SlideShare ist ein Scribd-Unternehmen logo

Cldap threat-advisory

Andrey Apuhtin
Andrey Apuhtin

Cldap threat-advisory

Software
1 von 8
Downloaden Sie, um offline zu lesen
THREAT ADVISORY CLDAP Reflection DDoS Risk Factor: Medium TLP: Green Authors: Jose Arteaga & Wilber Mejia
Threat Advisory: CLDAP Reflection DDoS 2 Issue Date: 4.3.17 1.0 / Overview / On October 14, 2016, the Akamai Security Operation Center (soc) began mitigating attacks for what was suspected to be Connection-less Lightweight Directory Access Protocol (cldap) reflection. This new reflection and amplification method has since been confirmed by the Akamai Security Intelligence Response Team (sirt) and has been observed producing Distributed Denial of Service (DDoS) attacks, comparable to Domain Name System (dns) reflection in that most exceed 1 Gbps. Similarly to many other reflection and amplification attack vectors, this is one that would not be possible if proper ingress filtering was in place. Potential hosts are discovered using internet scans, and filtering User Datagram Protocol (udp) destination port 389, to eliminate the discovery of another potential host fueling attacks. This advisory will cover the distribution of these sources, methods of attack, and target industries observed. 2.0 / Attack Timeline / Since October 2016, Akamai has detected and mitigated a total of 50 cldap reflection attacks. Of those 50 attack events, 33 were single vector attacks using cldap reflection exclusively. Figure 1 provides a timeline of attacks, showing attack size and detailing if the attack was single or multi-vector. While the gaming industry is typically the most targeted industry for attacks, observed cldap attacks have mostly been targeting the software & technology industry along with six other industries.  Figure 1: CLDAP reflection attacks from October 14, 2016 – January 13 2017. Attacks with additional vectors are orange.
Threat Advisory: CLDAP Reflection DDoS 3 2.1 / Highlighted Attack Attributes / On January 7, 2017, the largest DDoS attack using cldap reflection as the sole vector was observed and mitigated by Akamai. Attributes of the attack were as follows: • Industry Vertical: Internet Telecom • Peak Bandwidth: 24 Gigabits per second • Peak Packets per Second: 2 Million Packets per second • Attack Vector: cldap • Source Port: 389 • Destination Port: Random   Figure 2: Target industry count for DDoS attacks containing CLDAP reflection. CLDAP Reflection Attack — Largest Observed Response is 3,662 Bytes: 17:35:25.728099 IP A.A.A.A.389 Z.Z.Z.Z.46414: UDP, bad length 3006 1472 17:35:25.728102 IP B.B.B.B.389 Z.Z.Z.Z.38980: UDP, bad length 3662 1472 17:35:25.728106 IP A.A.A.A Z.Z.Z.Z: ip-proto-17 17:35:25.728110 IP A.A.A.A Z.Z.Z.Z: ip-proto-17 17:35:25.728115 IP B.B.B.B Z.Z.Z.Z: ip-proto-17 17:35:25.728127 IP B.B.B.B Z.Z.Z.Z: ip-proto-17 Figure 3: CLDAP reflection attack signature with 3,006 and 3,662 of respective response data.
Threat Advisory: CLDAP Reflection DDoS 4 Signatures of this attack reveal that it is capable of impressive amplification factors. After the first few waves of attacks using cldap, Akamai sirt was able to obtain sample malicious Lightweight Directory Access Protocol (ldap) reflection queries. The query payload is only 52 bytes and is discussed further in the “attack cldap overview” section. This means that, the Base Amplification Factor (baf) for the attack data payload of 3,662 bytes, and a query payload of 52 bytes, was 70x , although only one host was revealed to exhibit that response size. Post attack analysis showed that the average amplification during this attack was 56.89x. This 24 Gbps attack was the largest mitigated by Akamai to date. In contrast, the smallest observed attack Akamai has seen using this vector was 300 Mbps, and the average attack bandwidth for a cldap attack has been 3 Gbps. 2.2 / Attack CLDAP Overview / First described in rfc 1798, cldap has had additional functionality added by Microsoft. It was intended as an efficient alternative to ldap queries over Transmission Control Protocol (tcp). Consequently, cldap does not support the full features available in ldap. During the initial stages of this attack, Akamai SIRT observed the following malicious cldap queries attempting to reflect ldap response data to various targets. Figure 4 contains the queries observed during an actual cldap reflection attack. These were sourced from a handful of servers (the intended targets) destined for a few ldap hosts. Using the same data payloads observed above, this query could be easily reproduced using a tool such as Scapy. Lab tests were conducted using a virtualized instance of Windows Server and Linux with Scapy. Sending the query from the Linux host to the Windows server initially produced no response. However, once the Windows server was setup as a domain controller, and began to listen on udp and tcp port 389, the following transaction was captured. 13:55:57.962697 IP X.X.X.X.57852 X.X.X.X.389: UDP, length 52 13:55:57.963784 IP X.X.X.X.33850 X.X.X.X.389: UDP, length 52 13:55:57.964392 IP X.X.X.X.47097 X.X.X.X.389: UDP, length 52 13:55:57.965226 IP X.X.X.X.47728 X.X.X.X.389: UDP, length 52 Figure 4: Malicious CLDAP queries sent to destination port 389. Only 52 bytes of data per query.
Threat Advisory: CLDAP Reflection DDoS 5 The first 2 response payloads contained most of the data at a size of 1,472 bytes and 1,480 respectively. The last fragment contained the remaining 10 bytes. This is from a fresh instance of Windows Server 2012 r2, with no other option or setting adjustment. Other versions may produce different payload sizes.   Figure 5: CLDAP query packet. CLDAP Query Test and Response in a Lab Test 11:37:04.281079 IP linux_host.23424 windows_server.389: UDP, length 52 11:37:04.282207 IP windows_server.389 linux_host.23424: UDP, bad length 2962 1472 11:37:04.282223 IP windows_server linux_host: ip-proto-17 11:37:04.282227 IP windows_server linux_host: ip-proto-17 CLDAP Sample of Printable Response Text Packet 1 2[`0vdm0e0currentTime120170213163705.0Z0WsubschemaSubentry1CN=Aggregate,CN=Schema,CN=Configu- ration,DC=locallab,DC=local0 dsServiceName1zxCN=NTDS Settings,CN=WIN-U5K3VOF1HE3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,D- C=locallab,DC snip Packet 2 snip WIN-U5K3VOF1HE3.locallab.local0GldapServiceName10.locallab.local:win-u5k3vof1he3$@LOCALLAB.LOCAL0{ serverName1igCN=WIN-U5K3VOF1HE3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=locall ab,DC=local0supportedCapabilities11.2.840. 113556.1.4.8001.2.840.113556.1.4.16701.2.840.113556.1.4.17911.2.840. 113556.1.4.19351.2.840.113556.1.4.20801.2.840.113556.1.4.22370isSynchronized1TRUE0”isGlobalCatalogReady1TR UE0domainFunctionality160forestFunctionality160(domainControllerFunctionality160e Figure 6: CLDAP query to Windows 2012 server with 2,962 byte reply.
