Each DDoS attack seem to be larger than the last, and recent advisories from Akamai and Ixia indicate that attackers are stepping up their game. As attackers expand their arsenal of reflection methods to target CLDAP (Connection-less Lightweight Directory Access Protocol) and BIND, expect to see even larger attacks this year.
Reflection attacks abuse legitimate protocols, such as NTP, DNS, and SNMP, to produce significantly large amounts of attack bandwidth. Attackers send a request to a third-party server using a spoofed IP address, and the server sends back a response (which is typically much larger in size). Since the IP address is spoofed, the response doesn’t go to the original requester, but to the unsuspecting victim. Instead of building large botnets of millions of compromised hosts to launch a large attack, attackers can use a smaller number of systems to target exposed third-party servers.
CLDAP on the rise
CLDAP, a variant of LDAP that uses UDP (User Datagram Protocol) for transport, is the latest technology being abused by DDoS attackers, according to an advisory by . The amplifies responses 50 times the size of the initial request on average, and it can be used to consistently produce attack traffic exceeding 1Gbps. Akamai said it has detected and mitigated 50 CLDAP reflection attacks since October, of which 33 were single-vector attacks using CLDAP reflection exclusively.
According to Akamai’s statistics, more than 60 percent of DDoS attacks in the first half of 2016 were multivector attacks, so the fact that attackers are consistently hitting large traffic bandwidth without having to combine with other attack methods is a bad sign. Single-vector CLDAP reflection attacks are bad enough, but multivector operations where the attackers combine CLDAP reflection with other methods, such as DNS amplification and direct TCP floods, could be catastrophic for organizations that can’t absorb large DDoS attacks. While the average CLDAP reflection attack is about 3Gbps, the largest attack to date was a single-vector 24Gbps attack launched in January against a telecommunications company, Akamai said.
that could be abused to allow reflection attacks through root DNAME query responses. Oana Murarasu, a security software engineer with Ixia’s Application and Threat Intelligence research team, found that the attack generated responses 10 or more times larger than the initial query. “For every 1 megabit of traffic sent [to the resolver], 10 megabits is sent to the victim,” Murarasu said.
DNAME responses are used to append or change the target domain of a query, so a domain owner can specify a new target, such as replacing example.com with example.net if the query is looking for foobar.example.com, creating a new CNAME record of foobar.example.net, Murarasu said. While this lets administrators easily manage multiple domains to redirect clients to the same resource, using loops and pointers creates issues. A specially crafted DNAME Resource Record could cause the recursive server to build a response size exceeding 1,000 bytes.
Abusing the vulnerability could generate a “DDoS wildfire,” Ixia’s Murarasu said. It’s also easy for attackers to find BIND servers that can be abused because all they have to do is set up a malicious nameserver to send a response and scan the internet for nameservers that respond with a large query.
“Always make sure you are not running a recursive name server on the public internet. You will be abused,” Ixia warned. If the server has to be on the internet, Ixia recommends searching for the pattern 00 00 27 00 001 in the answer section of a DNS response. Administrators should also be using access control lists to ensure only permitted hosts case use the recursive server.
The Internet Systems Consortium (ISC), which manages BIND, told Ixia that the vulnerability was a “protocol design flaw and not a flaw in BIND.” Separately, ISC updated BIND to patch three other denial-of-service vulnerabilities that could be exploited remotely; the new versions are BIND 9.9.-P8, 9.10.4-P8, and 9.11.0-P5. The most serious flaw, with a “high” severity rating, mainly affects recursive resolvers (). The “medium” severity issue () affects servers configured to use DNS64 with the “break-dnssec yes;” option enabled. The final flaw () can be exploited remotely from hosts that are allowed access to the control channel.
Expect more reflection attacks
DDoS attacks typically target the gaming industry since players rely on connectivity and performance to access their games, but Akamai observed that CLDAP attacks primarily targeted the software and technology industry. Attackers are increasingly using DDoS attacks against other targets, and IT teams have to consider DDoS attacks as part of their capacity planning. The middle of a DDoS attack is not the time to figure out how to beat one.