DDoS (Distributed Denial-of-Service) attacks come from many computers distributed across the internet, sometimes hundreds or thousands of systems at once. The attacking machines are part of a botnet controlled by hackers who use the machines as an army to target a website or system. With the Internet of Things (IoT) becoming more prevalent, we could soon see attacks reaching previously unimaginable scale.
DDoS attacks have become more powerful over time, with hackers varying their techniques to amplify their effects and make them more difficult to mitigate or thwart. Every year it seems, a new mega-DDoS attack shows up that dwarfs those that preceded it.
Corero Network Security, a leading provider of First Line of Defense® security solutions against DDoS attacks, has disclosed a significant new zero-day DDoS attack vector observed for the first time against its customers last month. The new technique is an amplification attack, which utilizes the Lightweight Directory Access Protocol (LDAP): one of the most widely used protocols for accessing username and password information in databases like Active Directory, which is integrated in most online servers.
While Corero's team of DDoS mitigation experts has so far observed only a handful of short but extremely powerful attacks against its protected customers originating from this vector, the technique has the potential to inflict significant damage by leveraging an amplification factor observed at a peak of as much as 55x.
Therefore, in terms of its potential scale, if combined with the Internet of Things botnet that was utilized in the recent 655 Gigabyte attack against Brian Krebs' cybersecurity website, we could soon see new records broken in the DDoS attack landscape, with potential to reach tens of Terabits per second in size in the not too distant future.
The DDoS landscape has been extremely volatile in recent weeks, particularly with the release of the Mirai code and subsequent Mirai infected Internet of Things (IoT) devices, and this trend is expected to continue for the foreseeable future.
Dave Larson, CTO/COO at Corero Network Security, explains: "This new vector may represent a substantial escalation in the already dangerous DDoS landscape, with potential for events that will make recent attacks that have been making headlines seem small by comparison. When combined with other methods, particularly IoT botnets, we could soon see attacks reaching previously unimaginable scale, with far-reaching impact. Terabit scale attacks could soon become a common reality and could significantly impact the availability of the Internet -- at least degrading it in certain regions."
How Does an Amplification Attack Work?
In this case, the attacker sends a simple query to a vulnerable reflector supporting the Connectionless LDAP service (CLDAP) and, using source address spoofing, makes the query appear to originate from the intended victim. The CLDAP service then responds to the spoofed address, sending unwanted network traffic to the attacker's intended target.
Amplification techniques allow bad actors to increase the size of their attacks, because the responses generated by the LDAP servers are much larger than the attacker's queries. In this case, the LDAP service responses are capable of reaching very high bandwidth, and we have seen an average amplification factor of 46x and a peak of 55x.
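As an added defender-side example (not Corero's code or anything from the original article), the following Python flags the two signs of the CLDAP reflection described above in NetFlow-style records: a target receiving oversized UDP/389 responses from many servers it never queried, and a local directory server answering UDP/389 queries from outside the network. The 52-byte query size, the thresholds and the flow records are assumptions constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import NamedTuple

CLDAP_PORT = 389
QUERY_BYTES = 52      # assumed wire size of a minimal CLDAP rootDSE query
AMP_THRESHOLD = 10.0  # flag well below the 46x average reported above

class Flow(NamedTuple):   # one summarised flow record (NetFlow-like)
    src: str
    sport: int
    dst: str
    proto: str
    bytes: int
    packets: int

def cldap_responses(flows):  # flows sourced *from* UDP/389: server-to-client
    return [f for f in flows if f.proto == "udp" and f.sport == CLDAP_PORT]

def find_reflected_targets(flows, min_sources=3):
    """Victim-side check: one destination receiving oversized CLDAP answers
    from many distinct servers. Returns {dst: (reflectors, amplification)}."""
    by_dst = defaultdict(list)
    for f in cldap_responses(flows):
        by_dst[f.dst].append(f)
    hits = {}
    for dst, fs in by_dst.items():
        srcs = {f.src for f in fs}
        avg_pkt = sum(f.bytes for f in fs) / sum(f.packets for f in fs)
        amp = avg_pkt / QUERY_BYTES   # response size relative to the query
        if len(srcs) >= min_sources and amp >= AMP_THRESHOLD:
            hits[dst] = (len(srcs), round(amp, 1))
    return hits

def find_open_reflectors(flows, local_nets):
    """Reflector-side check: local hosts answering UDP/389 to non-local addresses."""
    nets = [ip_network(n) for n in local_nets]
    def is_local(ip):
        return any(ip_address(ip) in n for n in nets)
    return sorted({f.src for f in cldap_responses(flows)
                   if is_local(f.src) and not is_local(f.dst)})

# Constructed sample records, not real traffic. 10.0.0.5 plays an internal
# domain controller; 203.0.113.7 stands in for an external target.
SAMPLE_FLOWS = [
    Flow("198.51.100.10", 389, "203.0.113.7", "udp", 24000, 10),
    Flow("198.51.100.11", 389, "203.0.113.7", "udp", 21600, 9),
    Flow("198.51.100.12", 389, "203.0.113.7", "udp", 19200, 8),
    Flow("10.0.0.5", 389, "192.0.2.44", "udp", 2600, 1),  # answer sent to the internet
    Flow("10.0.0.5", 389, "10.0.0.23", "udp", 2600, 1),   # legitimate internal client
    Flow("10.0.0.23", 52000, "10.0.0.5", "udp", 52, 1),   # that client's query
]
```

Running both checks over `SAMPLE_FLOWS` flags 203.0.113.7 as a reflection target at roughly 46x and 10.0.0.5 as an open reflector reachable from outside 10.0.0.0/8.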
Fighting Back Against the Hackers
In truth, DDoS attacks alone are an annoyance to web users and can cost a company lost business during the time they deny access to customers, but they're fairly easy to defend against. When used in conjunction with a data breach or some other nefarious activity they can certainly assist in the success of that breach, but they hardly qualify as catastrophic or a worst-case scenario under anyone's definition of the term.
Reducing the number of internet-connected digital devices that can be abused is an achievable goal, one to which many members of society can contribute. Here are the top four actions recommended by US CERT in the wake of the latest attacks:
The CLDAP zero-day attacks targeted at Corero customers were automatically mitigated by the Corero Smartwall® Threat Defense System with patented Smart Rule functionality. No human intervention was necessary in mitigating this previously unknown DDoS attack vector and no outages were caused as a result of these attacks in the Corero customer base.
The 10/21 IoT DDoS attacks have shown just how vulnerable the internet, which is now an integral part of the critical infrastructure of the US and many other countries, is to disruptive abuse conducted at scale, by persons whose identity is not immediately ascertainable. Until this vulnerability is addressed, it will cast a serious shadow over the future of connected technology, a future in which much hope and massive resources have already been invested.