This new vector has serious implications. Corero reports an average amplification factor of 46x for the technique, with a peak of 55x. Combined with a botnet the size of Mirai, which was used in the recent attack against Brian Krebs’ website, Corero says the resulting attack volume could reach unprecedented levels.
LDAP itself is nothing new; what is new is its use as a DDoS reflection vector. It is one of the most widely used protocols for querying directory services, the user-account and credential stores that many servers rely on for authentication, so there is no shortage of Internet-reachable LDAP servers to reflect off.
The attacker sends a query to the LDAP service with a spoofed source address, so the request appears to come from the intended victim, and the service sends its response there. This only works over a connectionless transport: the reflected requests go to the UDP LDAP service (CLDAP, port 389), because an LDAP session over TCP would require a handshake that the spoofed victim never completes.
Because the server’s response is many times larger than the query, every byte the attacker sends becomes tens of bytes delivered to the victim, and it is the reflectors’ outbound bandwidth, not the attacker’s, that the victim has to absorb.
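The exchange described above in working form, as an added example (not Corero’s code): it hand-encodes the BER LDAP SearchRequest for the rootDSE that a reflection attack, or an operator auditing their own servers, sends to UDP/389, and measures how much larger the answer is. The sample response, its attribute values, and the `probe_cldap` helper are constructed for this example; nothing here comes from the original article.

```python
"""CLDAP rootDSE probe and amplification-factor measurement.

Added example, not Corero's code. It builds the BER-encoded LDAP SearchRequest
that a reflection attack (or an operator auditing their own servers) sends to
UDP/389 and measures how much larger the reflected answer is. The sample
response is constructed for the example; it is not captured traffic.
"""
import socket
from typing import Iterable, List, Tuple


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def build_rootdse_request(message_id: int = 1, attributes: Iterable[str] = ()) -> bytes:
    """LDAPMessage { messageID, SearchRequest base="", scope=baseObject, (objectClass=*) }.

    This anonymous rootDSE query is answered by every LDAP server and fits in a
    single datagram, which is exactly what a reflection attack needs.
    """
    assert 0 <= message_id < 128, "single-octet message IDs are enough here"
    search_request = b"".join([
        tlv(0x04, b""),              # baseObject: empty DN selects the rootDSE
        tlv(0x0A, b"\x00"),          # scope: baseObject (0)
        tlv(0x0A, b"\x00"),          # derefAliases: neverDerefAliases (0)
        tlv(0x02, b"\x00"),          # sizeLimit: 0 = unlimited
        tlv(0x02, b"\x00"),          # timeLimit: 0 = unlimited
        tlv(0x01, b"\x00"),          # typesOnly: FALSE
        tlv(0x87, b"objectClass"),   # filter: present(objectClass), i.e. (objectClass=*)
        tlv(0x30, b"".join(tlv(0x04, a.encode()) for a in attributes)),  # empty = all attributes
    ])
    # 0x63 = [APPLICATION 3] SearchRequest; 0x30 = SEQUENCE (the LDAPMessage envelope)
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x63, search_request))


def build_sample_response(message_id: int = 1) -> List[bytes]:
    """A constructed rootDSE answer: one SearchResultEntry plus SearchResultDone.

    Attribute values are invented to look like a directory server's rootDSE;
    real servers typically return much more (all naming contexts, supported
    controls, capabilities), which is where factors like 46x-55x come from.
    """
    attrs = {
        "namingContexts": ["DC=corp,DC=example", "CN=Configuration,DC=corp,DC=example"],
        "supportedLDAPVersion": ["3", "2"],
        "supportedSASLMechanisms": ["GSSAPI", "GSS-SPNEGO", "EXTERNAL", "DIGEST-MD5"],
        "supportedControl": ["1.2.840.113556.1.4.319", "2.16.840.1.113730.3.4.2"],
        "dnsHostName": ["dc01.corp.example"],
        "serverName": ["CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example"],
    }
    partial_attrs = b"".join(
        tlv(0x30, tlv(0x04, name.encode()) + tlv(0x31, b"".join(tlv(0x04, v.encode()) for v in vals)))
        for name, vals in attrs.items()
    )  # 0x31 = SET OF attribute values
    entry = tlv(0x64, tlv(0x04, b"") + tlv(0x30, partial_attrs))  # [APPLICATION 4] SearchResultEntry, objectName ""
    done = tlv(0x65, tlv(0x0A, b"\x00") + tlv(0x04, b"") + tlv(0x04, b""))  # [APPLICATION 5] SearchResultDone: success
    mid = tlv(0x02, bytes([message_id]))
    return [tlv(0x30, mid + entry), tlv(0x30, mid + done)]


def amplification_factor(request: bytes, responses: Iterable[bytes]) -> float:
    """Bytes delivered to the spoofed victim per byte the attacker had to send."""
    return sum(len(r) for r in responses) / len(request)


def probe_cldap(host: str, port: int = 389, timeout: float = 2.0) -> Tuple[int, int, float]:
    """Send the rootDSE query over UDP to a server you are responsible for.

    Returns (request_bytes, reflected_bytes, factor). Any answer at all means the
    host is a usable reflector; no answer within the timeout gives factor 0.0.
    """
    request = build_rootdse_request()
    responses: List[bytes] = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            while True:
                data, _ = sock.recvfrom(65535)
                responses.append(data)
        except socket.timeout:
            pass
    return len(request), sum(len(r) for r in responses), amplification_factor(request, responses)


if __name__ == "__main__":
    req = build_rootdse_request()
    resp = build_sample_response()
    print(f"request: {len(req)} bytes, reflected: {sum(map(len, resp))} bytes, "
          f"factor: {amplification_factor(req, resp):.1f}x")
```

The request is 39 bytes on the wire; everything the server puts in its rootDSE entry is pure gain for the attacker, so a directory with many naming contexts and advertised controls makes a better reflector than a minimal one. Run `probe_cldap` only against hosts you own: any UDP/389 listener that answers it should be firewalled from the Internet or have CLDAP disabled.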
The company notes that service providers can stop this class of attack at its source by implementing Internet Engineering Task Force (IETF) RFC 2827 (BCP 38), which describes ingress filtering: dropping packets whose source address does not belong to the network they arrive from, so spoofed requests never reach a reflector. The check only works on the network the spoofed packets originate from; the operator of the reflecting LDAP server cannot distinguish a spoofed query from a genuine one.
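What the RFC 2827 check decides, as an added illustrative model (not Corero’s code and not a router configuration): a provider edge keeps a table of the prefixes assigned to each customer-facing interface and forwards a packet only if its source lies in the prefixes for the interface it arrived on. Interface names, prefixes and the packets are constructed for this example from RFC 5737 documentation addresses.

```python
"""RFC 2827 / BCP 38 ingress filtering as an added, illustrative model.

Not Corero's code and not a router configuration: it shows the decision a
provider edge router makes. Interface names, prefixes and packets are all
constructed for the example (RFC 5737 documentation addresses).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

Network = ipaddress.IPv4Network


@dataclass(frozen=True)
class Packet:
    ingress_if: str  # interface the packet arrived on
    src: str
    dst: str
    proto: str
    dport: int
    length: int


# Source prefixes legitimately assigned to the customer behind each
# customer-facing interface. RFC 2827: accept a packet only if its source lies
# in the prefixes assigned to the interface it arrived on.
ASSIGNED_PREFIXES: Dict[str, List[Network]] = {
    "cust-1": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-2": [ipaddress.ip_network("198.51.100.0/25")],
}


def ingress_allowed(table: Dict[str, List[Network]], pkt: Packet) -> bool:
    """The BCP 38 check for a single packet."""
    prefixes = table.get(pkt.ingress_if)
    if prefixes is None:
        # Not a customer edge (e.g. a transit uplink): the filter belongs at the
        # edge nearest the source, where the legitimate prefixes are known.
        return True
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in prefixes)


def apply_bcp38(table: Dict[str, List[Network]],
                packets: Iterable[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Split traffic into (forwarded, dropped)."""
    forwarded: List[Packet] = []
    dropped: List[Packet] = []
    for pkt in packets:
        (forwarded if ingress_allowed(table, pkt) else dropped).append(pkt)
    return forwarded, dropped


# Constructed traffic. A bot on cust-1 sends a 39-byte CLDAP rootDSE query to an
# exposed LDAP server (198.51.100.200) with the victim's address 192.0.2.10 as
# the source; the other packets are ordinary traffic from real customer addresses.
SAMPLE_TRAFFIC = [
    Packet("cust-1", "192.0.2.10", "198.51.100.200", "udp", 389, 39),    # spoofed: drop
    Packet("cust-1", "203.0.113.45", "198.51.100.200", "udp", 389, 39),  # genuine source: the reply goes back to the sender, no reflection
    Packet("cust-2", "198.51.100.7", "203.0.113.80", "tcp", 443, 60),
    Packet("cust-2", "192.0.2.10", "203.0.113.80", "udp", 53, 40),       # spoofed DNS query: the same filter stops it
    Packet("uplink", "192.0.2.10", "203.0.113.80", "udp", 389, 39),      # arrived from transit: no prefix table here, not this router's call
]

if __name__ == "__main__":
    fwd, drop = apply_bcp38(ASSIGNED_PREFIXES, SAMPLE_TRAFFIC)
    for p in drop:
        print(f"drop    {p.ingress_if}: src {p.src} not in assigned prefixes")
    for p in fwd:
        print(f"forward {p.ingress_if}: {p.src} -> {p.dst}:{p.dport}/{p.proto}")
```

The last sample packet shows the limitation: once a spoofed packet has left its originating network and arrives over a transit link, no downstream router has the information to reject it. In production this check is usually implemented as strict-mode unicast RPF or an explicit source-address ACL on customer-facing interfaces rather than as code.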
Neither the RFC nor the underlying problem is new. Corero’s deeper point is that as attack tooling becomes automated, turning protocols like LDAP into reflection vectors gets easier, while the long-known fix still depends on providers choosing to deploy it.