Network Security Firm Corero Warns Of Impending 'Tens Of Terabits Per Second' DDoS Attacks

Corero, a network security company, warned that we might see DDoS attacks soon that could reach tens of Terabits per second of inbound bandwidth. The attacks, which would be much larger than even the record-breaking DDoS attacks we’ve seen recently, would result from a combination of IoT botnets and an amplification attack utilizing the Lightweight Directory Access Protocol (LDAP).

Large DDoS Attacks About To Get Much Larger

A month ago, the blog of security journalist Brian Krebs experienced a record-breaking 655 Gigabits per second DDoS attack. Not long after, multiple botnets hit OVH, a French web-hosting provider, with a Tbps DDoS attack. On Friday, Dyn, the DNS service provider for many of the major U.S. technology and news companies’ websites, saw an even bigger 1.2 Terabits per second DDoS attack.

The attacks, which are fueled by the rapid growth of non-secure IoT devices and the open source Mirai botnet software, are growing ever larger, and web companies already seem to have problems dealing with them.

However, according to Corero, the attackers may have just scratched the surface of what’s possible with DDoS attacks. The firm said that it has recently discovered a “zero-day” attack vector that can amplify regular DDoS attacks by as much as 55x. This could mean that 50+ terabit per second DDoS attacks may be within reach in the not-too-distant future for sophisticated malicious actors or rival states looking to disrupt each other’s Internet infrastructures.

Dave Larson, CTO/COO at Corero Network Security, explained: “This new vector may represent a substantial escalation in the already dangerous DDoS landscape, with potential for events that will make recent attacks that have been making headlines seem small by comparison. When combined with other methods, particularly IoT botnets, we could soon see attacks reaching previously unimaginable scale, with far-reaching impact. Terabit-scale attacks could soon become a common reality and could significantly impact the availability of the Internet – at least degrading it in certain regions.”

How The LDAP Amplification Attack Works

LDAP is a widely used protocol for accessing username and password information in directories such as Microsoft’s Active Directory, which is found on all Windows-based servers. Corero said it has only seen a few short attacks testing this technique against some of its customers so far.

The attacker launches the attack by sending simple queries to Connectionless LDAP (CLDAP) services, which then generate much larger responses (in terms of bandwidth) from the CLDAP servers. Corero saw an average amplification of between 46x and 55x for the data sent back compared to the original query sent by the attacker.

When the attackers send the initial query, they spoof their own addresses to match that of the target. The CLDAP servers’ large responses go to the target, thus causing a DDoS attack against the target.
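Seen from the target's side, the reflected traffic described above is a stream of CLDAP responses that match no query the target ever sent. The following is an added example, not code from Corero or from the original article, that looks for that pattern in flow records; the record layout, the thresholds and the sample flows (documentation address ranges) are assumptions constructed for illustration, and it relies on CLDAP running over UDP port 389.

```python
from collections import defaultdict

CLDAP_PORT = 389  # CLDAP is LDAP over UDP, port 389

# Constructed flow records as seen at the target network's edge:
# (src_ip, src_port, dst_ip, dst_port, proto, bytes)
FLOWS = [
    # A real client on our network queries a directory server and gets an answer.
    ("203.0.113.9", 51000, "198.51.100.10", 389, "udp", 60),
    ("198.51.100.10", 389, "203.0.113.9", 51000, "udp", 2900),
    # Responses from four servers to a host that never sent a query.
    ("198.51.100.10", 389, "203.0.113.5", 40001, "udp", 3000),
    ("198.51.100.11", 389, "203.0.113.5", 40001, "udp", 3000),
    ("198.51.100.12", 389, "203.0.113.5", 40001, "udp", 3000),
    ("198.51.100.13", 389, "203.0.113.5", 40001, "udp", 3000),
    # Unrelated traffic.
    ("198.51.100.20", 443, "203.0.113.5", 52000, "tcp", 1500),
]


def find_reflection_targets(flows, min_reflectors=3, min_bytes=5000):
    """Return {target_ip: (reflector_count, total_bytes)} for hosts that
    receive CLDAP responses matching no query they sent."""
    # (client, server) pairs for queries that really left our network.
    # Spoofed queries never cross this edge, so they cannot appear here.
    solicited = {(src, dst)
                 for src, sport, dst, dport, proto, nbytes in flows
                 if proto == "udp" and dport == CLDAP_PORT}
    reflectors = defaultdict(set)
    volume = defaultdict(int)
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp" or sport != CLDAP_PORT:
            continue  # not a CLDAP response
        if (dst, src) in solicited:
            continue  # answer to a genuine query from dst
        reflectors[dst].add(src)
        volume[dst] += nbytes
    return {dst: (len(srcs), volume[dst])
            for dst, srcs in reflectors.items()
            if len(srcs) >= min_reflectors and volume[dst] >= min_bytes}


if __name__ == "__main__":
    for target, (count, total) in find_reflection_targets(FLOWS).items():
        print(f"{target}: {total} unsolicited bytes from {count} CLDAP servers")
```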

The network security firm said that utilizing LDAP services is not the only way to create amplification attacks because the Internet has many open services that would respond to spoofed record queries. However, service providers could mitigate these attacks if they would configure their routers to automatically filter spoofed addresses using the BCP 38 practice, described in the IETF RFC 2827 standard.
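The ingress filtering rule of BCP 38 can be stated in a few lines: a packet arriving on a customer-facing port is forwarded only if its source address lies inside a prefix assigned to that port. The following is an added example, not code from the article or from any router vendor, that models the rule; the port names, prefixes and packets are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed example: prefixes the provider has assigned to each customer port.
ASSIGNED = {
    "cust-a": ["192.0.2.0/25"],
    "cust-b": ["192.0.2.128/25", "2001:db8:b::/48"],
}

# Constructed packets arriving from customers: (ingress_port, src_ip, dst_ip)
PACKETS = [
    ("cust-a", "192.0.2.10", "198.51.100.10"),        # genuine source
    ("cust-a", "203.0.113.5", "198.51.100.10"),       # source forged as a third party
    ("cust-a", "203.0.113.5", "198.51.100.11"),       # same forgery, another server
    ("cust-b", "192.0.2.20", "198.51.100.10"),        # source forged as neighbour cust-a
    ("cust-b", "2001:db8:b::1", "2001:db8:ffff::1"),  # genuine IPv6 source
]


def build_filters(assigned):
    """Parse the per-port prefix strings into network objects once."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in assigned.items()}


def ingress_permit(filters, port, src_ip):
    """True only if src_ip belongs to a prefix assigned to the ingress port.
    Unknown ports have no prefixes, so everything from them is refused."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr.version == net.version and addr in net
               for net in filters.get(port, []))


def filter_batch(filters, packets):
    """Return (forwarded_packets, drops_per_port) for a batch of packets."""
    forwarded, dropped = [], Counter()
    for port, src, dst in packets:
        if ingress_permit(filters, port, src):
            forwarded.append((port, src, dst))
        else:
            dropped[port] += 1  # a non-zero count points at a spoofing host
    return forwarded, dropped


if __name__ == "__main__":
    fwd, drops = filter_batch(build_filters(ASSIGNED), PACKETS)
    print(f"forwarded {len(fwd)} packets, dropped per port: {dict(drops)}")
```

The per-port drop counter doubles as a signal for the provider: a customer port that keeps tripping the filter has a host sending forged source addresses.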

“Today’s DDoS attacks are increasingly automated, meaning that attackers can switch vectors faster than any human can respond,” said Corero. “The only effective defense against this type of DDoS attack vector requires automated mitigation techniques. Relying on out-of-band scrubbing DDoS protection to stop these attacks will cause significant collateral damage. Given the short duration and high volume attacks, legacy solutions simply cannot identify and properly mitigate in time to protect network availability,” warned the company.

Recent DDoS Attacks Could Lead To Better Protection

Due to a significant industry interest in making every type of product around us “smart” (which is what the “Internet of Things” is all about), the number of devices that attackers could exploit is going to explode over the next few years. This, by default, gives attackers bigger opportunities to create large and effective botnets made out of millions of IoT devices.

Things look even worse when we consider that the level of security of the average IoT device is much lower than that of highly-sandboxed smartphone operating systems, or even modern-day desktop computers, which at least receive updates regularly and for a long time.

Usually, when some security catastrophe happens, companies react to improve their products and services' security significantly. Perhaps with the increasing occurrence of massive DDoS attacks, IoT companies, as well as Internet services companies, will work to improve the security of their products and the resilience of their services against DDoS attacks.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • AJSB
    Test :D
  • DookieDraws
    Oh, no! Not again!
  • Communism
    Aka, the network equipment manufacturing cartels' price fixing of network infrastructure is screwing us all over massively.

    But sure, blame the player, never blame the game :P

    Game blamers are unpatriotic terrorists :P
  • bit_user
    LDAP is a widely used protocol for accessing username and password information in directories such as Microsoft’s Active Directory, which is found on all Windows-based servers. Corero said it has only seen a few short attacks testing this technique against some of its customers so far.

    The attacker launches the attack by sending Connectionless LDAP (CLDAP) service simple queries, which then generate much larger responses (in terms of bandwidth) from the CLDAP servers. Corero saw an average amplification between 46x-55x for the data sent back compared to the original query sent by the attacker.

    When the attackers send the initial query, they spoof their own addresses to match that of the target. The CLDAP servers’ large responses go to the target, thus causing a DDoS attack against the target.
    Is it common to have LDAP servers accessible on the public internet? For this to work, attackers would have to amass a list of 50 Tbps worth of accessible LDAP servers. I wonder if the reality might be that the IoT botnet would have more aggregate bandwidth than the LDAP servers, making this exploit largely moot.

    Perhaps that's why they revealed it.
  • blazorthon
    18779565 said:
    Is it common to have LDAP servers accessible on the public internet? For this to work, attackers would have to amass a list of 50 Tbps worth of accessible LDAP servers. I wonder if the reality might be that the IoT botnet would have more aggregate bandwidth than the LDAP servers, making this exploit largely moot.

    Perhaps that's why they revealed it.

    One of their major uses is internet directory and I'd imagine it isn't difficult to hit huge numbers with such servers because they need high bandwidth for their functions.

    Securing them decently isn't difficult and the lack of security is a farce. It's literally as simple as following the standards!
  • jabliese
    I thought the record breaking DDOS attacks already were using some form of amplification, if not LDAP, throwing off your math?
  • Christopher1
    Easy answer to this bullshit: Null-route the ENTIRE ISP that is having these attacks being done from the computers of their customers until they contact whichever customer is doing the attacks and tell them that bad stuff is being done with their computers.
    Yes it is a harsh line to take but it is the proper line to take in my opinion as a person knowledgeable in network infrastructure and computer security.
  • bit_user
    18809872 said:
    Easy answer to this bullshit: Null-route the ENTIRE ISP that is having these attacks being done from the computers of their customers until they contact whichever customer is doing the attacks and tell them that bad stuff is being done with their computers.
    Pretty much, but it's harder to do with write amplification because the address of the bot gets obscured.

    But I agree that ISPs need to filter this crap close to the source. And backbone providers should block ISPs that fail to cooperate.

    Of course, this sort of network censorship can also be abused to block valid traffic... That's the bigger concern, IMO.