exposed to the Internet, which is never a good idea for the domain owner: it is a security incident waiting to happen, and it hands attackers a ready-made reflector.
Exposure of CLDAP, NTP and other reflective protocols results from misconfigured networks and systems. The organizations that end up as victims can do little about someone else's misconfiguration, the situation is only getting worse, and it calls for a solid defense.
Defend against reflection attacks
Some defenses against reflection attacks have undesirable side effects on a network, so some or all of the protections listed below may only be switched on once incident response begins, typically by engaging a cloud mitigation service that can rapidly put in place what is needed to keep customer-facing services running.
Another option is to route all Internet traffic permanently through a service provider that monitors for and responds quickly to any kind of DDoS attack and offers some level of always-on filtering. Cloud providers such as Azure and Alibaba also offer DDoS detection and response capabilities.
Donald Shin, writing for A10, provides a set of protections to defend against reflection attacks.
Rate limiting. There are two types of rate limiting; the most common is source rate limiting, which tracks the elapsed time between incoming requests from each source IP address. If a source exceeds an expected, defined rate, its excess packets are dropped or it is told to slow down. This caps the number of reflected responses a victim must handle from any single reflector, though its value falls when the attack is spread thinly across thousands of reflectors that each send only a little.
Regular expression filter. A regex filter inspects packets for a defined byte pattern; if the pattern matches, the packet can be dropped. Reflected CLDAP replies all share a recognizable shape (UDP traffic from source port 389 carrying an LDAP search result), so a victim that runs no CLDAP service of its own can drop them outright.
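To make the difference between the two filters concrete, here is an added example (not from the article or from A10) that runs a per-source sliding-window rate limiter and a regex signature for reflected CLDAP replies over a constructed packet trace. The trace, the addresses (198.18.0.0/15 and 203.0.113.0/24, both reserved for documentation and testing) and the regex itself are my own assumptions; the reply framing it matches (an LDAPMessage whose protocolOp is SearchResultEntry) follows RFC 4511. The single-reflector case corresponds to Figure 1 and the 2000-reflector case to Figure 2.

```python
#!/usr/bin/env python3
"""Run a per-source rate limiter and a regex signature over a constructed packet
trace to show which one actually stops distributed CLDAP reflection."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List


@dataclass
class Packet:
    t: float        # arrival time in seconds
    src: str        # source IP (for reflected traffic this is the reflector, not the attacker)
    sport: int      # source UDP port
    dport: int      # destination UDP port at the victim
    payload: bytes
    attack: bool    # ground-truth label, used only for scoring


class SourceRateLimiter:
    """Sliding window: at most `limit` packets per `window` seconds from one source IP."""

    def __init__(self, limit: int, window: float = 1.0):
        self.limit, self.window = limit, window
        self._seen: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, p: Packet) -> bool:
        q = self._seen[p.src]
        while q and p.t - q[0] >= self.window:
            q.popleft()              # forget packets that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(p.t)
        return True


# Signature for a reflected CLDAP reply: LDAPMessage SEQUENCE (0x30), BER length,
# messageID INTEGER (0x02 with 1-4 octets), then SearchResultEntry ([APPLICATION 4] = 0x64).
CLDAP_REPLY = re.compile(
    rb"\A\x30(?:[\x00-\x7f]|\x81.|\x82..|\x83...|\x84....)"
    rb"\x02(?:\x01.|\x02..|\x03...|\x04....)\x64",
    re.DOTALL,
)


def is_reflected_cldap(p: Packet) -> bool:
    """Match only UDP traffic *from* port 389, i.e. replies the victim never asked for."""
    return p.sport == 389 and CLDAP_REPLY.match(p.payload) is not None


def fake_search_result_entry(size: int, msg_id: int = 1) -> bytes:
    """Constructed stand-in for a CLDAP SearchResultEntry reply of exactly `size` bytes
    (11 <= size <= 65546); the attribute body is zero-filled, only the framing matters."""
    filler = b"\x00" * (size - 11)
    entry = b"\x64\x82" + len(filler).to_bytes(2, "big") + filler
    body = bytes([0x02, 0x01, msg_id]) + entry
    return b"\x30\x82" + len(body).to_bytes(2, "big") + body


def single_source_trace(n: int = 200) -> List[Packet]:
    """Figure 1 style: one reflector on its own, 200 replies inside a second."""
    return [Packet(i * 0.004, "198.18.0.1", 389, 40000, fake_search_result_entry(3000), True)
            for i in range(n)]


def build_trace(reflectors: int = 2000, per_reflector: int = 2) -> List[Packet]:
    """Figure 2 style: a real client speaking QUIC (HTTP/3 over UDP 443) to the victim,
    plus many reflectors that each send only a couple of replies. All constructed."""
    pkts: List[Packet] = []
    for i in range(5):
        pkts.append(Packet(0.1 * i, "203.0.113.5", 51000, 443, b"\xc3\x00\x00\x00\x01" + b"\x00" * 60, False))
    for r in range(reflectors):
        src = f"198.18.{r // 250}.{r % 250 + 1}"
        for k in range(per_reflector):
            pkts.append(Packet(r * 0.0004 + k * 0.0001, src, 389, 40000 + r % 1000,
                               fake_search_result_entry(3000), True))
    pkts.sort(key=lambda p: p.t)
    return pkts


def evaluate(pkts: List[Packet], limit: int = 20, window: float = 1.0) -> Dict[str, int]:
    """Apply both filters independently to every packet and score them against the labels."""
    limiter = SourceRateLimiter(limit, window)
    score = {"total": 0, "attack": 0, "rate_limited": 0, "signature_dropped": 0, "false_positives": 0}
    for p in pkts:
        score["total"] += 1
        by_rate = not limiter.allow(p)
        by_sig = is_reflected_cldap(p)
        if p.attack:
            score["attack"] += 1
            score["rate_limited"] += int(by_rate)
            score["signature_dropped"] += int(by_sig)
        elif by_rate or by_sig:
            score["false_positives"] += 1
    return score


if __name__ == "__main__":
    print("single reflector :", evaluate(single_source_trace()))
    print("2000 reflectors  :", evaluate(build_trace()))
```

With a 20 packets/second per-source limit, the lone reflector loses 180 of its 200 replies to rate limiting, but in the distributed case every reflector stays under the limit and rate limiting drops nothing, while the signature drops all 4000 reflected replies and none of the client's traffic. The signature is only safe because the victim in this scenario runs no CLDAP service; a site that does must pin the filter to its own reflector-facing addresses instead.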
Additional safeguards include:
Traffic scrubbing: incoming traffic is diverted to a scrubbing center and cleaned of unwanted traffic before being forwarded. This builds on regex filtering and rate limiting, both of which can be part of scrubbing. Permanent scrubbing is often not an option because it can severely degrade performance.
Server redundancy: having more than one server to deliver customer services and support business operations is always a good plan, both for denial of service attacks and for unexpected spikes in demand. A cloud service that expands resources automatically can help during the first few minutes of a reflection attack, the critical window between the onset of the attack and an adequate response.
UDP amplified reflection attacks, such as those using CLDAP, are made possible by misconfigured networks that expose UDP services to the Internet. Educating business owners and their IT teams is a good start toward eliminating reflection opportunities.
Large organizations should include a search for protocols unnecessarily exposed to the Internet in their risk assessments. Teams should ensure that every port open to the Internet belongs to an explicitly documented IP address and port pair required for business operation.
All organizations should assume that there will always be UDP services exposed somewhere and prepare accordingly. They should also begin building detection for emerging TCP reflection attacks.
Until recently, TCP reflection was impractical because the TCP handshake left threat actors without control over the exchange. Threat actors have since found a way around this by abusing middleboxes, inline devices that perform network management tasks other than routing or switching.
Finally, we must assume that threat actors will always find a way to flood our resources. Organizations therefore need to plan for DDoS attacks, including documenting and rehearsing rapid responses, and those rehearsals must include the third-party denial of service mitigation providers the plan depends on.