The problem with a new, zero-day amplification vector like LDAP is that it isn't diffused, said Dave Larson, CTO of Corero Network Security. Since only a small number of attackers know about it, they can use the full capacity of these exposed LDAP servers to launch attacks. That's not the case with DNS servers, for example, which have been mapped and are used for reflection and amplification by many attackers at the same time, limiting the size of their individual attacks, he explained.
Another factor is that blacklists already exist for DNS, NTP and other types of servers that have been abused repeatedly in DDoS attacks. Such lists likely don't exist yet for LDAP servers.
The size of DDoS attacks has reached unprecedented levels in recent months, partially because of large numbers of compromised internet-of-things devices. Last month, the blog of cybersecurity reporter Brian Krebs was hit with a 620Gbps DDoS attack launched from a botnet of thousands of hacked routers, IP cameras and digital video recorders. A few days later, French hosting company OVH was hit with a 799Gbps attack from a similar botnet.
Last week, a DDoS attack launched against managed DNS provider Dynamic Network Services (Dyn) rendered many popular websites inaccessible to users on the U.S. East Coast.
Corero's Larson believes that increasing numbers of insecure IoT devices combined with new amplification vectors could lead to multiterabit attacks over the next year and even attacks that reach 10Tbps in the future.