LDAP Amplification Attack
When you notice that a network is sending hundreds of gigabytes of data to foreign countries, it immediately raises a flag. This was the view we had in the dashboard of a Cisco Meraki security appliance earlier this week, and it demonstrates the importance of properly protecting a network, the power of simple reporting dashboards even for small customer networks, and the value of regular penetration testing. I share it because it is a great example of a specific type of attack.
The attack was not directly against this unsuspecting network; rather, the network was being used (along with others) to perform a DDoS attack against other targets. The network administrator had not restricted inbound UDP port 389 traffic, the port commonly used for LDAP queries, to specific sources. Since any address was permitted to initiate an LDAP query, the attacker could script a small LDAP search request and trigger a large response.
searchRequest(7) "<ROOT>" baseObject
By spoofing the source address of the query, the attacker directed the large LDAP responses at other targets, creating a DDoS attack. Notice that the inbound traffic is destined for UDP port 389, while the response traffic is sent to UDP port 80 on the spoofed source address.
As you can see from the picture below, this produced an amplification factor of roughly 40x: the attacker sent 2.46 GB of LDAP requests and was able to direct 97.10 GB of LDAP responses at the target. The amplification comes from the LDAP response being far larger than the query that triggers it.
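To make the dashboard numbers concrete, here is an added detection example (not code from the original post or from Meraki) that computes the same request-to-response ratio from flow records: small inbound UDP/389 requests from outside the network answered by much larger outbound UDP/389 responses. The flow tuples, the addresses and the 10.0.0.0/8 internal range are constructed.

```python
"""Flag LDAP reflection in flow records: tiny inbound UDP/389 requests from
external addresses answered by much larger outbound UDP/389 responses."""
from collections import defaultdict
import ipaddress

LDAP_PORT = 389

# Constructed sample flows: (proto, src_ip, src_port, dst_ip, dst_port, bytes).
# 10.0.0.5 is the exposed LDAP server; 203.0.113.7 is the spoofed source,
# i.e. the real DDoS victim that receives the reflected responses on port 80.
SAMPLE_FLOWS = [
    ("udp", "203.0.113.7", 80, "10.0.0.5", LDAP_PORT, 52),
    ("udp", "10.0.0.5", LDAP_PORT, "203.0.113.7", 80, 2100),
    ("udp", "203.0.113.7", 80, "10.0.0.5", LDAP_PORT, 48),
    ("udp", "10.0.0.5", LDAP_PORT, "203.0.113.7", 80, 1900),
    ("udp", "198.51.100.2", 50321, "10.0.0.5", LDAP_PORT, 300),   # ordinary query
    ("udp", "10.0.0.5", LDAP_PORT, "198.51.100.2", 50321, 600),
    ("tcp", "198.51.100.2", 50322, "10.0.0.5", LDAP_PORT, 5000),  # TCP LDAP: not spoofable
    ("udp", "10.0.0.9", 53, "203.0.113.7", 33333, 90),            # unrelated DNS traffic
]

def ldap_reflection_stats(flows, internal_net):
    """Per external peer: [bytes sent to UDP/389, bytes received from UDP/389]."""
    net = ipaddress.ip_network(internal_net)
    def inside(ip):
        return ipaddress.ip_address(ip) in net
    stats = defaultdict(lambda: [0, 0])
    for proto, src, sport, dst, dport, nbytes in flows:
        if proto != "udp":
            continue
        if dport == LDAP_PORT and inside(dst) and not inside(src):
            stats[src][0] += nbytes   # inbound request (source may be spoofed)
        elif sport == LDAP_PORT and inside(src) and not inside(dst):
            stats[dst][1] += nbytes   # outbound response to that address
    return dict(stats)

def amplification_factor(bytes_in, bytes_out):
    """Response bytes per request byte; a peer that sent nothing is infinite."""
    return bytes_out / bytes_in if bytes_in else float("inf")

def flag_reflection(flows, internal_net, min_factor=10.0, min_out_bytes=1000):
    """Return (peer, bytes_in, bytes_out, factor) for peers that look like victims."""
    alerts = []
    for peer, (b_in, b_out) in ldap_reflection_stats(flows, internal_net).items():
        factor = amplification_factor(b_in, b_out)
        if b_out >= min_out_bytes and factor >= min_factor:
            alerts.append((peer, b_in, b_out, round(factor, 1)))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in flag_reflection(SAMPLE_FLOWS, "10.0.0.0/8"):
        print("possible LDAP reflection toward %s: %d B in, %d B out (%.1fx)" % alert)
```

Applied to the dashboard totals (2.46 GB in, 97.10 GB out), amplification_factor returns about 39.5, the "40x" quoted above.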
Putting aside concerns about compromising the firm's Active Directory (which are serious enough), this amplification attack is yet another reason that network administrators and IT professionals must think carefully before allowing traffic from all remote IP addresses. Port scans happen continuously, and the bad guys WILL find and exploit a weakness like this quickly.
One note about a feature that many next-generation firewalls include: Layer 7 firewall rules. During incident response we sometimes create a triage rule that drops all traffic not originating within our geographic realm (US and Canada). Here is one of the rules we often add.
Preventing attacks like the LDAP Amplification Attack described here is the job of every IT professional. At Infranet Technologies Group, we implement business-grade network and security solutions to protect your critical business assets.
Really helpful article, thank you!! I have a question; if you have some time to reply I would be grateful. Is the information in the screenshot from Wireshark enough evidence to tell if it's an LDAP attack, or do I need to investigate further? Thanks for sharing and for your time.
Great write-up, Garth! Thanks for sharing.