LDAP as attack vector could power Terabit-Scale LDAP DDoS Attacks

Security experts observed attackers launching a powerful LDAP DDoS, the new amplification method could peak Terabit-Scale attacks.

LDAP DDoS attacks are the novelty in the threat landscape, the Lightweight Directory Access Protocol (LDAP) protocol could be abused to power massive DDoS attacks.

The LDAP is an open standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.

The experts at the DDoS mitigation provider Corero Network Security confirmed that an LDAP DDoS attack has been already observed in a live incident. The attack leverages on a CLDAP zero-day vulnerability, a similar attack has been observed last week, and experts believe that could become another option in the arsenal of hackers in the wild.

Abusing the LDAP protocol it is possible to obtain an amplification factor of 46x, that in specific conditions could peak at 55x.

The experts from Corero explained that the attacker could send a query from a spoofed address (the victim address) to a vulnerable reflector supporting the Connectionless LDAP service (CLDAP).

The CLDAP service, then sends the response to the spoofed address, of course, the size of the response is much larger than the original query.

“In this case, the attacker sends a simple query to a vulnerable reflector supporting the Connectionless LDAP service (CLDAP) and using address spoofing makes it appear to originate from the intended victim. The CLDAP service responds to the spoofed address, sending unwanted network traffic to the attacker’s intended target.” reads a blog post published by Corero.

“Amplification techniques allow bad actors to intensify the size of their attacks, because the responses generated by the LDAP servers are much larger than the attacker’s queries. In this case, the LDAP service responses are capable of reaching very high bandwidth and we have seen an average amplification factor of 46x and a peak of 55x.”

LDAP DDoS attacks could cause serious damage, experts confirmed that they can peak at tens of terabits per second in volume of traffic.

“When combined with other methods, particularly IoT botnets, we could soon see attacks reaching previously unimaginable scale, with far-reaching impact. Terabit scale attacks could soon become a common reality and could significantly impact the availability of the Internet– at least degrading it in certain regions,” said Dave Larson, CTO/COO at Corero Network Security, explains.

Pierluigi Paganini

[adrotate banner=”22″]

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.


10th Anniversary Exclusive Top 100 CISO Conference & Innovators Showcase