Skip to Content

Increased CLDAP exposure used to magnify DDoS attacks

Updated on 2022-10-28: Misconfigured CLDAP Services are Being Used to Magnify DDoS Attacks

According to researchers from Black Lotus Labs, misconfigured Connectionless Lightweight Directory Access Protocol (CLDAP) services on Microsoft domain controllers are being used to amplify distributed denial-of-service attacks. Known as reflection attacks, the technique has been in used for at least five years.


  • You should be highly aware of what your domain controllers are talking to. At a minimum, don’t expose CLDAP (389/UDP) to the Internet. Limit access to LDAP services on your domain controllers to authorized systems, and implement measures to block spoofed IP traffic, such as RPF.
  • And yet again: why is this even exposed to the internet? I hope with “managing your attack surface” becoming more of a vendor buzz word, organizations may finally figure out how to configure a basic firewall.


Overview: Increased CLDAP exposure

Lumen’s Black Lotus Lab warned this week that they’ve observed that the number of CLDAP servers exposed on the internet has increased by 60% to more than 12K distinct IPs over the last 12 months. More worrisome is that some CLDAP servers have been seen being abused in DDoS attacks, with one single instance reflecting and amplifying traffic for the attackers of up to 17 Gbps. Read more: CLDAP Reflectors On The Rise Despite Best Practice

    Ads Blocker Image Powered by Code Help Pro

    It looks like you are using an adblocker.

    Ads keep our content free. Please consider supporting us by allowing ads on