Threat Advisory: CLDAP Reflection DDoS 6 The message size and contents can vary from what was observed during these attacks. This includes server configuration parameters and other settings. The observed reflection-based attacks are launched using so called “attack scripts”. These attack scripts are usually written using the c-programming language, and are very similar from one vector to another. In fact, there is minimal effort required to adapt one attack script to a completely different attack vector like cldap reflection. The options commonly available with these attack scripts are target_ip, target_port, list of reflectors, and time limit. When executed, the target ip becomes the source of all of the 52 byte query payloads. These are then sent rapidly to every server in the supplied reflector list. From there, the cldap servers do as they are designed and reply to the query. As a result, the target of this attack must deal with a flood of unsolicited cldap responses. 2.3 / Source Distribution / Combined with sources collected from both the Prolexic (plx) routed mitigation solution and Akamai perimeter firewall, a total of 7,629 unique cldap reflectors were observed in attacks. The largest concentration of these were located within the u.s. This is based only on sources collected during actual cldap reflection attacks. The usable pool of cldap reflectors is larger as revealed by internet scanning. Akamai sirt also conducted an internet- wide scan for hosts exposed to cldap reflection abuse. This scan resulted in a total of 78,531 unique ip responses. While not as high as the number of hosts available with other reflection vectors with cldap, almost every host is a usable reflector. Figure 7: CLDAP lab generated response payload of 2,962 bytes. Country Count Unites States 1,871 Germany 487 United Kingdom 484 France 436 Canada 376 Other 3,975 Figure 8: CLDAP reflector source country
Threat Advisory: CLDAP Reflection DDoS 7 In fact, 78,071 of those hosts responded with more than 1,500 bytes of data. The range of response sizes was anywhere from 1 byte to the max observed in attacks of 3,662 bytes. All hosts combined averaged 2,693.67 bytes of response for a 51.8x amplification factor. 3.0 / Mitigation / Mitigation for cldap reflection begins with filtering of the port in question. The attack is fueled by the number of servers on the Internet with udp port 389 open and listening. Once a server is identified as a viable source for a cldap reflection attack, it will be added to a list of reflectors. Ingress filtering of the cldap port from the Internet will prevent discovery and subsequent abuse of this service. Most reflection methods, except dns and ntp, do not require these ports to be exposed. An alternative is to apply an ids rule, such as the snort rule below. This is specific to the requests observed so far but can be adapted to a more generic ldap search request. This rule is suitable for alerting rather than mitigating and is intended to provide an indicator of an attempt to use your systems as part of a cldap reflection attack. Country Count United States 17,980 Brazil 6,005 France 3,542 United Kingdom 3,495 Germany 3,426 China 3,177 Russian Federation 2,582 Canada 2,207 Colombia 2,072 India 1,987 Other 32,058 Figure 9: CLDAP unique source concentration by country. 2.4 / Top Countries With CLDAP Reflectors / (Internet Scan) ASN Count AS7922 2,787 AS16276 2,633 AS8075 2,443 AS18881 1,345 AS28573 1,122 AS4134 893 AS3215 884 AS8151 839 AS7018 825 AS24940 764 Other 64,302 Figure 10: CLDAP unique source centration by ASN. 2.5 / Top ASNs With CLDAP Reflectors / (Internet Scan) alert udp $EXTERNAL_NET any - $HOME_NET 389 (msg: “CLDAP DDoS Abuse request”; flow: to_server; content: “|30840000002d02010163840000002404000a01000a0100020100020100010100870b- 6f626a656374636c61737330840000000000|”; dsize:5252; classtype:Reflection-Abuse; sid: 201700001; rev:1;) Figure 11: Sample signature for detection of CLDAP abuse for potential reflectors.
Threat Advisory: CLDAP Reflection DDoS 4.0 / Conclusion / udp based reflection attacks consistently comprise more than 50% of all attacks. With new vectors being discovered regularly and many persisting for years, it’s a problem that won’t likely go away anytime soon. One of the primary solutions, is filtering by the organizations hosting these services, and by Internet Service Providers (ISPs) providing home user Internet access. Unless there is a legitimate need for an organization to have cldap available over the Internet, there should be no reason to compound the DDoS reflection problem by exposing this protocol. External auditing policies are one means to provide reporting of services that can be potentially exploited as reflection attacks. For cldap, hosts aren’t in the millions, as initially discovered with other reflection vectors, but the amplification factor has been enough to produce significant attack bandwidth with fewer hosts. Based on similarities shared by udp reflection attack scripts, it is likely that cldap has been included, or will be included, into a full attack script, and integrated into the booter/stresser infrastructure. If it has yet to be included, we may have not seen the worse of these attacks. 5.0 / References / • https://www.scmagazine.com/zero-day-ddos-attack-vector-leverages-ldap-to-amplify- malicious-traffic/article/568309/ • https://packetstormsecurity.com/files/139561/LDAP-Amplication-Denial-Of-Service.html • https://tools.ietf.org/html/rfc1798 • https://msdn.microsoft.com/en-us/library/gg593144.aspx • https://www.us-cert.gov/ncas/alerts/TA14-017A Non-customers can submit inquiries through Akamai’s hotline at 1-877-425-2624, the contact form on our website at http://www.akamai.com/html/forms/sales_form.html, the chat function on our website at http://www.akamai.com/, or on Twitter @akamai. To access other white papers, threat advisories, and research publications, please visit our Security Research and Intelligence section on the Akamai Community. ©2017 Akamai Technologies, Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited. Akamai and the Akamai wave logo are registered trademarks. Other trademarks contained herein are the property of their respective owners. Akamai believes that the information in this publication is accurate as of its publication date; such information is subject to change without notice. Published 04/17. Akamai is headquartered in Cambridge, Massachusetts in the United States with operations in more than 57 offices around the world. Our services and renowned customer care are designed to enable businesses to provide an unparalleled Internet experience for their customers worldwide. Addresses, phone numbers and contact information for all locations are listed on www.akamai.com/locations. About Akamai® As the global leader in Content Delivery Network (cdn) services, Akamai makes the Internet fast, reliable and secure for its customers. The company’s advanced web performance, mobile performance, cloud security and media delivery solutions are revolutionizing how businesses optimize consumer, enterprise and entertainment experiences for any device, anywhere. To learn how Akamai solutions and its team of Internet experts are helping businesses move faster forward, please visit www.akamai.com or blogs.akamai.com, and follow @Akamai on Twitter.

