CERT-Bund Reports:

Openly accessible LDAP servers

The Lightweight Directory Access Protocol (LDAP) is a networking protocol for accessing and maintaining distributed directory information services.

Problem

Openly accessible LDAP servers can be abused for DDoS reflection attacks against third parties. Furthermore, they allow potential attackers to gather information on the server or network for preparation of further attacks.

Verification

In this section, we show how to check a host for an openly accessible service. All tests are performed using tools commonly included with standard Linux/Unix distributions. To verify the service is openly accessible from the Internet, the test should not be run on the host itself or the local network but instead from a different node on the Internet, for example a host on a cable/DSL line. In all examples, replace 192.168.45.67 with the IP address of the host to check.

To check if an LDAP server is openly accessible from the Internet, you can use the 'ldapsearch' tool:

$ ldapsearch -x -h 192.168.45.67 -s base

An openly accessible LDAP server will return information like this:

dn:
currentTime: 20161227101121.0Z
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=DE
dsServiceName: CN=NTDS Settings,CN=SRV01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN,DC=DE
namingContexts: DC=MYDOMAIN,DC=de
namingContexts: CN=Configuration,DC=MYDOMAIN,DC=de
namingContexts: CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=de
defaultNamingContext: DC=MYDOMAIN,DC=de
schemaNamingContext: CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=de
configurationNamingContext: CN=Configuration,DC=MYDOMAIN,DC=de
rootDomainNamingContext: DC=MYDOMAIN,DC=de

Otherwise, ldapsearch will run into a timeout.
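The same check as a small script, added here as an example and not part of the CERT-Bund report: it builds the anonymous rootDSE SearchRequest that 'ldapsearch -x -s base' sends, decodes a SearchResultEntry reply, and reports a host as open only when an entry actually comes back (a timeout, a refused connection or an error result all count as not open). The function names, the 5-second timeout and the sample reply used for testing are assumptions of this example.

```python
import socket  # added example, not CERT-Bund's code; tags per RFC 4511 / X.690

def ber(tag, payload):
    """Encode one BER TLV (short-form length only, i.e. payload < 128 bytes)."""
    return bytes([tag, len(payload)]) + payload

def rootdse_search_request(msg_id=1):
    """Anonymous rootDSE query, equivalent to 'ldapsearch -x -s base'."""
    body = (ber(0x04, b"") + ber(0x0A, b"\x00") + ber(0x0A, b"\x00")       # base "", scope baseObject, never deref
            + ber(0x02, b"\x00") + ber(0x02, b"\x00") + ber(0x01, b"\x00")  # sizeLimit 0, timeLimit 0, typesOnly FALSE
            + ber(0x87, b"objectClass")                                    # present filter (objectClass=*)
            + ber(0x30, b""))                                              # empty list = all user attributes
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x63, body))        # LDAPMessage{id, [APPLICATION 3]}

def ber_read(buf, pos):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                          # long-form length: (ln & 0x7F) length bytes follow
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def parse_search_entry(msg):
    """Return (dn, {attr: [values]}) for a SearchResultEntry message, else None."""
    _, body, _ = ber_read(msg, 0)          # LDAPMessage SEQUENCE
    _, _, p = ber_read(body, 0)            # messageID (skipped)
    tag, entry, _ = ber_read(body, p)
    if tag != 0x64:                        # not [APPLICATION 4] SearchResultEntry,
        return None                        # e.g. SearchResultDone carrying an error code
    _, dn, p = ber_read(entry, 0)
    _, attrs, _ = ber_read(entry, p)
    out, p = {}, 0
    while p < len(attrs):                  # PartialAttributeList
        _, attr, p = ber_read(attrs, p)
        _, name, q = ber_read(attr, 0)
        _, vals, _ = ber_read(attr, q)
        out[name.decode()], r = [], 0
        while r < len(vals):               # SET OF AttributeValue
            _, v, r = ber_read(vals, r)
            out[name.decode()].append(v.decode(errors="replace"))
    return dn.decode(), out

def check_open_ldap(host, port=389, timeout=5.0):
    """The advisory's check: 'open' only if the host answers the anonymous rootDSE query with an entry."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(rootdse_search_request())
            reply = s.recv(65535)          # the rootDSE entry normally fits in one read
    except OSError:                        # refused, filtered or timed out
        return "not open"
    return "open" if reply and parse_search_entry(reply) else "not open"
```

Run it from a node outside your own network, as the report says, e.g. `check_open_ldap("192.168.45.67")`; a host that only returns a SearchResultDone with an error (anonymous access refused) is reported as not open.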

Solution

  • Restrict access to the LDAP server to trusted clients, e.g. by blocking incoming connections to ports 389/tcp and 389/udp on the firewall.
  • Use LDAP with StartTLS or LDAPS (LDAP over TLS/SSL), which provides secure, encrypted communication between clients and the LDAP server.

Further information