Tag Archives: ddos news

DDoS still the mainstay of Aussie cyber crime

New study finds denial of service still king despite ransomware rise. Distributed Denial of Service (DDoS) attacks are still the tool of choice for cybercriminals targeting Australian organisations despite the recent influx of ransomware. The study from NTT Group found that 22 per cent of all attacks targeting Australia were related to denial of service. This was only topped by service specific attacks at 23 per cent and was above website application attacks at 20 per cent. Locally, three industries were targeted in 81 per cent of all attacks, finance at 34 per cent, retail at 27 per cent and followed by business and professional services at 20 per cent. The study found that more than 93 per cent of malware detected in the country was some form of Trojan. Ransomware falls into the Trojan family and is the most prevalent form of malware attack in Australia. The country is also experiencing a change in attacks on applications according to the report with over 70 per cent of application attacks against local companies attempting remote code execution. The study analysed data collected from NTT Group’s operating companies, including NTT Security, Dimension Data, NTT Communications and NTT Data, and data from the Global Threat Intelligence Center (formerly known as SERT), between 1 October 2015 and 31 September 2016. The combined entities have a view of more than 40 per cent of global internet traffic. The report backed up findings from similar studies which showed ransomware is now the most prevalent form of cybercrime. Further, the study found that 77 per cent of ransomware analysed was targeting one of four market sectors. These Included: business and professional services (28 per cent); government (19 per cent), health care (15 per cent) and retail (15 per cent). The report also found that despite attention being paid to attacks on newer vulnerabilities, many cyber criminals rely on less technical means to achieve their objectives. The phishing email is still by far the dominant method for malware delivery, responsible for 73 per cent of all malware delivered to organisations, with government (65 per cent) and business and professional services (25 per cent) as the industry sectors most likely to be attacked at a global level. In terms of phishing attacks by country, the US leads the pack at 41 per cent, closely followed by The Netherlands with 38 per cent. France was in third place well behind the top two with 5 per cent. For industry specific attacks, finance was the most commonly attacked industry globally, subject to 14 per cent of all attacks. The finance sector was the only sector to appear in the top three across all geographic regions analysed, while manufacturing appeared in the top three in five of the six regions. Government (14 per cent) and manufacturing (13 per cent ) were the next two most commonly attacked industry sectors. “Our end goal is not to create fear, uncertainty and doubt or to over-complicate the current state of the threat landscape, but to make cybersecurity interesting and inclusive for anyone facing the challenges of security attacks, not just security professionals,” NTT Security Vice President Threat Intelligence & Incident Response, Steven Bullitt, said. “We want to ensure everyone is educated about these issues and understands that they have a personal responsibility when it comes to the protection of their organisation, and that the organisation has an obligation to help them do so,” he said. Source: https://www.arnnet.com.au/article/618243/ddos-still-mainstay-aussie-cyber-crime/