Empfohlen

Cyber-security
Cyber-securityCyber-security
Cyber-securityQasim Zaidi
 
Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)btpsec
 
Ntp in Amplification Inferno
Ntp in Amplification InfernoNtp in Amplification Inferno
Ntp in Amplification InfernoSriram Krishnan
 
Ddos and mitigation methods.pptx
Ddos and mitigation methods.pptxDdos and mitigation methods.pptx
Ddos and mitigation methods.pptxOzkan E
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksSecurity Session
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetDavid Sweigert
 
Type of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleType of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleHimani Singh
 
CEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical HackerCEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical HackerDavid Sweigert
 

Empfohlen

Cyber-security
Cyber-securityCyber-security
Cyber-securityQasim Zaidi
 
Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)btpsec
 
Ntp in Amplification Inferno
Ntp in Amplification InfernoNtp in Amplification Inferno
Ntp in Amplification InfernoSriram Krishnan
 
Ddos and mitigation methods.pptx
Ddos and mitigation methods.pptxDdos and mitigation methods.pptx
Ddos and mitigation methods.pptxOzkan E
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksSecurity Session
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetDavid Sweigert
 
Type of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleType of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleHimani Singh
 
CEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical HackerCEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical HackerDavid Sweigert
 
透视消费者.ppt
透视消费者.ppt透视消费者.ppt
透视消费者.pptwei mingyang
 
DDoS Attack and Mitigation
DDoS Attack and MitigationDDoS Attack and Mitigation
DDoS Attack and MitigationDevang Badrakiya
 
An Empirical Evaluation of TCP Performance in Online Games
An Empirical Evaluation of TCP Performance in Online GamesAn Empirical Evaluation of TCP Performance in Online Games
An Empirical Evaluation of TCP Performance in Online GamesAcademia Sinica
 
TRACEBACK OF DOS OVER AUTONOMOUS SYSTEMS
TRACEBACK OF DOS OVER AUTONOMOUS SYSTEMSTRACEBACK OF DOS OVER AUTONOMOUS SYSTEMS
TRACEBACK OF DOS OVER AUTONOMOUS SYSTEMSIJNSA Journal
 
DepenDNS Analysis
DepenDNS AnalysisDepenDNS Analysis
DepenDNS AnalysisSAIFUR RAHMAN
 
DDoS ATTACKS
DDoS ATTACKSDDoS ATTACKS
DDoS ATTACKSAnil Antony
 
9534715
95347159534715
9534715Pavel Odintsov
 
Informal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIPInformal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIPvanhoefm
 
Security problems in TCP/IP
Security problems in TCP/IPSecurity problems in TCP/IP
Security problems in TCP/IPSukh Sandhu
 
New flaws in WPA-TKIP
New flaws in WPA-TKIPNew flaws in WPA-TKIP
New flaws in WPA-TKIPvanhoefm
 
NTP Final Report
NTP Final ReportNTP Final Report
NTP Final ReportAndrew McGarry
 
London HUG 15/8/17 - Lifeguard
London HUG 15/8/17 - LifeguardLondon HUG 15/8/17 - Lifeguard
London HUG 15/8/17 - LifeguardLondon HashiCorp User Group
 
Firewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth FirewallsFirewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth Firewallsphanleson
 
Vehicular ad hoc_networks
Vehicular ad hoc_networksVehicular ad hoc_networks
Vehicular ad hoc_networksAbdulrub Moshin
 
DDoS Attack Preparation and Mitigation
DDoS Attack Preparation and MitigationDDoS Attack Preparation and Mitigation
DDoS Attack Preparation and MitigationJerod Brennen
 
internet applications
internet applications internet applications
internet applicationsSrinivasa Rao
 
