Updated on 2022-10-28: Misconfigured CLDAP Services are Being Used to Magnify DDoS Attacks
According to researchers from Black Lotus Labs, misconfigured Connectionless Lightweight Directory Access Protocol (CLDAP) services on Microsoft domain controllers are being used to amplify distributed denial-of-service attacks. Known as reflection attacks, the technique has been in use for at least five years.
Note
- You should be highly aware of what your domain controllers are talking to. At a minimum, don’t expose CLDAP (389/UDP) to the Internet. Limit access to LDAP services on your domain controllers to authorized systems, and implement measures to block spoofed IP traffic, such as RPF.
- And yet again: why is this even exposed to the internet? I hope with “managing your attack surface” becoming more of a vendor buzzword, organizations may finally figure out how to configure a basic firewall.
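One way to act on the first note, knowing what your domain controllers are talking to on 389/UDP, is to run flow records past a small check that flags DCs answering CLDAP queries from outside the network and the amplification they deliver. This is an added example, not code from Black Lotus Labs or Lumen; the record format, the addresses and byte counts, and the INTERNAL_NETS prefix list are all constructed assumptions.

```python
"""Flag CLDAP (389/UDP) reflection from domain controllers in flow records.
Added example, not Black Lotus Labs' or Lumen's code: record format, addresses
and byte counts are constructed; INTERNAL_NETS is an assumption to adapt."""
import ipaddress
from collections import defaultdict

CLDAP_PORT = 389
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed records: src_ip src_port dst_ip dst_port proto bytes.
# 10.0.0.5 is a DC; 198.51.100.9 is an Internet host receiving far more
# CLDAP response bytes than it sent in queries (a reflection victim).
FLOW_LOG = """\
10.0.1.20 61000 10.0.0.5 389 udp 64
10.0.0.5 389 10.0.1.20 61000 udp 1460
198.51.100.9 40000 10.0.0.5 389 udp 52
10.0.0.5 389 198.51.100.9 40000 udp 3100
198.51.100.9 40001 10.0.0.5 389 udp 52
10.0.0.5 389 198.51.100.9 40001 udp 3100
203.0.113.77 443 10.0.0.5 51234 tcp 1200
"""

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_flows(text: str):
    """Yield (src, sport, dst, dport, proto, nbytes) from whitespace records."""
    for line in filter(str.strip, text.splitlines()):
        src, sport, dst, dport, proto, nbytes = line.split()
        yield src, int(sport), dst, int(dport), proto.lower(), int(nbytes)

def cldap_exposure(text: str, min_ratio: float = 10.0) -> dict:
    """Per DC: external UDP/389 peers, bytes in/out, amplification ratio, and
    a reflector flag set when responses are >= min_ratio times the queries."""
    stats = defaultdict(lambda: {"peers": set(), "bytes_in": 0, "bytes_out": 0})
    for src, sport, dst, dport, proto, nbytes in parse_flows(text):
        if proto != "udp":
            continue
        if dport == CLDAP_PORT and is_internal(dst) and not is_internal(src):
            stats[dst]["peers"].add(src)        # query from outside reaching a DC
            stats[dst]["bytes_in"] += nbytes
        elif sport == CLDAP_PORT and is_internal(src) and not is_internal(dst):
            stats[src]["peers"].add(dst)        # CLDAP answer leaving the network
            stats[src]["bytes_out"] += nbytes
    for s in stats.values():  # inf ratio: answers went out with no query seen
        s["amplification"] = s["bytes_out"] / s["bytes_in"] if s["bytes_in"] else float("inf")
        s["reflector"] = s["bytes_out"] > 0 and s["amplification"] >= min_ratio
    return dict(stats)
```

Any DC that appears in the result at all is reachable on 389/UDP from outside, which the note above says should never be the case; the reflector flag just tells you which ones are already being used.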
Read more in
- CLDAP Reflectors On The Rise Despite Best Practice
- Meet the Windows servers that have been fueling massive DDoSes for months
Overview: Increased CLDAP exposure
Lumen’s Black Lotus Labs warned this week that the number of CLDAP servers exposed on the internet has grown by 60% over the last 12 months, to more than 12K distinct IPs. More worrying, some of these CLDAP servers have already been abused in DDoS attacks, with a single instance reflecting and amplifying up to 17 Gbps of traffic for the attackers. Read more: CLDAP Reflectors On The Rise Despite Best Practice
We’ve seen one CLDAP reflector emit 17 Gbps 👀 Are they all this strong? If so, just 10% of them could generate a full 1+ Tbps attack
— Black Lotus Labs (@BlackLotusLabs) October 25, 2022