Reflection attacks: Don’t be part of the problem

Richi Jennings
Blog Author

Richi Jennings, Independent industry analyst, editor, and content strategist. Read More...


Once again, Microsoft is under fire for shipping a service that can easily be misused for DDoS attacks. CLDAP — basically LDAP over UDP — can be weaponized to generate huge spikes of bandwidth.

Once again, Redmond shows devs what not to do. If your app or service is exposed to the internet, how does it behave when fed forged packets? Can it be misused by hackers to reflect and amplify traffic to an innocent third party?

Learning from other devs’ mistakes is the only possible silver lining in this cloudy nightmare. In this week’s Secure Software Blogwatch, we take a long, hard look in the mirror.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Inktober.

We see you

What’s the craic? Alfonso Maruccia reports — “Reflection DDoS attacks are on the rise again”:

Powerful DDoS attacks
A resurgence in vulnerable CLDAP servers is making DDoS attacks more powerful and dangerous. … In the last 12 months, there has been a more than 60% increase in CLDAP abuse with over 12,000 instances of "zombified" servers

A "reflection attack" is again finding widespread use by cyber-criminals, abusing unprotected Microsoft servers to overload targeted websites with traffic. … This attack vector spoofs the target's IP address and sends a UDP request to one or more third parties. Those servers then respond to the spoofed address, which reflects back, creating a feedback loop.

[It] amplifies the traffic tens, hundreds, or thousands of times and conceals the attacker's IP. … The most troublesome CLDAP reflectors are the ones hackers have used for years in multiple powerful DDoS attacks.

And Dan Goodin checks in — “Meet the Windows servers … fueling massive DDoSes”:

Record-breaking DDoSes
A small retail business in North Africa, a North American telecommunications provider, and two separate religious organizations: What do they have in common? They’re all running poorly configured Microsoft servers that for months or years have been spraying the Internet with gigabytes per second of junk data.

Recently published research … identified more than 12,000 servers—all running Microsoft domain controllers hosting the company’s Active Directory services—that were regularly used to magnify the size of distributed-denial-of-service attacks, or DDoSes. … A Microsoft derivation of the industry-standard Lightweight Directory Access Protocol, CLDAP uses User Datagram Protocol packets.

Some of the better-known reflectors are misconfigured servers running services such as open DNS resolvers, the network time protocol, Memcached for database caching, and the WS-Discovery protocol found in Internet of Things devices. Also known as amplification attacks, these reflection techniques allow record-breaking DDoSes to be delivered by the tiniest of botnets.

Who did the research? Chad Davis — “CLDAP Reflectors On The Rise”:

17 Gbps
Despite the industry’s firm understanding of the mechanics of UDP reflection … we continue to find plenty of vulnerable services out there, ready and waiting to generate a voluminous stream of junk traffic. … With a high Bandwidth Amplification Factor (BAF) of 56 to 70x and common deployment onto systems provisioned with healthy bandwidth, CLDAP reflectors reliably add traffic volume to the DDoS recipe.

As a case study, let’s consider a CLDAP service hosted on an IP address … affiliated with a religious organization. … The specific targets change, but the reflector dutifully directs several Gbps of traffic when called to do so. … We have [seen] it throwing gigabits per second of traffic at an array of targets [peaking at] 17 Gbps. … Marshalling even 10% of existing CLDAP reflectors in an attack could generate traffic in the Terabits per second range.

A BAF of 70x? That’s nothing. u/Beef_Studpile is an incident responder:

I always chuckle when I hear about ddos reflection attacks and think back to [the Mitel MiVoice vuln] where every packet results in 4.3 billion packets in response.

Other researchers agree the problem’s getting worse. Benjamin Yip offers this “DDoS Statistical Report”:

UDP based attacks in the first half of 2022 increased by 77.53% compared to the second half of 2021. … Amplification attacks increased by 106.65% in the same period.

What can developers learn from Microsoft’s mistakes? chilinux summarizes the problem:

Microsoft may not ultimately be responsible for their customers but they have not really been part of the solution either. … Even as of Windows Server 2022 it seems … if you enable LDAP from Microsoft on Windows, then you always also end up with LDAP over UDP enabled as well. To be extra "helpful," enabling the LDAP role also usually adds rules to the Windows Firewall to allow all CLDAP packets from any IP address.

If enough customers shoot themselves in the foot with a gun, at some point someone might ask why that specific manufacturer … has no safety switch when the rest of the industry has one. Or if enough people get killed in car accidents in cars that … have no bumper, seat belts or airbags then someday the question might be why those cars ship like that?

It’s not as if Microsoft wasn’t warned. Here’s bill_mcgonigle:

Oh lord, they didn't even learn from NTP amplification attacks. Shocked, I say, shocked. Unfortunately, not liable, so why should they care?

Especially as it’s still the default behavior. Jim Salter waxes excoriating:

Given Microsoft's position in the market … they share some culpability for building services this useful for DDoS amplification without also building in mollyguards to detect when they’re made internet-accessible, and strenuously warn their idiot owners.

Meanwhile, pointing at the parlor’s pachyderm jiggawatts asks the obvious question:

Wait. … There are thousands of Windows Domain Controllers just "on" the Internet‽ What are these people thinking?

And Finally:



Previously in And finally

You have been reading Secure Software Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or ssbw@richi.uk. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Anais Gómez-C (cc:by-sa; leveled and cropped)