Link:
DDoS still the mainstay of Aussie cyber crime

8 DDoS Attacks That Made Enterprises Rethink IoT Security

Distributed Denial of Service Disasters The overall frequency of distributed denial of service (DDoS) attacks increased in 2016 thanks, in part, to Internet of Things botnets, according to information service provider Neustar. The company said it mitigated 40 percent more DDoS attacks from January through November, compared to the year earlier. Neustar warned that as botnet code assemblies are published, dangerous new DDoS developments will continue to emerge, such as persistent device enrollment, which enables botnet operators to maintain control of a device even after it’s rebooted. From colleges to entire U.S. regions, here are eight situations where vulnerable IoT devices brought down networks. DDoS Attack Affects U.S. College For 54 Hours A distributed denial of service attack on a college in February, recently made public by security firm Incapsula, affected that institution’s network for 54 hours straight. Incapsula recently revealed the attack, noting that the attackers seemed adept at launching application layer assaults on vulnerable IoT devices. “Based on a number of signature factors, including header order, header values and traffic sources, our client classification system immediately identified that the attack emerged from a Mirai-powered botnet,” according to an Incapsula spokesperson in a blog post. “Our research showed that the pool of attacking devices included those commonly used by Mirai, including CCTV cameras, DVRs and routers.” DDoS Attack Takes Down Netflix, Twitter An October DDoS attack – which was launched through IoT devices and blocked an array of websites – deepened the industry’s concerns over the security risk of the Internet of Things. The denial of service attack was launched through Internet of Things consumer devices, including webcams, routers and video recorders, to overwhelm servers at Dynamic Network Services (Dyn) and led to the blockage of more than 1,200 websites. The attack on Dyn, which connects users to websites such as Twitter and Netflix, came from tens of millions of addresses on devices infected with malicious software codes, knocking out access by flooding websites with junk data. DDoS Attack Through Vending Machines Hits University Verizon’s preview of its 2017 Data Breach Digest in February revealed that an unnamed university was hit by a DDoS attack launched through vending machines, lights, and 5,000 other IoT devices. According to Verizon, an incident commander noticed that “name servers, responsible for Domain Name Service (DNS) lookups, were producing high-volume alerts and showed an abnormal number of sub-domains related to seafood.” While administrators were locked out, the university intercepted “the clear text password for a compromised IoT device over the wire and then use that information to perform a password change before the next malware update.” DDoS Attacks Attempted Against Campaign Websites of Hillary Clinton And Donald Trump According to security firm Flashpoint, hackers attempted four Mirai botnet DDoS attacks in November against the campaign websites of Hillary Clinton and Donald Trump. According to Flashpoint, the company observed a 30-second HTTP Layer 7 (application layer) attack against Trump’s website, while the next day, it saw attacks against both Trump and Clinton’s campaign sites. While attacks were attempted, neither website observed or reported outages. “Flashpoint assesses with moderate confidence that the Mirai botnet has been fractured into smaller, competing botnets due to the release of its source code, which has led to the proliferation of actors exploiting the botnet’s devices,” a spokesperson wrote on Flashpoint’s website. BBC Domain Downed By By DDoS Attack On New Year’s Eve 2016, the BBC’s website was hit by a DDoS attack that downed its entire domain – including on-demand television and radio player – for more than three hours. While BBC originally said that it was undergoing a technical issue, the broadcaster’s news organization later said the outage was a result of a DDoS attack, according to “sources within the BBC.” Russian Banks Hit With Waves Of DDoS Attacks In November, at least five Russian banks, including Sberbank and Alfabank banks, were the victims of prolonged DDoS attacks that lasted over two days. According to Security Affairs, the attack came from a wide-scale botnet involving up to 24,000 computers and IoT devices that were located in 30 countries. The banks’ online clients services were not disrupted. According to security firm Kaspersky Lab, the incident was the first time that massive DDoS attacks hit Russian banks in 2016. Rio Olympics Organizations Hit By DDoS Attack Staged By LizardStresser Arbor Networks’ security engineering and response team revealed in a statement that several organizations affiliated with the Olympics came under “large-scale volumetric” DDoS attacks beginning in September 2015. “A large proportion of the attack volume consisted of UDP reflection and amplification attack vectors such as DNS, chargen, ntp, and SSDP, along with direct UDP packet-flooding, SYN-flooding, and application-layer attacks targeting Web and DNS services,” said Arbor Networks in a statement. According to Arbor Networks, a DDoS-for-hire service, called LizardStresser, staged most of the pre-Olympic attacks. Despite the attacks, Arbor Networks performed several mitigation measures to help Olympics administrators keep their systems running. Brian Krebs’ Website Experienced DDoS Attack In September 2016, security investigative reporter Brian Krebs’ information blog experienced a DDoS attack. The attack reportedly placed peak traffic at around 620 Gbps. Krebs determined a Mirai botnet was responsible for the attack: “The source code that powers the IoT botnet responsible for launching the historically large DDoS attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices,” he stated on his blog. “My guess is that (if it’s not already happening) there will soon be many Internet users complaining to their ISPs about slow Internet speeds as a result of hacked IoT devices on their network hogging all the bandwidth. On the bright side, if that happens it may help to lessen the number of vulnerable systems,” said Krebs in the blog post. Source: http://www.crn.com/slide-shows/internet-of-things/300084663/8-ddos-attacks-that-made-enterprises-rethink-iot-security.htm

Original post:
8 DDoS Attacks That Made Enterprises Rethink IoT Security

Brit behind Titanium Stresser DDoS malware sent to chokey

20-year-old Herts man slapped with two years’ stripey suntan time A Hertfordshire man has been jailed for two years after netting nearly £400,000 from the malware he wrote as a 15-year-old student.…

See more here:
Brit behind Titanium Stresser DDoS malware sent to chokey

How can you prepare for a cyber attack?

