Yes, CLDAP Reflection Attacks are increasingly used in DOS attacks! Everyone was warned! We have lots of data which illustrated how CLDAP is being used for reflection DOS attacks. Now we have the news from Netlab 360 that CLDAP is now the #3 protocol used for DOS reflection attacks – CLDAP is Now the No.3 Reflection Amplified DDoS Attack Vector, Surpassing SSDP and CharGen. The attack vector is growing surpassing SSDP and CharGEN for the #3 spot. This means people who are exploiting CLDAP are finding success and using the complacency in the industry to their criminal benefit. 

(Credit – Netlab 360)

Why is CLDAP Reflection Attacks Increasing? 

The increase is directly related to success. If the criminal behind the Reflection DOS is able to meet their DOS objective with CLDAP, then repeating with the next attack is logical. Finding more CLDAP resources for the attack is just a matter of scanning. So the bottom line is that we’re getting these attack for three reasons:

1. Enterprises are not filtering the CLDAP (udp port 389) on all traffic to (ingress) and from (egress) on their network.
2. Service Providers (ISPs and Carriers) are not putting the CLDAP port in the Exploitable Port Filtering (some don’t have any).
3. Cloud Operator are allowing customers to create new instances with CLDAP open to the world, making each new instance a CLDAP DOS reflector with the power of the “cloud.”

What can you do?

If you are an Enterprise, check your packet filtering rules to make sure CLDAP ports are filters on the ingress/egress (coming into and out of your network). Then call your Internet providers. Ask them what they put in their Exploitable Port Filters. If they do not have this type of basic security, seek out an Internet provider who cares about the security of their customers.

If you are a Service Provider (Carrier/ISP), update your Exploitable Port Filter. Monitor those rule to track the baseline and if there are any new spike of activity.

If you do not have Exploitable port filters, please reconsider your role on the Internet. This type of filtering has a long track record of success. It protects your customers. It protects your network. It protects your Internet.

Reference articles for CLDAP Reflection Attacks

The following are good reference articles. After reading through them, you should see the point of the recommendation to port filter the CLDAP (udp port 389) on all traffic to (ingress) and from (egress) on your network.

• Corero Warns of Powerful New DDoS Attack Vector with Potential for Terabit-Scale DDoS Events
• Akamai Threat Advisory – CLDAP Reflection DDoS Risk Factor: Medium
• CLDAP Protocol Allows DDoS Attacks with 70x Amplification Factor
• IXIA – Following the Crumbs-Deconstructing the CLDAP DDoS Reflection Attack
• CLDAP is Now the No.3 Reflection Amplified DDoS Attack Vector, Surpassing SSDP and CharGen

 

Need Security Advice?

If you find your organization needs help and worry about the FUD from the industry, reach out and ask for help. You can reach me at bgreene@senki.org. Start with the Operator’s Security Toolkit. It is the no-nonsense security for all Operators. It provides details to help them build more security resilient networks. In the meantime, stay connected to the Senki Community to get updates on new empowerment and security insights.