Internet Accessible LDAP Servers
Description
The Lightweight Directory Access Protocol (LDAP) is a lightweight client-server protocol that runs over TCP/IP or other connection oriented transfer services. It is used for accessing and maintaining directory information services. The core functionality of LDAP lies in the interaction between the client and the LDAP server. When a client makes a request to the LDAP server, the request is sent to the LDAP server; the server processes the entire transaction and then sends the results of the transaction back to the client. This is different from other protocols where the server and the client may communicate several times during the course of one transaction. In the default configuration.
LDAP listens on port 389/TCP or port 389/UDP.
Problem
A server that uses connectionless LDAP (CLDAP), a variant of LDAP that uses UDP as its transport protocol, and which is openly accessible on the Internet may be abused for a Distributed Denial-of-Service (DRDoS) Reflection/Amplification attack against a third party. Extremely high amplification factors can be achieved by combining the functionality of both UDP and LDAP to amplify the amount of attack traffic which poses a serious security threat.
LDAP is used by attackers to perform reconnaissance or recon, the process of investigating and identifying weak spots in an organization’s network. Mapping an organisation’s attack surface and analyzing the domain for critical data, misconfiguration’s or system vulnerabilities, helps attackers plan their attacks and establish a foothold that eventually leads to compromise.
An attacker can, on successfully binding to a LDAP Server, launch a Brute Force or Credential Stuffing attack using the automated injection of stolen username and password pairs in order to gain unauthorized access to user accounts. Using automation tools, large numbers of compromised credentials are automatically entered into an application until success is achieved. Once account takeover is achieved, account data can be stolen, fraudulent transaction initiated, or the account can be used for other criminal activities. An important enabler for credential stuffing is the tendency of users to reuse passwords across more than one application.
Verification
To establish if a host has an openly accessible service on the Internet, utility programs included with a standard Linux/Ubuntu distribution can be used. The test should not be run on the host itself or from the local network but instead from a different node on the Internet.
To confirm if a LDAP server is openly accessible from the internet, the utility program ldapsearch can be used as follows:
In the following example, replace the TARGET_IP with the IP address of the LDAP host. $ ldapsearch -x -h TARGET_IP -s base
An openly accessible LDAP server will return information on the Active Directory service similar in format to the following output:
currentTime: 20200220105711.0ZsubschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=Domain,DC=comdsServiceName: CN=NTDS Settings,CN=SERVERNAME,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain,DC=com namingContexts: DC=Domain,DC=comnamingContexts: CN=Configuration,DC=Domain,DC=comnamingContexts: CN=Schema,CN=Configuration,DC=Domain,DC=comdefaultNamingContext: DC=Domain,DC=com schemaNamingContext: CN=Schema,CN=Configuration,DC=Domain,DC=comconfigurationNamingContext: CN=Configuration,DC=Domain,DC=comrootDomainNamingContext: DC=Domain,DC=com
Otherwise, ldapsearch will timeout.
Note: In the example above, only default Active Directory settings are displayed for security reasons.
Solution
On the firewall, restrict access to the LDAP server to trusted clients by blocking incoming connections to port 389/TCP and port 389/UDP.
LDAP transmits communications in clear text. Credentials are passed over the network unencrypted. The implementation of StartTLS (LDAP over TLS) or LDAPS (LDAP over TLS/SSL) provides secure and encrypted communication between client and LDAP server.
Additional information on StartTLS and LDAPS
StartTLS in an extension to the LDAP protocol which uses the Transport Layer Security (TLS) protocol to encrypt communication. A normal unsecured connection is first established between client and LDAP server before a handshake negotiation is carried out. The LDAP server sends its certificate to the client to prove its identity before the secure connection is established. StartTLS is primarily intended as a countermeasure to passive monitoring.
LDAPS is the non-standardized LDAP protocol which uses the Secure Socket Layer (SSL) protocol to communication over secure port 636/TCP. A secure connection is first established before there is any communication with the LDAP server. To enable LDAPS, you must install a SSL certificate.
Supplementary Information
Ingress & Egress Filtering
Filter | Description |
---|---|
Ingress Filtering | Ingress filtering is a simple and effective method to limit the impact of DoS attacks, by denying traffic with a forged IP source address (IP spoofing) access to the network, and to help ensure that traffic is traceable to its correct network. |
Egress Filtering | Egress filtering limits the impact of a compromised network in a Denial of Service (DoS) attack on networks of other organisations, by preventing traffic with a forged source (spoofed) IP address from leaving the network.Port used for remote syslog capture |
The implementation of best practice in relation to Ingress filtering limits the impact of a Denial
of Service (DoS) attack on one's own network while the implementation of best practice in relation to
Egress filtering limits the impact of a compromised network in a Denial of Service (DoS) attack on
networks of other organisations. Additional information on Ingress & Egress Filtering can be found
at the following link -
Ingress & Engress Filtering
UDP Based Denial-of-Service (DoS) Attack
The User Datagram Protocol (UDP), a generic carrier for several higher-level protocols, has a
number of properties that makes it susceptible to exploitation for DoS attacks against third parties.
Additional information on the components and techniques deployed in an UDP based DoS attack can be found
at the following link -
UDP Based Denial-of-Service (DoS) Attack