SSL basics and SSL packet analysis using wireshark
SSL basics and SSL packet analysis using wiresharkSSL basics and SSL packet analysis using wireshark
SSL basics and SSL packet analysis using wiresharkAl Imran, CISA
 
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...Felipe Prado
 
Investigating the Use of Synchronized Clocks in TCP Congestion Control
Investigating the Use of Synchronized Clocks in TCP Congestion ControlInvestigating the Use of Synchronized Clocks in TCP Congestion Control
Investigating the Use of Synchronized Clocks in TCP Congestion ControlMichele Weigle
 
Mncs 16-08-3주-변승규-opportunistic flooding in low-duty-cycle wireless sensor ne...
Mncs 16-08-3주-변승규-opportunistic flooding in low-duty-cycle wireless sensor ne...Mncs 16-08-3주-변승규-opportunistic flooding in low-duty-cycle wireless sensor ne...
Mncs 16-08-3주-변승규-opportunistic flooding in low-duty-cycle wireless sensor ne...Seung-gyu Byeon
 
redGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionredGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionRedge Technologies
 
UDP Flood Attack.pptx
UDP Flood Attack.pptxUDP Flood Attack.pptx
UDP Flood Attack.pptxdawitTerefe5
 

Weitere ähnliche Inhalte

Was ist angesagt?

透视消费者.ppt
透视消费者.ppt透视消费者.ppt
透视消费者.pptwei mingyang
 
DDoS Attack and Mitigation
DDoS Attack and MitigationDDoS Attack and Mitigation
DDoS Attack and MitigationDevang Badrakiya
 
An Empirical Evaluation of TCP Performance in Online Games
An Empirical Evaluation of TCP Performance in Online GamesAn Empirical Evaluation of TCP Performance in Online Games
An Empirical Evaluation of TCP Performance in Online GamesAcademia Sinica
 
TRACEBACK OF DOS OVER AUTONOMOUS SYSTEMS
TRACEBACK OF DOS OVER AUTONOMOUS SYSTEMSTRACEBACK OF DOS OVER AUTONOMOUS SYSTEMS
TRACEBACK OF DOS OVER AUTONOMOUS SYSTEMSIJNSA Journal
 
Informal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIPInformal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIPvanhoefm
 
Security problems in TCP/IP
Security problems in TCP/IPSecurity problems in TCP/IP
Security problems in TCP/IPSukh Sandhu
 
New flaws in WPA-TKIP
New flaws in WPA-TKIPNew flaws in WPA-TKIP
New flaws in WPA-TKIPvanhoefm
 
Firewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth FirewallsFirewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth Firewallsphanleson
 
Vehicular ad hoc_networks
Vehicular ad hoc_networksVehicular ad hoc_networks
Vehicular ad hoc_networksAbdulrub Moshin
 
DDoS Attack Preparation and Mitigation
DDoS Attack Preparation and MitigationDDoS Attack Preparation and Mitigation
DDoS Attack Preparation and MitigationJerod Brennen
 
internet applications
internet applications internet applications
internet applicationsSrinivasa Rao
 
SSL basics and SSL packet analysis using wireshark
SSL basics and SSL packet analysis using wiresharkSSL basics and SSL packet analysis using wireshark
SSL basics and SSL packet analysis using wiresharkAl Imran, CISA
 
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...Felipe Prado
 
Investigating the Use of Synchronized Clocks in TCP Congestion Control
Investigating the Use of Synchronized Clocks in TCP Congestion ControlInvestigating the Use of Synchronized Clocks in TCP Congestion Control
Investigating the Use of Synchronized Clocks in TCP Congestion ControlMichele Weigle
 
Mncs 16-08-3주-변승규-opportunistic flooding in low-duty-cycle wireless sensor ne...
Mncs 16-08-3주-변승규-opportunistic flooding in low-duty-cycle wireless sensor ne...Mncs 16-08-3주-변승규-opportunistic flooding in low-duty-cycle wireless sensor ne...
Mncs 16-08-3주-변승규-opportunistic flooding in low-duty-cycle wireless sensor ne...Seung-gyu Byeon
 

Was ist angesagt? (20)

透视消费者.ppt
透视消费者.ppt透视消费者.ppt
透视消费者.ppt
 
DDoS Attack and Mitigation
DDoS Attack and MitigationDDoS Attack and Mitigation
DDoS Attack and Mitigation
 
An Empirical Evaluation of TCP Performance in Online Games
An Empirical Evaluation of TCP Performance in Online GamesAn Empirical Evaluation of TCP Performance in Online Games
An Empirical Evaluation of TCP Performance in Online Games
 
TRACEBACK OF DOS OVER AUTONOMOUS SYSTEMS
TRACEBACK OF DOS OVER AUTONOMOUS SYSTEMSTRACEBACK OF DOS OVER AUTONOMOUS SYSTEMS
TRACEBACK OF DOS OVER AUTONOMOUS SYSTEMS
 
DepenDNS Analysis
DepenDNS AnalysisDepenDNS Analysis
DepenDNS Analysis
 
DDoS ATTACKS
DDoS ATTACKSDDoS ATTACKS
DDoS ATTACKS
 
9534715
95347159534715
9534715
 
Informal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIPInformal Presentation on WPA-TKIP
Informal Presentation on WPA-TKIP
 
Security problems in TCP/IP
Security problems in TCP/IPSecurity problems in TCP/IP
Security problems in TCP/IP
 
New flaws in WPA-TKIP
New flaws in WPA-TKIPNew flaws in WPA-TKIP
New flaws in WPA-TKIP
 
NTP Final Report
NTP Final ReportNTP Final Report
NTP Final Report
 
London HUG 15/8/17 - Lifeguard
London HUG 15/8/17 - LifeguardLondon HUG 15/8/17 - Lifeguard
London HUG 15/8/17 - Lifeguard
 
Firewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth FirewallsFirewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth Firewalls
 