Keeping your data secure is more important than ever, but it seems like there’s a new wide-scale data breach every other week. In this article, David Mytton discusses what developers can do to prepare for what’s fast becoming inevitable. Cyber security isn’t something that can be ignored anymore or treated as a luxury concern: recent cyber attacks in the UK have shown that no one is immune. The stats are worrying – in 2016, two thirds of large businesses had a cyber attack or breach, according to Government research. Accenture paints a bleaker picture suggesting that two thirds of companies globally face these attacks weekly, or even daily. According to the Government’s 2016 cyber security breaches survey, only a third of firms have cyber security policies in place and only 10% have an emergency plan. Given management isn’t handling the threat proactively, developers and operations specialists are increasingly having to take the initiative on matters of cybersecurity. This article covers some essential priorities developers should be aware of if they want their company to be prepared for attack. Know your plan There’s no predicting when a cyber attack might come, whether it be in the form of a DDoS, a virus, malware or phishing. It’s therefore important to be constantly vigilant, and prepared for incidents when they do occur. Senior leadership in your company should be proactive when laying out a plan in the event of an attack or other breach, however this might not always be the case. No matter what your position is within your company, there are preemptive actions you can take on a regular basis to ensure that you’re adequately prepared. If you’re in an Ops team, make sure you’re encouraging your team to test your backups regularly. There’s little use having backups if you’re unable to actually restore from them, as GitLab learned to their detriment earlier in the year. Use simulations and practice runs to ensure that everyone on your team knows what they’re doing, and have a checklist in place for yourself and your colleagues to make sure that nothing gets missed. For example, a DDoS attack may begin with a monitoring alert to let you know your application is slow. Your checklist would start with the initial diagnostics to pinpoint the cause, but as soon as you discover it is a DDoS attack then the security response plan should take over. If you happen to be on-call, make sure you’ve got all the tools you need to act promptly to handle the issue. This might involve letting your more senior colleagues know about the issue, as well as requesting appropriate assistance from your security vendors. Communication is always one of the deciding factors in whether a crisis can be contained effectively. As a developer or operations specialist, it’s important to be vocal with your managers about any lack of clarity in your plan, and ensure that there are clear lines of communication and responsibility so that, when the worst does occur, you and your colleagues feel clear to jump into action quickly. Remember your limits It might sound obvious, but it’s worth remembering: in a cyber attack or catastrophic incident, there is only so much you yourself can do. Too many developers and operations staff fall prey to a culture of being ‘superheroes’, encouraged (often through beer and pizza) to stay as late as they can and work as long as possible on fixes to particular issues. The truth is, humans make mistakes. Amazon’s recent AWS S3 outage is a good example: swathes of the internet were taken offline due to one typo. If you’re on-call while a cyber attack occurs there’s no denying you’re likely to work long hours at odd times of the day, and this can put a real strain on you, both mentally and physically. This strain can make it much harder for you to actually concentrate on what you’re doing, and no amount of careful contingency planning can compensate for that. At Server Density we’re keenly aware that employee health and well being is critical to maintaining business infrastructure, especially in the event of a crisis. That’s why we support movements like HumanOps, which promote a wider awareness of the importance of employee health, from the importance of taking regular breaks to ergonomic keyboards. All too often people working in IT forget that the most business-critical hardware they look after isn’t servers or routers, it’s the health and well being of the people on the front lines looking after these systems. Cyber attacks are stressful on everyone working in an organisation, and the IT teams take the brunt of the strain. However, with careful planning, clear lines of delegation and an appreciation of the importance of looking after each other’s health, developers and operations specialists should be able to weather the storm effectively and recover business assets effectively. Source: https://jaxenter.com/can-prepare-cyber-attack-133447.html

Read More:
How can you prepare for a cyber attack?

Locky ransomware makes a comeback, courtesy of Necurs botnet

The Necurs botnet has, once again, begun pushing Locky ransomware on unsuspecting victims. The botnet, which flip-flops from sending penny stock pump-and-dump emails to booby-trapped files that lead to malware (usually Locky or Dridex), has been spotted slinging thousand upon thousand of emails in the last three or four days. “Talos has seen in excess of 35K emails in the last several hours associated with this newest wave of Locky,” Cisco Talos researchers noted on … More ?

