A US security firm has discovered a new zero-day Distributed Denial of Service (DDoS) attack vector that has the potential to make botnets like Mirai as much as 55 times more powerful than they already are.
Massachusetts-based DDoS mitigation provider Corero Network Security has discovered a new amplification attack that makes use of the Lightweight Directory Access Protocol (LDAP) – a commonly-used protocol for accessing usernames and passwords from databases that is integrated in most web servers.
Corero observed that the vector was used in a "handful of short but extremely powerful attacks" against its customers over the last week, and while the attacks didn't get very far, the firm noticed that the vector had an amplification factor that could make existing botnets 55 times more lethal.
To make the attack work, all a hacker has to do is send a simple query to a vulnerable reflector supporting the Connectionless LDAP service (CLDAP) and make it look like the query originates from the victim the hacker wants to target.
The CLDAP service responds to the hacker's spoofed address and starts sending large amounts of unwanted network traffic to the victim, and hackers can capitalise on this because the CLDAP service sends responses that are capable of reaching extremely high bandwidths.
"Novel amplification attacks like this occur because there are so many open services on the internet that will respond to spoofed record queries. However, a lot of these attacks could be eased by proper service provider hygiene, by correctly identifying spoofed IP addresses before these requests are admitted to the network," said Corero's chief operating officer Dave Larson.
"Specifically, following the best common practice, BCP 38, described in the Internet Engineering Task Force (IETF) RFC 2827, which describes router configurations that are designed to eliminate spoofed IP address usage by employing meaningful ingress filtering techniques, would reduce the overall problem of reflected DDoS by at least an order of magnitude."
Mirai could be upgraded to a 36 Terabyte DDoS attack
For example, there's the Mirai botnet, which is made up of hacked Internet of Things (IoT)-enabled cameras and other devices. It was used to DDoS the internet by attacking internet infrastructure firm Dyn at an unprecedented scale on Friday 21 October, causing multiple popular websites to go offline in the US and Europe.
Mirai first made waves in September by hitting security journalist Brian Krebs' website with a record-breaking 665 Gbps DDoS attack that knocked the website offline for three days, as well as French web host OVH. After the attack, in early October the hacker behind it decided to make the botnet's source code public, which means any hacker is free to exploit the code.
Corero calculates that if the attack technique it spotted were to be applied to the Mirai botnet, it would then be able to perform a truly enormous DDoS attack that would be at least 36Tbps in size.
"Today's DDoS attacks are increasingly automated, meaning that attackers can switch vectors faster than any human can respond. The only effective defence against this type of DDoS attack vector requires automated mitigation techniques. This new vector may represent a substantial escalation in the already dangerous DDoS landscape, with potential for events that will make recent attacks that have been making headlines seem small by comparison," Larson stressed.
"When combined with other methods, particularly Internet of Things botnets, we could soon see attacks reaching previously unimaginable scale, with far-reaching impact. Terabit scale attacks could soon become a common reality and could significantly impact the availability of the Internet – at least degrading it in certain regions."