CLDAP Reflection DDoS

The Akamai Security Intelligence Response Team (SIRT) recently identified a new Connection-less Lightweight Directory Access Protocol (CLDAP) reflection and amplification method. This advisory analyzes the capabilities of and potential defenses against this new type of reflection attack.

Authors: Jose Arteaga & Wilber Mejia

1.0 / Overview /

On October 14, 2016, the Akamai Security Operation Center (SOC) began mitigating attacks for what was suspected to be Connection-less Lightweight Directory Access Protocol (CLDAP) reflection. This new reflection and amplification method has since been confirmed by the Akamai Security Intelligence Response Team (SIRT) and has been observed producing Distributed Denial of Service (DDoS) attacks comparable to Domain Name System (DNS) reflection in that most exceed 1 Gbps.

Like many other reflection and amplification attack vectors, this one would not be possible if proper ingress filtering were in place. Potential hosts are discovered through internet scans; filtering User Datagram Protocol (UDP) destination port 389 would eliminate the discovery of yet another potential host fueling attacks. This advisory covers the distribution of these sources, the methods of attack, and the target industries observed.

2.0 / Attack Timeline /

Since October 2016, Akamai has detected and mitigated a total of 50 CLDAP reflection attacks. Of those 50 attack events, 33 were single-vector attacks using CLDAP reflection exclusively. Figure 1 provides a timeline of attacks, showing attack size and detailing whether the attack was single- or multi-vector.

Figure 1: CLDAP Reflection DDoS Attack Timeline

While the gaming industry is typically the most targeted industry for attacks, observed CLDAP attacks have mostly been targeting the software & technology industry along with six other industries.

Figure: Number of CLDAP Reflection Attacks by Industry

2.1 / Highlighted Attack Attributes /

On January 7, 2017, the largest DDoS attack using CLDAP reflection as the sole vector was observed and mitigated by Akamai. Attributes of the attack were as follows:

  • Industry Vertical: Internet & Telecom
  • Peak Bandwidth: 24 Gigabits per second
  • Peak Packets per Second: 2 Million Packets per second
  • Attack Vector: CLDAP
  • Source Port: 389
  • Destination Port: Random

Figure: CLDAP Reflection Attack Signature

Signatures of this attack reveal that it is capable of impressive amplification factors. After the first few waves of attacks using CLDAP, Akamai SIRT was able to obtain sample malicious Lightweight Directory Access Protocol (LDAP) reflection queries. The query payload is only 52 bytes and is discussed further in the “Attack & CLDAP Overview” section. For an attack data payload of 3,662 bytes and a query payload of 52 bytes, the Base Amplification Factor (BAF) was therefore 70x, although only one host was revealed to exhibit that response size. Post-attack analysis showed that the average amplification during this attack was 56.89x.

This 24 Gbps attack was the largest mitigated by Akamai to date. In contrast, the smallest observed attack Akamai has seen using this vector was 300 Mbps, and the average attack bandwidth for a CLDAP attack has been 3 Gbps.
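The attack attributes listed above (UDP, source port 389, random destination ports) and the BAF calculation in the signature discussion together give a network defender a usable detection rule: a host answering one victim from port 389 on many unrelated destination ports with large datagrams is acting as a reflector. The following Python is an added example, not code from the advisory or from Akamai. It runs the rule over constructed NetFlow-style records (the IP addresses, byte counts and the `Flow` record layout are all assumptions) and estimates the per-reflector amplification against the 52-byte query size the advisory reports.

```python
"""Flag UDP flows that look like CLDAP reflection toward a victim and estimate
the amplification each reflector produced.  Added example; the flow records
below are constructed, not captured traffic."""
from collections import defaultdict
from dataclasses import dataclass

CLDAP_PORT = 389
QUERY_BYTES = 52  # query payload size reported in the advisory


@dataclass(frozen=True)
class Flow:
    """Minimal NetFlow-like record; 'bytes' is assumed to be UDP payload bytes."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


# Constructed sample records (documentation-range addresses, not real hosts).
SAMPLE_FLOWS = [
    # Reflector answering the victim on two unrelated high ports, 3,662 B/packet
    Flow("198.51.100.10", 389, "203.0.113.5", 40211, "udp", 20, 73240),
    Flow("198.51.100.10", 389, "203.0.113.5", 51876, "udp", 15, 54930),
    # Second reflector, smaller responses (2,900 B/packet)
    Flow("198.51.100.23", 389, "203.0.113.5", 33012, "udp", 10, 29000),
    Flow("198.51.100.23", 389, "203.0.113.5", 60444, "udp", 12, 34800),
    # Ordinary DNS answer: wrong source port, not a candidate
    Flow("192.0.2.7", 53, "203.0.113.5", 41000, "udp", 3, 1500),
    # Genuine LDAP session over TCP: connection-oriented, cannot be reflected
    Flow("192.0.2.50", 389, "203.0.113.9", 389, "tcp", 8, 4000),
]


def amplification_factor(response_bytes, query_bytes=QUERY_BYTES):
    """BAF = response payload / query payload (3662 / 52 -> ~70.4x)."""
    return response_bytes / query_bytes


def cldap_reflection_candidates(flows, min_dst_ports=2, min_avg_bytes=1000):
    """Group UDP flows sourced from port 389 by (reflector, victim) pair.

    A legitimate CLDAP client receives its answer on the single port it
    queried from; a victim of reflection receives large datagrams on many
    destination ports it never used, because the attacker spoofed them."""
    groups = defaultdict(list)
    for f in flows:
        if f.proto == "udp" and f.src_port == CLDAP_PORT:
            groups[(f.src_ip, f.dst_ip)].append(f)

    findings = []
    for (reflector, victim), group in groups.items():
        dst_ports = {f.dst_port for f in group}
        packets = sum(f.packets for f in group)
        avg_bytes = sum(f.bytes for f in group) / packets
        if len(dst_ports) >= min_dst_ports and avg_bytes >= min_avg_bytes:
            findings.append({
                "reflector": reflector,
                "victim": victim,
                "dst_ports": len(dst_ports),
                "packets": packets,
                "avg_bytes": avg_bytes,
                "baf": amplification_factor(avg_bytes),
            })
    return findings


if __name__ == "__main__":
    for hit in cldap_reflection_candidates(SAMPLE_FLOWS):
        print(f"{hit['reflector']} -> {hit['victim']}: {hit['dst_ports']} dst ports, "
              f"{hit['avg_bytes']:.0f} B/packet, BAF {hit['baf']:.1f}x")
```

The thresholds (`min_dst_ports`, `min_avg_bytes`) are tuning knobs, not values from the advisory; the per-reflector BAF output is what lets an operator prioritise which open CLDAP servers to report to their owners, since the advisory notes response sizes vary from host to host.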