Skip to main content

Network Security Firm Corero Warns Of Impending 'Tens Of Terabits Per Second' DDoS Attacks

Corero, a network security company, warned that we might see DDoS attacks soon that could reach tens of Terabits per second of inbound bandwidth. The attacks, which would be much larger than even the record-breaking DDoS attacks we’ve seen recently, would result from a combination of IoT botnets and an amplification attack utilizing the Lightweight Directory Access Protocol (LDAP).

Large DDoS Attacks About To Get Much Larger

A month ago, Brian Krebs' (a security journalist) blog experienced a record-breaking 655 Gigabits per second DDoS attack. Not long after, multiple botnets hit OVH, a French web-hosting provider, with a Tbps DDoS attack. On Friday, Dyn, the DNS service provider for many of the major U.S. technology and news companies’ websites, saw an even bigger 1.2 Terabits per second DDoS attack.

The attacks, which are fueled by the rapid growth of non-secure IoT devices and the open source Mirai botnet software, are getting increasingly larger and web companies seem to have problems dealing with them already.

However, according to Corero, the attackers may have just scratched the surface on what’s possible with DDoS attacks. The firm said that it has recently discovered a “zero-day” attack vector that can amplify regular DDoS attacks by as much as 55x. This could mean that 50+ terabit per second DDoS attacks may be within reach in the not too distant future for sophisticated malicious actors or rival states looking to disrupt each other’s Internet infrastructures.

Dave Larson, CTO/COO at Corero Network Security, explained: “This new vector may represent a substantial escalation in the already dangerous DDoS landscape, with potential for events that will make recent attacks that have been making headlines seem small by comparison. When combined with other methods, particularly IoT botnets, we could soon see attacks reaching previously unimaginable scale, with far-reaching impact. Terabit-scale attacks could soon become a common reality and could significantly impact the availability of the Internet– at least degrading it in certain regions.”

How The LDAP Amplification Attack Works

LDAP is a widely used protocol for accessing username and password information in directories such as Microsoft’s Active Directory, which is found on all Windows-based servers. Corero said it has only seen a few short attacks testing this technique against some of its customers so far.

The attacker launches the attack by sending Connectionless LDAP (CLADP) service simple queries, which then generate much larger responses (in terms of bandwidth) from the CLDAP servers. Corero saw an average amplification between 46x-55x for the data sent back compared to the original query sent by the attacker.  

When the attackers send the initial query, they spoof their own addresses to match that of the target. The CLDAP servers’ large responses go to the target, thus causing a DDoS attack against the target.

The network security firm said that utilizing LDAP services is not the only way to create amplification attacks because the Internet has many open services that would respond to spoofed record queries. However, service providers could mitigate these attacks if they would configure their routers to automatically filter spoofed addresses using the BCP 38 practice, described in the IETF RFC 2827 standard.

“Today’s DDoS attacks are increasingly automated, meaning that attackers can switch vectors faster than any human can respond,” said Corero. "The only effective defense against this type of DDoS attack vector requires automated mitigation techniques. Relying on out-of-band scrubbing DDoS protection to stop these attacks will cause significant collateral damage. Given the short duration and high volume attacks, legacy solutions simply cannot identify and properly mitigate in time to protect network availability,” warned the company.

Recent DDoS Attacks Could Lead To Better Protection

Due to a significant industry interest in making every type of product around us “smart” (which is what the “Internet of Things” is all about), the number of devices that attackers could exploit is going to explode over the next few years. This, by default, gives attackers bigger opportunities to create large and effective botnets made out of millions of IoT devices.

Things look even worse when we consider that the average level of security for the average IoT device is much lower than that of highly-sandboxed smartphone operating systems, or even modern-day desktop computers, which at least receive updates regularly and for a long time.

Usually, when some security catastrophe happens, companies react to improve their products and services' security significantly. Perhaps with the increasing occurrence of massive DDoS attacks, IoT companies, as well as Internet services companies, will work to improve the security of their products and the resilience of their services against DDoS attacks.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.