Vehicular ad hoc_networks
Vehicular ad hoc_networksVehicular ad hoc_networks
Vehicular ad hoc_networks
 
DDoS Attack Preparation and Mitigation
DDoS Attack Preparation and MitigationDDoS Attack Preparation and Mitigation
DDoS Attack Preparation and Mitigation
 
internet applications
internet applications internet applications
internet applications
 
SSL basics and SSL packet analysis using wireshark
SSL basics and SSL packet analysis using wiresharkSSL basics and SSL packet analysis using wireshark
SSL basics and SSL packet analysis using wireshark
 
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
 
Investigating the Use of Synchronized Clocks in TCP Congestion Control
Investigating the Use of Synchronized Clocks in TCP Congestion ControlInvestigating the Use of Synchronized Clocks in TCP Congestion Control
Investigating the Use of Synchronized Clocks in TCP Congestion Control
 
Mncs 16-08-3주-변승규-opportunistic flooding in low-duty-cycle wireless sensor ne...
Mncs 16-08-3주-변승규-opportunistic flooding in low-duty-cycle wireless sensor ne...Mncs 16-08-3주-변승규-opportunistic flooding in low-duty-cycle wireless sensor ne...
Mncs 16-08-3주-변승규-opportunistic flooding in low-duty-cycle wireless sensor ne...
 

Ähnlich wie Cldap threat-advisory

redGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionredGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionRedge Technologies
 
UDP Flood Attack.pptx
UDP Flood Attack.pptxUDP Flood Attack.pptx
UDP Flood Attack.pptxdawitTerefe5
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationOlehLevytskyi1
 
Отчет Audit report RAPID7
Отчет Audit report RAPID7 Отчет Audit report RAPID7
Отчет Audit report RAPID7Sergey Yrievich
 
Paper id 41201622
Paper id 41201622Paper id 41201622
Paper id 41201622IJRAT
 
(SEC307) Building a DDoS-Resilient Architecture with Amazon Web Services | AW...
(SEC307) Building a DDoS-Resilient Architecture with Amazon Web Services | AW...(SEC307) Building a DDoS-Resilient Architecture with Amazon Web Services | AW...
(SEC307) Building a DDoS-Resilient Architecture with Amazon Web Services | AW...Amazon Web Services
 
DDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDNDDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDNChao Chen
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...idsecconf
 
Debugging with-wireshark-niels-de-vos
Debugging with-wireshark-niels-de-vosDebugging with-wireshark-niels-de-vos
Debugging with-wireshark-niels-de-vosGluster.org
 
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUE
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUEA MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUE
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUEIJNSA Journal
 
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUE
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUEA MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUE
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUEIJNSA Journal
 
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUE
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUEA MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUE
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUEIJNSA Journal
 
Azure DDoS Protection Standard
Azure DDoS Protection StandardAzure DDoS Protection Standard
Azure DDoS Protection Standardarnaudlh
 

Ähnlich wie Cldap threat-advisory (20)

redGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionredGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solution
 
UDP Flood Attack.pptx
UDP Flood Attack.pptxUDP Flood Attack.pptx
UDP Flood Attack.pptx
 
DDoS.ppt
DDoS.pptDDoS.ppt
DDoS.ppt
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
 
Отчет Audit report RAPID7
Отчет Audit report RAPID7 Отчет Audit report RAPID7
Отчет Audit report RAPID7
 
Report PAPID 7
Report PAPID 7Report PAPID 7
Report PAPID 7
 
R bernardino hand_in_assignment_week_1
R bernardino hand_in_assignment_week_1R bernardino hand_in_assignment_week_1
R bernardino hand_in_assignment_week_1
 
Tunneling
TunnelingTunneling
Tunneling
 
Paper id 41201622
Paper id 41201622Paper id 41201622
Paper id 41201622
 
(SEC307) Building a DDoS-Resilient Architecture with Amazon Web Services | AW...
(SEC307) Building a DDoS-Resilient Architecture with Amazon Web Services | AW...(SEC307) Building a DDoS-Resilient Architecture with Amazon Web Services | AW...
(SEC307) Building a DDoS-Resilient Architecture with Amazon Web Services | AW...
 
MAJOR PROJECT.pptx
MAJOR PROJECT.pptxMAJOR PROJECT.pptx
MAJOR PROJECT.pptx
 
D do s
D do sD do s
D do s
 
DDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDNDDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDN
 
G3t R00t at IUT
G3t R00t at IUTG3t R00t at IUT
G3t R00t at IUT
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
 
Debugging with-wireshark-niels-de-vos
Debugging with-wireshark-niels-de-vosDebugging with-wireshark-niels-de-vos
Debugging with-wireshark-niels-de-vos
 
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUE
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUEA MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUE
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUE
 
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUE
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUEA MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUE
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUE
 
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUE
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUEA MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUE
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUE
 
Azure DDoS Protection Standard
Azure DDoS Protection StandardAzure DDoS Protection Standard
Azure DDoS Protection Standard
 

Mehr von Andrey Apuhtin

Shadow pad technical_description_pdf
Shadow pad technical_description_pdfShadow pad technical_description_pdf
Shadow pad technical_description_pdfAndrey Apuhtin
 
Ftc cdt-vpn-complaint-8-7-17
Ftc cdt-vpn-complaint-8-7-17Ftc cdt-vpn-complaint-8-7-17
Ftc cdt-vpn-complaint-8-7-17Andrey Apuhtin
 
Hutchins redacted indictment
Hutchins redacted indictmentHutchins redacted indictment
Hutchins redacted indictmentAndrey Apuhtin
 
Dr web review_mob_july_2017
Dr web review_mob_july_2017Dr web review_mob_july_2017
Dr web review_mob_july_2017Andrey Apuhtin
 
