LDAP Attack Vector Makes Terabit-Scale DDoS Attacks Possible

A new zero-day distributed denial of service (DDoS) attack vector could open the flood gates for terabit-scale DDoS events, researchers at Corero Network Security warn.

The new zero-day attack vector has already been observed in a live incident and relies on the Lightweight Directory Access Protocol (LDAP), which is used to look up username and password information in directories such as Active Directory. By leveraging amplification, cybercriminals can inflict significant damage on their targets, the security researchers say.

According to Corero, the technique yields an amplification factor of around 46x on average, peaking at 55x. The security company also explains that an attacker could send a simple query to a vulnerable reflector supporting the Connectionless LDAP service (CLDAP), which runs over UDP. With source address spoofing, the query appears to originate from the intended victim.

Because the CLDAP service would respond to the spoofed address, unwanted network traffic would be immediately sent to the attacker’s intended target. What’s more, the use of amplification techniques would allow actors to intensify the size of attacks, because the LDAP servers generate responses much larger than the attacker’s queries.

“In this case, the LDAP service responses are capable of reaching very high bandwidth and we have seen an average amplification factor of 46x and a peak of 55x,” the security company says. The CLDAP zero-day vulnerability was observed being leveraged in short but powerful attacks last week, and is expected to reshape the landscape to the point where recent large-scale incidents would seem small by comparison.
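A defender-side check for the traffic pattern described above, as an added example that is not from the article or from Corero: it reads constructed flow records (the line format and all addresses are assumptions) and flags (reflector, destination) pairs where UDP/389 reply bytes exceed the matching query bytes by more than a chosen ratio, which is how a spoofed CLDAP reflection shows up from the reflector's or its network's vantage point.

```python
"""Flag CLDAP (UDP/389) reflection by comparing reply bytes to query bytes."""
from collections import defaultdict

CLDAP_PORT = 389
MIN_AMP_RATIO = 10.0  # conservative; Corero reported 46x average, 55x peak

def parse_flow(line):
    """Parse a constructed flow line 'src:port > dst:port PROTO bytes' into
    (src_ip, src_port, dst_ip, dst_port, proto, nbytes)."""
    src, _, dst, proto, nbytes = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return sip, int(sport), dip, int(dport), proto, int(nbytes)

def cldap_amplification(flows):
    """Per (reflector, client) pair, sum UDP/389 query bytes and reply bytes.
    Under source spoofing the 'client' the reflector sees is the victim."""
    bytes_in, bytes_out = defaultdict(int), defaultdict(int)
    for sip, sport, dip, dport, proto, nbytes in flows:
        if proto != "UDP":
            continue
        if dport == CLDAP_PORT:
            bytes_in[(dip, sip)] += nbytes       # query into the reflector
        elif sport == CLDAP_PORT:
            bytes_out[(sip, dip)] += nbytes      # reply out of the reflector
    findings = []
    for (reflector, victim), out in bytes_out.items():
        inn = bytes_in.get((reflector, victim), 0)
        # Replies with no observed query (spoofed from beyond our vantage
        # point) are the worst case: treat the ratio as unbounded.
        ratio = out / inn if inn else float("inf")
        if ratio >= MIN_AMP_RATIO:
            findings.append({"reflector": reflector, "victim": victim,
                             "bytes_in": inn, "bytes_out": out, "ratio": ratio})
    return findings

# Constructed sample: a normal 3x lookup, then a 48x stream aimed at 203.0.113.10
SAMPLE_FLOWS = [
    "198.51.100.7:55000 > 192.0.2.5:389 UDP 60",
    "192.0.2.5:389 > 198.51.100.7:55000 UDP 180",
    "203.0.113.10:40001 > 192.0.2.5:389 UDP 520",
    "192.0.2.5:389 > 203.0.113.10:40001 UDP 24960",
]

def run_sample():
    return cldap_amplification(parse_flow(line) for line in SAMPLE_FLOWS)
```

The same logic applies to other UDP reflectors by changing the port; a ratio of infinity means the reflector is answering addresses that never sent a query through your monitored path, which is exactly the spoofed case.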

The use of this technique in live attacks could result in incidents that peak at tens of terabits per second in size, the security researchers say. Such attacks would be possible if this zero-day DDoS attack vector is combined with the power of Internet of Things botnets such as Mirai, which was recently used in a 655 Gbps attack against Brian Krebs’s website.

With the Mirai source code released online and hundreds of thousands of Internet of Things (IoT) devices found vulnerable to it, the number of attacks leveraging the botnet has increased and the DDoS landscape could become even more volatile in the foreseeable future, researchers say. In fact, Mirai has already been used in an attack against DNS provider Dyn.

“When combined with other methods, particularly IoT botnets, we could soon see attacks reaching previously unimaginable scale, with far-reaching impact. Terabit scale attacks could soon become a common reality and could significantly impact the availability of the Internet – at least degrading it in certain regions,” Dave Larson, CTO/COO at Corero Network Security, explains.

Because today’s DDoS attacks are increasingly automated, attackers can switch vectors faster than any human can respond, Larson also said. Thus, automated mitigation techniques are required to effectively protect networks against this type of DDoS attack vector. Short-duration, high-volume attacks will make it impossible for legacy solutions to identify and properly mitigate such incidents, he added.

Related: What’s the Fix for IoT DDoS Attacks?

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
