- Lumen’s research arm, Black Lotus Labs, has released research about the CLDAP reflectors being used in DDoS attacks.
- According to the research, many misconfigured Microsoft servers are being abused by attackers as CLDAP reflectors.
- One of the samples observed during the research delivered more than 10 Gbps of junk traffic on its own between July and September this year.
Networking and application technology company Lumen’s research arm, Black Lotus Labs, has published new research on CLDAP (Connectionless Lightweight Directory Access Protocol) reflectors being used in DDoS attacks. According to the research, more than 12,000 misconfigured Microsoft servers currently allow CLDAP reflection, and those servers are being used to amplify DDoS attacks.
Peaking at up to 17 Gbps of junk traffic
The poorly configured servers belong to many different organizations, including religious ones. One specific sample, a religious organization in North America, has been abused by DDoS attackers for 18 months; between July and August 2022, it peaked at up to 2 Gbps. Another religious organization peaked at up to 17 Gbps between July and September, with an average throughput of 10 Gbps. Researchers state that this volume of junk traffic is enough on its own to DoS some of the poorly managed servers.
According to Black Lotus Labs, the CLDAP reflectors have a bandwidth amplification factor (BAF) of 56 to 70x, so they can reliably add traffic volume to DDoS attacks. While the company wants to encourage the community to report CLDAP reflectors, it also advises network administrators to consider not exposing the CLDAP service (389/UDP) to the open internet at all. If exposing it is truly necessary, apply one of the following, depending on your system:
- On versions of MS Server that support LDAP ping on the TCP LDAP service, turn off the UDP service and access LDAP ping via TCP.
- If the MS Server version doesn’t support LDAP ping on TCP, rate limit the traffic generated by the 389/UDP service to prevent its use in DDoS.
- If the MS Server version doesn’t support LDAP ping on TCP, firewall access to the port so that only your legitimate clients can reach the service.
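As an added example (not code from the Black Lotus Labs report), the following Python script applies the amplification factor described above to flow records in order to spot a host that is acting as a CLDAP reflector: it pairs the small UDP/389 queries arriving from each remote address with the replies sent back to that address and flags pairs whose reply volume dwarfs the queries. The flow-record format, IP addresses and alert thresholds are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

CLDAP_PORT = 389
BAF_ALERT = 50.0           # assumed threshold, just under the reported 56-70x range
MIN_OUT_BYTES = 1_000_000  # assumed floor so a handful of legitimate pings is ignored


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flow_line(line: str) -> Flow:
    """Parse one constructed flow record of the form 'src:sport dst:dport proto bytes'."""
    src, dst, proto, nbytes = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return Flow(s_ip, int(s_port), d_ip, int(d_port), proto.lower(), int(nbytes))


def find_cldap_reflection(lines):
    """Return {(reflector, peer): (in_bytes, out_bytes, ratio)} for every peer whose
    UDP/389 replies exceed MIN_OUT_BYTES at a reply/query byte ratio >= BAF_ALERT.
    Because a reflection attack spoofs the victim's address as the query source,
    the query and reply sides of the exchange share the same (reflector, peer) key."""
    in_bytes = defaultdict(int)   # query bytes arriving at the UDP/389 service
    out_bytes = defaultdict(int)  # reply bytes leaving the UDP/389 service
    for line in lines:
        f = parse_flow_line(line)
        if f.proto != "udp":
            continue
        if f.dport == CLDAP_PORT:
            in_bytes[(f.dst, f.src)] += f.nbytes
        elif f.sport == CLDAP_PORT:
            out_bytes[(f.src, f.dst)] += f.nbytes
    findings = {}
    for key, out_b in out_bytes.items():
        in_b = in_bytes.get(key, 0)
        ratio = out_b / in_b if in_b else float("inf")
        if out_b >= MIN_OUT_BYTES and ratio >= BAF_ALERT:
            findings[key] = (in_b, out_b, ratio)
    return findings


SAMPLE_FLOWS = [  # constructed: 203.0.113.7 is the DC, 198.51.100.9 the spoofed victim
    "198.51.100.9:40000 203.0.113.7:389 udp 60000",
    "203.0.113.7:389 198.51.100.9:40000 udp 3900000",
    "10.0.0.5:50001 203.0.113.7:389 udp 300",      # legitimate client LDAP pings
    "203.0.113.7:389 10.0.0.5:50001 udp 9000",
]

if __name__ == "__main__":
    for (host, peer), (i, o, r) in find_cldap_reflection(SAMPLE_FLOWS).items():
        print(f"{host} reflecting to {peer}: {i} B in, {o} B out, {r:.0f}x")
```

Run against real flow exports, the same logic also surfaces the "LDAP ping over UDP" clients you actually need to allow through when applying the firewall or rate-limit options above.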
For network defenders, Black Lotus Labs advises implementing some measures to prevent spoofed IP traffic, such as Reverse Path Forwarding (RPF), either loose or, if feasible, strict.