Nexusguard d do_s_threat_report_q1_2017_en
Nexusguard d do_s_threat_report_q1_2017_enNexusguard d do_s_threat_report_q1_2017_en
Nexusguard d do_s_threat_report_q1_2017_enAndrey Apuhtin
 
Pandalabs отчет за 1 квартал 2017
Pandalabs отчет за 1 квартал 2017Pandalabs отчет за 1 квартал 2017
Pandalabs отчет за 1 квартал 2017Andrey Apuhtin
 
Lookout pegasus-android-technical-analysis
Lookout pegasus-android-technical-analysisLookout pegasus-android-technical-analysis
Lookout pegasus-android-technical-analysisAndrey Apuhtin
 
Apwg trends report_q4_2016
Apwg trends report_q4_2016Apwg trends report_q4_2016
Apwg trends report_q4_2016Andrey Apuhtin
 
News berthaume-sentencing-jan2017
News berthaume-sentencing-jan2017News berthaume-sentencing-jan2017
News berthaume-sentencing-jan2017Andrey Apuhtin
 
Windows exploitation-2016-a4
Windows exploitation-2016-a4Windows exploitation-2016-a4
Windows exploitation-2016-a4Andrey Apuhtin
 

Mehr von Andrey Apuhtin (20)

Shadow pad technical_description_pdf
Shadow pad technical_description_pdfShadow pad technical_description_pdf
Shadow pad technical_description_pdf
 
Ftc cdt-vpn-complaint-8-7-17
Ftc cdt-vpn-complaint-8-7-17Ftc cdt-vpn-complaint-8-7-17
Ftc cdt-vpn-complaint-8-7-17
 
Hutchins redacted indictment
Hutchins redacted indictmentHutchins redacted indictment
Hutchins redacted indictment
 
Dr web review_mob_july_2017
Dr web review_mob_july_2017Dr web review_mob_july_2017
Dr web review_mob_july_2017
 
Dmarc
DmarcDmarc
Dmarc
 
Nexusguard d do_s_threat_report_q1_2017_en
Nexusguard d do_s_threat_report_q1_2017_enNexusguard d do_s_threat_report_q1_2017_en
Nexusguard d do_s_threat_report_q1_2017_en
 
Pandalabs отчет за 1 квартал 2017
Pandalabs отчет за 1 квартал 2017Pandalabs отчет за 1 квартал 2017
Pandalabs отчет за 1 квартал 2017
 
Sel03129 usen
Sel03129 usenSel03129 usen
Sel03129 usen
 
Lookout pegasus-android-technical-analysis
Lookout pegasus-android-technical-analysisLookout pegasus-android-technical-analysis
Lookout pegasus-android-technical-analysis
 
Rand rr1751
Rand rr1751Rand rr1751
Rand rr1751
 
Apwg trends report_q4_2016
Apwg trends report_q4_2016Apwg trends report_q4_2016
Apwg trends report_q4_2016
 
Browser history
Browser historyBrowser history
Browser history
 
Software
SoftwareSoftware
Software
 
Antivirus
AntivirusAntivirus
Antivirus
 
Https interception
Https interceptionHttps interception
Https interception
 
Wilssc 006 xml
Wilssc 006 xmlWilssc 006 xml
Wilssc 006 xml
 
News berthaume-sentencing-jan2017
News berthaume-sentencing-jan2017News berthaume-sentencing-jan2017
News berthaume-sentencing-jan2017
 
Windows exploitation-2016-a4
Windows exploitation-2016-a4Windows exploitation-2016-a4
Windows exploitation-2016-a4
 
Mw stj 08252016_2
Mw stj 08252016_2Mw stj 08252016_2
Mw stj 08252016_2
 
150127iotrpt
150127iotrpt150127iotrpt
150127iotrpt
 

Kürzlich hochgeladen

CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
Test Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendTest Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendArshad QA
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about usDynamic Netsoft
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 

Kürzlich hochgeladen (20)

CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Test Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendTest Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and Backend
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 

