DDoS Reflection Attacks Are On The Rise Again


Why it matters: The revival of vulnerable CLDAP servers makes DDoS attacks more powerful and dangerous. Windows network administrators should take strict security measures or disconnect the server from the Internet if there is no practical need to use the CLDAP protocol.

A specific kind of DDoS operation known as a “reflection attack” is again in wide use: cybercriminals abuse unprotected Microsoft servers to overload targeted websites with traffic. Black Lotus Labs notes that the culprit is Microsoft’s version of the industry-standard Lightweight Directory Access Protocol (LDAP), known as CLDAP.

The LDAP protocol is used to access and maintain distributed directory information services (such as a central system for storing usernames and passwords) over an IP network. The CLDAP implementation is similar, but limited to the Active Directory database system used in the Windows Server family of operating systems. Generally speaking, CLDAP services are enabled by default in many OS versions, but they are usually harmless on servers that are not connected to the public Internet.

However, when a CLDAP machine is exposed to the Internet, the UDP-based service can be abused for DDoS attacks. In this attack vector, the attacker spoofs the target’s IP address and sends UDP requests to one or more third-party servers. These servers then respond to the forged address, so their replies are reflected back at the target, creating a feedback loop. This kind of DDoS amplifies traffic by tens, hundreds or thousands of times and hides the attacker’s IP address.

Reflection attacks using CLDAP servers are nothing new. Over the past 12 months, the number of CLDAP abuses has increased by more than 60% from more than 12,000 instances of “zombie” servers. Black Lotus Labs stated that some “CLDAP reflectors” have been online for a long time, while others appear and disappear quickly.

The most problematic CLDAP reflectors are those that attackers have used for years in numerous powerful DDoS attacks. Black Lotus profiled some of these serial offenders; for example, a server belonging to an unnamed religious organization generated traffic spikes of up to 17 Gbps between July and September 2022.

Another CLDAP reflector, located in North America, delivered peak traffic of more than 2 Gbps for 18 months. A third vulnerable service, which hackers used more than a year ago, belongs to a North American telecom operator. Another, in North Africa and owned by a regional retail business, was responsible for nine months of furious DDoS attacks delivering up to 7.8 Gbps of traffic.

Black Lotus suggests that if a CLDAP server absolutely needs to stay online, network administrators should make an “effort” to protect it: disabling UDP support, limiting the traffic generated on port 389, using firewalls, or implementing additional anti-spoofing measures such as reverse path forwarding (RPF) filtering.
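As an added illustration of how an administrator could check whether a CLDAP host is already acting as a reflector of the kind described above (example code, not from the article or from Black Lotus Labs), the script below scores UDP flow records by the ratio of bytes leaving port 389 to bytes arriving on it and names the peer that receives most of the replies; the flow records and their field layout are constructed for this example.

```python
from collections import defaultdict

CLDAP_PORT = 389

# Constructed UDP flow records, assumed layout (src_ip, src_port, dst_ip, dst_port, bytes).
# 192.0.2.10 answers tiny datagrams stamped with the victim's address 198.51.100.7
# with much larger replies; 192.0.2.20 is serving a genuine client (203.0.113.5).
FLOWS = [
    ("198.51.100.7", 51000, "192.0.2.10", 389, 52),
    ("198.51.100.7", 51001, "192.0.2.10", 389, 52),
    ("198.51.100.7", 51002, "192.0.2.10", 389, 52),
    ("192.0.2.10", 389, "198.51.100.7", 51000, 3100),
    ("192.0.2.10", 389, "198.51.100.7", 51001, 3100),
    ("192.0.2.10", 389, "198.51.100.7", 51002, 3100),
    ("203.0.113.5", 60010, "192.0.2.20", 389, 80),
    ("192.0.2.20", 389, "203.0.113.5", 60010, 160),
]


def cldap_stats(flows):
    """Per host serving UDP/389: bytes received, bytes sent, bytes sent per peer."""
    stats = defaultdict(lambda: {"in": 0, "out": 0, "peers": defaultdict(int)})
    for src, sport, dst, dport, nbytes in flows:
        if dport == CLDAP_PORT:        # query arriving at a CLDAP service
            stats[dst]["in"] += nbytes
        elif sport == CLDAP_PORT:      # response leaving a CLDAP service
            stats[src]["out"] += nbytes
            stats[src]["peers"][dst] += nbytes
    return stats


def find_reflectors(flows, min_ratio=10.0, min_out_bytes=1000):
    """Return (host, amplification_ratio, top_peer) for hosts whose CLDAP replies
    dwarf the queries they received; the top peer is the probable spoofed victim."""
    found = []
    for host, s in cldap_stats(flows).items():
        if s["in"] == 0 or s["out"] < min_out_bytes:
            continue
        ratio = s["out"] / s["in"]
        if ratio >= min_ratio:
            top_peer = max(s["peers"], key=s["peers"].get)
            found.append((host, round(ratio, 1), top_peer))
    return found


if __name__ == "__main__":
    for host, ratio, peer in find_reflectors(FLOWS):
        print(f"{host}: {ratio}x amplification, most reply bytes sent to {peer}")
```

On real exports the thresholds should be tuned to the site's normal LDAP query sizes, and a host flagged here is a candidate for the mitigations the article lists, not proof of abuse on its own.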

