DDoS attacks could soon be ramped up to unthinkable levels

New amplification technique means we could be looking at assaults of 35Tbps

Lately, we’ve been hearing about some huge DDoS attacks, but apparently these could be regarded as relative small fry thanks to a freshly discovered amplification technique which is ripe to be fully exploited.

This new hatful of DDoS hell comes in the form of a zero-day attack vector that leverages the Lightweight Directory Access Protocol (or LDAP, the directory service protocol used in most servers) to effectively amplify a distributed denial of service attack.

This technique was spotted being used last week in an attack on one of Corero Network Security’s clients, but the worry is that it might be employed in conjunction with a massive botnet-powered volley of DDoS to make for a blast of staggering proportions.

In fact, according to Corero, this method could amplify attacks by a factor of as much as 55. So if we look at the recent attack against the website of security researcher Brian Krebs which hit 620Gbps by using the Mirai botnet, that could potentially be amplified into something like 35Tbps of traffic.

Or indeed take the recent attack on OVH.com, the French hosting company, which hit 799Gbps and could be amplified to more like 45Tbps, in theory. Admittedly that’s using peak amplification figures and an absolute worst-case scenario, but the average amplification factor is around 46 times, not too far away from the maximum potential factor of 55. 

And if you combine a botnet of compromised IoT devices with this sort of supercharging, the victim is in for not just a world of pain, but an entire galaxy of the stuff.

 DNS dangers

There’s also the worrying prospect of this sort of level of attack being aimed at major DNS providers such as Dyn, which was bombarded late last week, an assault that resulted in the downing of multiple major websites including Twitter, Spotify, Netflix and Reddit.

Dave Larson, CTO/COO at Corero, commented: “LDAP is not the first, and will not be the last, protocol or service to be exploited in this fashion. Novel amplification attacks like this occur because there are so many open services on the Internet that will respond to spoofed record queries. However, a lot of these attacks could be eased by proper service provider hygiene, by correctly identifying spoofed IP addresses before these requests are admitted to the network.”

He continued: “Specifically, following the best common practice, BCP 38, described in the Internet Engineering Task Force (IETF) RFC 2827, which describes router configurations that are designed to eliminate spoofed IP address usage by employing meaningful ingress filtering techniques, would reduce the overall problem of reflected DDoS by at least an order of magnitude.”