Cldap threat-advisory

  • 1. THREAT ADVISORY CLDAP Reflection DDoS Risk Factor: Medium TLP: Green Authors: Jose Arteaga & Wilber Mejia
  • 2. Threat Advisory: CLDAP Reflection DDoS 2 Issue Date: 4.3.17 1.0 / Overview / On October 14, 2016, the Akamai Security Operation Center (soc) began mitigating attacks for what was suspected to be Connection-less Lightweight Directory Access Protocol (cldap) reflection. This new reflection and amplification method has since been confirmed by the Akamai Security Intelligence Response Team (sirt) and has been observed producing Distributed Denial of Service (DDoS) attacks, comparable to Domain Name System (dns) reflection in that most exceed 1 Gbps. Similarly to many other reflection and amplification attack vectors, this is one that would not be possible if proper ingress filtering was in place. Potential hosts are discovered using internet scans, and filtering User Datagram Protocol (udp) destination port 389, to eliminate the discovery of another potential host fueling attacks. This advisory will cover the distribution of these sources, methods of attack, and target industries observed. 2.0 / Attack Timeline / Since October 2016, Akamai has detected and mitigated a total of 50 cldap reflection attacks. Of those 50 attack events, 33 were single vector attacks using cldap reflection exclusively. Figure 1 provides a timeline of attacks, showing attack size and detailing if the attack was single or multi-vector. While the gaming industry is typically the most targeted industry for attacks, observed cldap attacks have mostly been targeting the software & technology industry along with six other industries.  Figure 1: CLDAP reflection attacks from October 14, 2016 – January 13 2017. Attacks with additional vectors are orange.
  • 3. Threat Advisory: CLDAP Reflection DDoS 3 2.1 / Highlighted Attack Attributes / On January 7, 2017, the largest DDoS attack using cldap reflection as the sole vector was observed and mitigated by Akamai. Attributes of the attack were as follows: • Industry Vertical: Internet Telecom • Peak Bandwidth: 24 Gigabits per second • Peak Packets per Second: 2 Million Packets per second • Attack Vector: cldap • Source Port: 389 • Destination Port: Random   Figure 2: Target industry count for DDoS attacks containing CLDAP reflection. CLDAP Reflection Attack — Largest Observed Response is 3,662 Bytes: 17:35:25.728099 IP A.A.A.A.389 Z.Z.Z.Z.46414: UDP, bad length 3006 1472 17:35:25.728102 IP B.B.B.B.389 Z.Z.Z.Z.38980: UDP, bad length 3662 1472 17:35:25.728106 IP A.A.A.A Z.Z.Z.Z: ip-proto-17 17:35:25.728110 IP A.A.A.A Z.Z.Z.Z: ip-proto-17 17:35:25.728115 IP B.B.B.B Z.Z.Z.Z: ip-proto-17 17:35:25.728127 IP B.B.B.B Z.Z.Z.Z: ip-proto-17 Figure 3: CLDAP reflection attack signature with 3,006 and 3,662 of respective response data.
  • 4. Threat Advisory: CLDAP Reflection DDoS 4 Signatures of this attack reveal that it is capable of impressive amplification factors. After the first few waves of attacks using cldap, Akamai sirt was able to obtain sample malicious Lightweight Directory Access Protocol (ldap) reflection queries. The query payload is only 52 bytes and is discussed further in the “attack cldap overview” section. This means that, the Base Amplification Factor (baf) for the attack data payload of 3,662 bytes, and a query payload of 52 bytes, was 70x , although only one host was revealed to exhibit that response size. Post attack analysis showed that the average amplification during this attack was 56.89x. This 24 Gbps attack was the largest mitigated by Akamai to date. In contrast, the smallest observed attack Akamai has seen using this vector was 300 Mbps, and the average attack bandwidth for a cldap attack has been 3 Gbps. 2.2 / Attack CLDAP Overview / First described in rfc 1798, cldap has had additional functionality added by Microsoft. It was intended as an efficient alternative to ldap queries over Transmission Control Protocol (tcp). Consequently, cldap does not support the full features available in ldap. During the initial stages of this attack, Akamai SIRT observed the following malicious cldap queries attempting to reflect ldap response data to various targets. Figure 4 contains the queries observed during an actual cldap reflection attack. These were sourced from a handful of servers (the intended targets) destined for a few ldap hosts. Using the same data payloads observed above, this query could be easily reproduced using a tool such as Scapy. Lab tests were conducted using a virtualized instance of Windows Server and Linux with Scapy. Sending the query from the Linux host to the Windows server initially produced no response. However, once the Windows server was setup as a domain controller, and began to listen on udp and tcp port 389, the following transaction was captured. 13:55:57.962697 IP X.X.X.X.57852 X.X.X.X.389: UDP, length 52 13:55:57.963784 IP X.X.X.X.33850 X.X.X.X.389: UDP, length 52 13:55:57.964392 IP X.X.X.X.47097 X.X.X.X.389: UDP, length 52 13:55:57.965226 IP X.X.X.X.47728 X.X.X.X.389: UDP, length 52 Figure 4: Malicious CLDAP queries sent to destination port 389. Only 52 bytes of data per query.
  • 5. Threat Advisory: CLDAP Reflection DDoS 5 The first 2 response payloads contained most of the data at a size of 1,472 bytes and 1,480 respectively. The last fragment contained the remaining 10 bytes. This is from a fresh instance of Windows Server 2012 r2, with no other option or setting adjustment. Other versions may produce different payload sizes.   Figure 5: CLDAP query packet. CLDAP Query Test and Response in a Lab Test 11:37:04.281079 IP linux_host.23424 windows_server.389: UDP, length 52 11:37:04.282207 IP windows_server.389 linux_host.23424: UDP, bad length 2962 1472 11:37:04.282223 IP windows_server linux_host: ip-proto-17 11:37:04.282227 IP windows_server linux_host: ip-proto-17 CLDAP Sample of Printable Response Text Packet 1 2[`0vdm0e0currentTime120170213163705.0Z0WsubschemaSubentry1CN=Aggregate,CN=Schema,CN=Configu- ration,DC=locallab,DC=local0 dsServiceName1zxCN=NTDS Settings,CN=WIN-U5K3VOF1HE3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,D- C=locallab,DC snip Packet 2 snip WIN-U5K3VOF1HE3.locallab.local0GldapServiceName10.locallab.local:win-u5k3vof1he3$@LOCALLAB.LOCAL0{ serverName1igCN=WIN-U5K3VOF1HE3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=locall ab,DC=local0supportedCapabilities11.2.840. 113556.1.4.8001.2.840.113556.1.4.16701.2.840.113556.1.4.17911.2.840. 113556.1.4.19351.2.840.113556.1.4.20801.2.840.113556.1.4.22370isSynchronized1TRUE0”isGlobalCatalogReady1TR UE0domainFunctionality160forestFunctionality160(domainControllerFunctionality160e Figure 6: CLDAP query to Windows 2012 server with 2,962 byte reply.