Continued here:
Locky ransomware makes a comeback, courtesy of Necurs botnet

Linksys Routers Vulnerable to DDoS Attack

Flaws in the routers’ firmware could let hackers access configuration settings and execute remote commands. Linksys said it’s working on a patch. Linksys this week identified several vulnerabilities in its router firmware that allow hackers to bypass authentication and perform denial of service (DDoS) attacks. The company said it is working on a fix for the vulnerabilities, which were discovered by security researchers at IOActive in January and affect more than two dozen models of Linksys wireless routers in the WRT and EAxxx series. IOActive found 10 separate issues in the Linksys firmware, including high-risk vulnerabilities that could let hackers exploit routers using default credentials to log in, view router settings, and execute remote commands. “Two of the security issues we identified allow unauthenticated attackers to create a Denial-of-Service (DoS) condition on the router,” IOActive researcher Tao Sauvage wrote in a blog post. “By sending a few requests or abusing a specific API, the router becomes unresponsive and even reboots. The Admin is then unable to access the web admin interface and users are unable to connect until the attacker stops the DoS attack.” The vulnerabilities, which are similar to those found in many other Internet of Things (IoT) devices, are particularly worrisome because they could be used in future attacks of the sort that took large swaths of the internet offline for several hours last fall. Sauvage said that “11 percent of the active devices exposed were using default credentials, making them particularly susceptible to an attacker easily authenticating and potentially turning the routers into bots, similar to what happened in last year’s Mirai Denial of Service (DoS) attacks.” Linksys published a full list of the router models that are affected, and suggested that owners change the default password for their administrator account. The company said it is working to provide a firmware update for all of the affected models, but didn’t offer details on when it would be ready. Source: http://www.pcmag.com/news/353228/linksys-routers-vulnerable-to-ddos-attacks

View post:
Linksys Routers Vulnerable to DDoS Attack

Should we worry the general election will be hacked?

“Brexit vote site may have been hacked” warned the headlines last week after a Commons select committee published its report into lessons learned from the EU referendum. The public administration and constitutional affairs committee (Pacac) said that the failure of the voter registration website, which suffered an outage as many people tried to sign to vote up at the last minute in 2016, “had indications of being a DDoS ‘attack’”. It said it “does not rule out the possibility that the crash may have been caused … using botnets”. In the same paragraph it mentioned Russia and China. It said it “is deeply concerned about these allegations about foreign interference”. With a general election just seven weeks away, how worried should we be about foreign interference this time round? Labour MP Paul Flynn, who sits on the Pacac, certainly thinks we should be worried – although closer inspection of the report finds that, beyond the headlines, there’s a startling lack of evidence for those particular fears. In reality, a DDoS – “distributed denial of service” – attack is the bombarding of a server with requests it can’t keep up with, causing it to fail. Not only is it not actually hacking at all, but it also looks rather similar to when a lot of people at once try to use a server that doesn’t have the capacity. Given the history of government IT projects, some might favour this more prosaic explanation of why the voter registration website went offline. And that’s just what the Cabinet Office did say: “It was due to a spike in users just before the registration deadline. There is no evidence to suggest malign intervention.” So perhaps we shouldn’t fear that kind of attack, but hacking elections takes many forms. The University of Oxford’s Internet Institute, found a huge number of Twitter bots posting pro-Leave propaganda in the run up to the EU referendum. At least, that was how it was widely reported. The actual reportreveals the researchers can’t directly identify bots – they just assume accounts that tweet a lot are automated – and admit “not all of these users or even the majority of them are bots”. But the accuracy, or inaccuracy, of the research aside, there’s a bigger issue. What the Oxford Internet Institute never says is that there’s no evidence bots tweeting actually affects how anyone votes. Bots generally follow people – we’re all used to those suggestive female avatars in our notifications feeds – but people don’t really follow bots back. So when they push out propaganda, is there anyone there to see it? Of course, en masse, those bots can affect the trending topics. But getting “#Leave” trending is not the same as controlling the messaging around it, and Twitter’s algorithm explicitly tries to mitigate against such gaming of the system. And again there’s the question: who looks at tweets via the trending topics tab anyway (except perhaps journalists looking for something to pad out a listicle)? Fake news, the last of the unholy trinity, is a harder problem. We know it exists, and we know it gets in front of many people via social media sites like Facebook. We don’t really know how much it affects people and how much people see it for what it is – but the history of untrue stories in the tabloid press on topics like migration does lend weight to the idea that fake news can influence opinion. What is and isn’t fake news is a contested field. At one end of the spectrum, mainstream publications report inaccurate stories about flights full of Romanians and Bulgarians heading for the UK. At the other, teenagers in Macedonia run pro-Trump websites where the content is pure invention. Most would agree the latter is fake news, even if not the former. But this is a different problem to DDoS attacks or bot armies. The Macedonian teens aren’t ideologically driven by wanting Trump in the White House, they’re motivated by the advertising revenue their well-shared stories can earn. Even when fake news is created for propaganda rather than profit, there’s rarely a shadowy overlord pulling the strings – and bad reporting is some distance away from hacking the election. While there’s a strong case that foreign actors have tried to influence elections in other countries – such as the DNC hack in the US – we probably don’t need to worry unduly about cyberattacks swinging the UK election. Besides: why would a foreign state bother? We’ve already got a divided country struggling with its own future without any need for outside interference. Source: https://www.theguardian.com/technology/2017/apr/20/uk-general-election-2017-hacking-ddos-attacks-bots-fake-news

