Lightweight directory access protocol (LDAP) functions as a kind of internal search solution, helping companies find everything from contact information to encryption certificates and network services. As noted by SC Magazine, however, it’s also a serious threat vector.
Security firm Corero recently observed an LDAP attack that enabled cybercriminals to significantly amplify malicious distributed denial-of-service (DDoS) traffic and easily take down websites. Even worse, experts warned that, combined with an Internet of Things (IoT)-based effort, these attacks could reach “unprecedented bandwidth levels.” Here’s the lowdown on LDAP.
Ports in a Storm
Many companies are at risk of an LDAP attack but don’t realize it. Firewalls are often configured to leave port 389 open, allowing connectionless LDAP-based data communication. An attacker can query these protocol servers using a spoofed IP address, which sends a massive response to the intended target.
Corero observed three attacks with an average amplification of 46 times, reaching 55 times at peak. This yields a bandwidth range of 22 to 28 Gbps, much more than any network can reasonably handle.
This isn’t the first time LDAP issues have emerged. As noted by The Register, a flaw discovered in Cisco Prime made it possible for attackers to bypass authentication requirements and gain full admin access.
And, as Dark Reading pointed out, LDAP is only the most recent protocol to be exploited. According to Dave Larson of Corero, “novel amplification attacks like this occur because there are so many open services on the internet that will respond to spoofed queries.”
In addition to the more reasonable throughput of LDAP attacks, Corero also observed one that reached 70 Gpbs — a rate impossible to achieve with a single LDAP server. Experts suspect the effort required at least a small botnet to make high-volume queries of multiple LDAP servers and send them all to the same target.
The bigger worry here is that, combined with IoT-based threats, lightweight directory attacks could set new benchmarks for DDoS power. In fact, the framework already exists.
The BBC reported that home webcams and other connected consumer devices were recently leveraged to take down huge websites like Twitter, Reddit and Spotify. Add LDAP amplification into the mix, and DDoS attacks could reach traffic volumes substantial enough to wipe out web services almost instantaneously.
Preventing an LDAP Attack
The solution to this problem comes in two parts: First, companies need to check their firewall settings and make sure port 389 is never left open. If attackers can’t connect to LDAP servers, they can’t spoof or amplify traffic.
The other part of this puzzle relies on device manufacturers changing the way they do business — no more hardcoded passwords and no ability to leave default passwords in place once devices are activated. Businesses must also stop leaving passwords unchanged for months or allowing IoT devices unfettered network access.
LDAP attacks won’t be the last protocol-based DDoS to threaten corporate networks, but they do offer a worrisome glimpse of the future threat landscape. In the absence of private ports and secure IoT, DDoS is king.