
How can a DDoS reflection attack abuse CLDAP?

A new exploit of CLDAP servers can be used for a DDoS reflection attack that gives attackers a 70x boost. Nick Lewis explains how to defend against this new threat.

Akamai researchers discovered the Connectionless Lightweight Directory Access Protocol being increasingly used in reflection attacks, a method which enables DDoS campaigns to be carried out more efficiently. What are the benefits of using CLDAP, and how can the attacks be mitigated?

Researchers at content delivery network giant Akamai Technologies Inc. recently identified an emerging distributed denial-of-service (DDoS) reflection attack that exploits CLDAP, the connectionless version of the Lightweight Directory Access Protocol (LDAP).

CLDAP uses the connectionless User Datagram Protocol (UDP) as its transport rather than the connection-oriented Transmission Control Protocol (TCP) that LDAP uses. Both protocols are used to assign IP addresses to new hosts connecting to a network, and attackers can use compromised servers to generate a massive number of CLDAP requests to overwhelm a target.

The new CLDAP DDoS reflection attack has an amplification factor of up to 70x, making it one of the most effective UDP protocols for abuse.

Defending against DDoS reflection attacks often requires a multipronged effort, and it can take many different parties across the internet to effectively manage the threat from such attacks. DDoS attacks often involve externalities that can be a challenge for enterprises to manage, and cooperation between all the involved parties may be necessary to mitigate these attacks.

Enterprises can implement DDoS mitigation tools and services to protect against DDoS reflection attacks, but that's not all they should do to prevent them. They should also ensure none of their systems are exploited for use in DDoS attacks. Manufacturers also need to take steps to ensure that the devices they offer have minimal security controls.

Implementing minimal security controls means disabling any functionality that is not necessary on internet-exposed systems. Services such as the Domain Name System (DNS), Network Time Protocol (NTP) or other internet protocols should be disabled if they are unrelated to the system's core function; doing so prevents the device from being used as a reflector in a DDoS attack.

Enterprises can also protect systems that provide frequently abused services, like DNS or NTP, to client systems by firewalling them from the internet. Internet-facing services can also be protected by rate limiting or by other outbound protection methods, such as those described in the Internet Engineering Task Force's Best Current Practice No. 38 document, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing."

Mitigation of this reflection attack begins with understanding the CLDAP protocol, as well as answering the question of why an enterprise would have a CLDAP or LDAP server, which is used to assign IP addresses to hosts on a local network, accessible directly from the internet. The most effective mitigation may be to block access to LDAP servers from the internet.
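As an added example (not code from the article's author or from Akamai), the following script applies the amplification idea above from the defender's side: it reads NetFlow-style records from an organisation's own CLDAP server and flags external peers that are receiving large, heavily amplified UDP/389 answers, which is what a server already abused as a reflector looks like. The flow records, the record layout and the 10.0.0.0/8 internal range are all constructed assumptions.

```python
"""Detect a CLDAP server being abused as a DDoS reflector from UDP flow records.
Added example, not code from the article's author or Akamai. Flow records are
constructed; their (proto, src, sport, dst, dport, bytes) layout is assumed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

CLDAP_PORT = 389                            # CLDAP runs over UDP/389
INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumed: our own address space
RATIO_THRESHOLD = 10.0    # answer bytes / query bytes; the article cites up to 70x
MIN_BYTES_OUT = 10_000    # ignore peers that received little traffic

# Constructed records: (proto, src, sport, dst, dport, bytes); 10.0.0.10 is the server
FLOWS = [
    ("UDP", "10.0.0.5", 51234, "10.0.0.10", 389, 120),       # internal client query
    ("UDP", "10.0.0.10", 389, "10.0.0.5", 51234, 400),       # normal-sized answer
    ("UDP", "198.51.100.20", 41000, "10.0.0.10", 389, 200),  # external peer, 3x answer
    ("UDP", "10.0.0.10", 389, "198.51.100.20", 41000, 600),
    ("TCP", "203.0.113.7", 50000, "10.0.0.10", 389, 5000),   # TCP LDAP, not CLDAP
] + [
    # three spoofed 52-byte queries "from" the victim, each answered with 3640 bytes
    rec for _ in range(3) for rec in (
        ("UDP", "203.0.113.7", 40000, "10.0.0.10", 389, 52),
        ("UDP", "10.0.0.10", 389, "203.0.113.7", 40000, 3640),
    )
]

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def reflection_report(flows, server_ip, port=CLDAP_PORT):
    """Per remote peer: query bytes received, answer bytes sent, and their ratio."""
    bytes_in, bytes_out = defaultdict(int), defaultdict(int)
    for proto, src, sport, dst, dport, nbytes in flows:
        if proto != "UDP":
            continue
        if dst == server_ip and dport == port:       # query aimed at our CLDAP port
            bytes_in[src] += nbytes
        elif src == server_ip and sport == port:     # answer we sent out
            bytes_out[dst] += nbytes
    return {peer: {"bytes_in": bytes_in[peer], "bytes_out": bytes_out[peer],
                   "ratio": bytes_out[peer] / bytes_in[peer] if bytes_in[peer] else float("inf")}
            for peer in set(bytes_in) | set(bytes_out)}

def suspected_victims(report, threshold=RATIO_THRESHOLD, min_out=MIN_BYTES_OUT):
    """External peers receiving large, heavily amplified CLDAP answers."""
    return sorted(peer for peer, s in report.items() if not is_internal(peer)
                  and s["ratio"] >= threshold and s["bytes_out"] >= min_out)

if __name__ == "__main__":
    print(suspected_victims(reflection_report(FLOWS, "10.0.0.10")))
```

A peer that appears in this list is a likely DDoS victim being hit through your server, which is the cue to block UDP/389 from the internet as the article recommends.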
