Light Dark
October 27, 2016 By Douglas Bonderud 2 min read

Lightweight directory access protocol (LDAP) functions as a kind of internal search solution, helping companies find everything from contact information to encryption certificates and network services. As noted by SC Magazine, however, it’s also a serious threat vector.

Security firm Corero recently observed an LDAP attack that enabled cybercriminals to significantly amplify malicious distributed denial-of-service (DDoS) traffic and easily take down websites. Even worse, experts warned that, combined with an Internet of Things (IoT)-based effort, these attacks could reach “unprecedented bandwidth levels.” Here’s the lowdown on LDAP.

Ports in a Storm

Many companies are at risk of an LDAP attack but don’t realize it. Firewalls are often configured to leave port 389 open, allowing connectionless LDAP-based data communication. An attacker can query these protocol servers using a spoofed IP address, which sends a massive response to the intended target.

Corero observed three attacks with an average amplification of 46 times, reaching 55 times at peak. This yields a bandwidth range of 22 to 28 Gbps, much more than any network can reasonably handle.

This isn’t the first time LDAP issues have emerged. As noted by The Register, a flaw discovered in Cisco Prime made it possible for attackers to bypass authentication requirements and gain full admin access.

And, as Dark Reading pointed out, LDAP is only the most recent protocol to be exploited. According to Dave Larson of Corero, “novel amplification attacks like this occur because there are so many open services on the internet that will respond to spoofed queries.”

Bot Brigade

In addition to the more reasonable throughput of LDAP attacks, Corero also observed one that reached 70 Gpbs — a rate impossible to achieve with a single LDAP server. Experts suspect the effort required at least a small botnet to make high-volume queries of multiple LDAP servers and send them all to the same target.

The bigger worry here is that, combined with IoT-based threats, lightweight directory attacks could set new benchmarks for DDoS power. In fact, the framework already exists.

The BBC reported that home webcams and other connected consumer devices were recently leveraged to take down huge websites like Twitter, Reddit and Spotify. Add LDAP amplification into the mix, and DDoS attacks could reach traffic volumes substantial enough to wipe out web services almost instantaneously.

Preventing an LDAP Attack

The solution to this problem comes in two parts: First, companies need to check their firewall settings and make sure port 389 is never left open. If attackers can’t connect to LDAP servers, they can’t spoof or amplify traffic.

The other part of this puzzle relies on device manufacturers changing the way they do business — no more hardcoded passwords and no ability to leave default passwords in place once devices are activated. Businesses must also stop leaving passwords unchanged for months or allowing IoT devices unfettered network access.

LDAP attacks won’t be the last protocol-based DDoS to threaten corporate networks, but they do offer a worrisome glimpse of the future threat landscape. In the absence of private ports and secure IoT, DDoS is king.

 | 
Douglas Bonderud
Freelance Writer

More from

April 25, 2024

NIST’s role in the global tech race against AI

4 min read - Last year, the United States Secretary of Commerce announced that the National Institute of Standards and Technology (NIST) has been put in charge of launching a new public working group on artificial intelligence (AI) that will build on the success of the NIST AI Risk Management Framework to address this rapidly advancing technology.However, recent budget cuts at NIST, along with a lack of strategy implementation, have called into question the agency’s ability to lead this critical effort. Ultimately, the success…

April 24, 2024

Researchers develop malicious AI ‘worm’ targeting generative AI systems

2 min read - Researchers have created a new, never-seen-before kind of malware they call the "Morris II" worm, which uses popular AI services to spread itself, infect new systems and steal data. The name references the original Morris computer worm that wreaked havoc on the internet in 1988.The worm demonstrates the potential dangers of AI security threats and creates a new urgency around securing AI models.New worm utilizes adversarial self-replicating promptThe researchers from Cornell Tech, the Israel Institute of Technology and Intuit, used what’s…

April 23, 2024

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature