CLDAP Used in DDoS Attacks

DDoS attacks using the CLDAP (Connectionless Lightweight Directory Access Protocol) protocol have been reported and could result in serious damage from a new reflection attack.

Threat ID:: CC-1333
Category:: DOS
Threat Severity:: Low
Threat Vector:
Published:: 19 April 2017 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

DDoS attacks using the CLDAP (Connectionless Lightweight Directory Access Protocol) protocol have been reported and could result in serious damage from a new reflection attack.

Threat details

The new attack vector was first seen in October 2016 and since then there have been at least 50 reports of reflection attacks identified with the majority targeting the software and technology industry.

The largest reported attack so far had a peak bandwidth of 24Gbps (gigabits per second) which is considerably lower than other types of DDoS attacks seen last year such as the use of the Mirai botnet to launch attacks which reached 1Tbps (terabits per second). Although this attack vector seems less powerful in terms of bandwidth, it is noted that the traffic amplification factor can allow an attacker with relatively low bandwidth to carry out an attack with a much higher bandwidth.

Attackers using this new attack method will scan networks for open ports and in this particular case, they are looking for port 389 (LDAP). If this port is open on a firewall then it should be considered a vulnerability at risk of becoming a target of a CLDAP reflection attack.

Remediation advice

An organisation can help to protect themselves in the event of a DDoS incident by considering the following recommendations:

Remediation steps

Type	Step
	Review all open ports and ensure that those that are open are only those that are necessary, ensuring that port 389 in particular is closed. The use of a third party DDoS mitigation tool. Review current DDoS mitigation tools with a view to assessing whether they are currently fit for purpose. Have a well-established DDoS playbook to call upon when an incident occurs. Appropriately skilled personnel should be called upon to ensure the best level of protection and mitigation.

Type

Step

Review all open ports and ensure that those that are open are only those that are necessary, ensuring that port 389 in particular is closed.
The use of a third party DDoS mitigation tool.
Review current DDoS mitigation tools with a view to assessing whether they are currently fit for purpose.
Have a well-established DDoS playbook to call upon when an incident occurs. Appropriately skilled personnel should be called upon to ensure the best level of protection and mitigation.

Last edited: 17 February 2020 11:29 am