  • 6. Threat Advisory: CLDAP Reflection DDoS 6 The message size and contents can vary from what was observed during these attacks. This includes server configuration parameters and other settings. The observed reflection-based attacks are launched using so called “attack scripts”. These attack scripts are usually written using the c-programming language, and are very similar from one vector to another. In fact, there is minimal effort required to adapt one attack script to a completely different attack vector like cldap reflection. The options commonly available with these attack scripts are target_ip, target_port, list of reflectors, and time limit. When executed, the target ip becomes the source of all of the 52 byte query payloads. These are then sent rapidly to every server in the supplied reflector list. From there, the cldap servers do as they are designed and reply to the query. As a result, the target of this attack must deal with a flood of unsolicited cldap responses. 2.3 / Source Distribution / Combined with sources collected from both the Prolexic (plx) routed mitigation solution and Akamai perimeter firewall, a total of 7,629 unique cldap reflectors were observed in attacks. The largest concentration of these were located within the u.s. This is based only on sources collected during actual cldap reflection attacks. The usable pool of cldap reflectors is larger as revealed by internet scanning. Akamai sirt also conducted an internet- wide scan for hosts exposed to cldap reflection abuse. This scan resulted in a total of 78,531 unique ip responses. While not as high as the number of hosts available with other reflection vectors with cldap, almost every host is a usable reflector. Figure 7: CLDAP lab generated response payload of 2,962 bytes. Country Count Unites States 1,871 Germany 487 United Kingdom 484 France 436 Canada 376 Other 3,975 Figure 8: CLDAP reflector source country
  • 7. Threat Advisory: CLDAP Reflection DDoS 7 In fact, 78,071 of those hosts responded with more than 1,500 bytes of data. The range of response sizes was anywhere from 1 byte to the max observed in attacks of 3,662 bytes. All hosts combined averaged 2,693.67 bytes of response for a 51.8x amplification factor. 3.0 / Mitigation / Mitigation for cldap reflection begins with filtering of the port in question. The attack is fueled by the number of servers on the Internet with udp port 389 open and listening. Once a server is identified as a viable source for a cldap reflection attack, it will be added to a list of reflectors. Ingress filtering of the cldap port from the Internet will prevent discovery and subsequent abuse of this service. Most reflection methods, except dns and ntp, do not require these ports to be exposed. An alternative is to apply an ids rule, such as the snort rule below. This is specific to the requests observed so far but can be adapted to a more generic ldap search request. This rule is suitable for alerting rather than mitigating and is intended to provide an indicator of an attempt to use your systems as part of a cldap reflection attack. Country Count United States 17,980 Brazil 6,005 France 3,542 United Kingdom 3,495 Germany 3,426 China 3,177 Russian Federation 2,582 Canada 2,207 Colombia 2,072 India 1,987 Other 32,058 Figure 9: CLDAP unique source concentration by country. 2.4 / Top Countries With CLDAP Reflectors / (Internet Scan) ASN Count AS7922 2,787 AS16276 2,633 AS8075 2,443 AS18881 1,345 AS28573 1,122 AS4134 893 AS3215 884 AS8151 839 AS7018 825 AS24940 764 Other 64,302 Figure 10: CLDAP unique source centration by ASN. 2.5 / Top ASNs With CLDAP Reflectors / (Internet Scan) alert udp $EXTERNAL_NET any - $HOME_NET 389 (msg: “CLDAP DDoS Abuse request”; flow: to_server; content: “|30840000002d02010163840000002404000a01000a0100020100020100010100870b- 6f626a656374636c61737330840000000000|”; dsize:5252; classtype:Reflection-Abuse; sid: 201700001; rev:1;) Figure 11: Sample signature for detection of CLDAP abuse for potential reflectors.
  • 8. Threat Advisory: CLDAP Reflection DDoS 4.0 / Conclusion / udp based reflection attacks consistently comprise more than 50% of all attacks. With new vectors being discovered regularly and many persisting for years, it’s a problem that won’t likely go away anytime soon. One of the primary solutions, is filtering by the organizations hosting these services, and by Internet Service Providers (ISPs) providing home user Internet access. Unless there is a legitimate need for an organization to have cldap available over the Internet, there should be no reason to compound the DDoS reflection problem by exposing this protocol. External auditing policies are one means to provide reporting of services that can be potentially exploited as reflection attacks. For cldap, hosts aren’t in the millions, as initially discovered with other reflection vectors, but the amplification factor has been enough to produce significant attack bandwidth with fewer hosts. Based on similarities shared by udp reflection attack scripts, it is likely that cldap has been included, or will be included, into a full attack script, and integrated into the booter/stresser infrastructure. If it has yet to be included, we may have not seen the worse of these attacks. 5.0 / References / • https://www.scmagazine.com/zero-day-ddos-attack-vector-leverages-ldap-to-amplify- malicious-traffic/article/568309/ • https://packetstormsecurity.com/files/139561/LDAP-Amplication-Denial-Of-Service.html • https://tools.ietf.org/html/rfc1798 • https://msdn.microsoft.com/en-us/library/gg593144.aspx • https://www.us-cert.gov/ncas/alerts/TA14-017A Non-customers can submit inquiries through Akamai’s hotline at 1-877-425-2624, the contact form on our website at http://www.akamai.com/html/forms/sales_form.html, the chat function on our website at http://www.akamai.com/, or on Twitter @akamai. To access other white papers, threat advisories, and research publications, please visit our Security Research and Intelligence section on the Akamai Community. ©2017 Akamai Technologies, Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited. Akamai and the Akamai wave logo are registered trademarks. Other trademarks contained herein are the property of their respective owners. Akamai believes that the information in this publication is accurate as of its publication date; such information is subject to change without notice. Published 04/17. Akamai is headquartered in Cambridge, Massachusetts in the United States with operations in more than 57 offices around the world. Our services and renowned customer care are designed to enable businesses to provide an unparalleled Internet experience for their customers worldwide. Addresses, phone numbers and contact information for all locations are listed on www.akamai.com/locations. About Akamai® As the global leader in Content Delivery Network (cdn) services, Akamai makes the Internet fast, reliable and secure for its customers. The company’s advanced web performance, mobile performance, cloud security and media delivery solutions are revolutionizing how businesses optimize consumer, enterprise and entertainment experiences for any device, anywhere. To learn how Akamai solutions and its team of Internet experts are helping businesses move faster forward, please visit www.akamai.com or blogs.akamai.com, and follow @Akamai on Twitter.