More:
Should we worry the general election will be hacked?

Flaws found in Linksys routers that could be used to create a botnet

Engineers working on firmware updates Multiple models of Linksys Smart Wi-Fi Routers have vulnerabilities that might be exploited to create a botnet, security researchers at IOActive warn.…

See original article:
Flaws found in Linksys routers that could be used to create a botnet

IoT malware clashes in a botnet territory battle

The Hajime malware is competing with the Mirai malware to enslave some IoT devices Mirai — a notorious malware that’s been enslaving IoT devices — has competition. A rival piece of programming has been infecting some of the same easy-to-hack internet-of-things products, with a resiliency that surpasses Mirai, according to security researchers. “You can almost call it Mirai on steroids,” said Marshal Webb, CTO at BackConnect, a provider of services to protect against distributed denial-of-service (DDoS) attacks. Security researchers have dubbed the rival IoT malware Hajime, and since it was discovered more than six months ago, it’s been spreading unabated and creating a botnet. Webb estimates it’s infected about 100,000 devices across the globe. These botnets, or networks of enslaved computers, can be problematic. They’re often used to launch massive DDoS attacks that can take down websites or even disrupt the internet’s infrastructure. That’s how the Mirai malware grabbed headlines last October. A DDoS attackfrom a Mirai-created botnet targeted DNS provider Dyn, which shut down and slowed internet traffic across the U.S. Hajime was first discovered in the same month, when security researchers at Rapidity Networks were on the lookout for Mirai activity. What they found instead was something similar, but also more tenacious. Like Mirai, Hajime also scans the internet for poorly secured IoT devices like cameras, DVRs, and routers. It compromises them by trying different username and password combinations and then transferring a malicious program. However, Hajime doesn’t take orders from a command-and-control serverlike Mirai-infected devices do. Instead, it communicates over a peer-to-peernetwork built off protocols used in BitTorrent, resulting in a botnet that’s more decentralized — and harder to stop. “Hajime is much, much more advanced than Mirai,” Webb said. “It has a more effective way to do command and control.” Broadband providers have been chipping away at Mirai-created botnets, by blocking internet traffic to the command servers they communicate with. In the meantime, Hajime has continued to grow 24/7, enslaving some of the same devices. Its peer-to-peer nature means many of the infected devices can relay files or instructions to rest of the botnet, making it more resilient against any blocking efforts. Hajime infection attempts (blue) vs Mirai infection attempts (red), according to a honeypot from security researcher Vesselin Bontchev. Who’s behind Hajime? Security researchers aren’t sure. Strangely, they haven’t observed the Hajime botnet launching any DDoS attacks — which is good news. A botnet of Hajime’s scope is probably capable of launching a massive one similar to what Mirai has done. “There’s been no attribution. Nobody has claimed it,” said Pascal Geenens, a security researcher at security vendor Radware. However, Hajime does continue to search the internet for vulnerable devices. Geenens’ own honeypot, a system that tracks botnet activity, has been inundated with infection attempts from Hajime-controlled devices, he said. So the ultimate purpose of this botnet remains unknown. But one scenario is it’ll be used for cybercrime to launch DDoS attacks for extortion purposes or to engage in financial fraud. “It’s a big threat forming,” Geenens said. “At some point, it can be used for something dangerous.” It’s also possible Hajime might be a research project. Or in a possible twist, maybe it’s a vigilante security expert out to disrupt Mirai. So far, Hajime appears to be more widespread than Mirai, said Vesselin Bontchev, a security expert at Bulgaria’s National Laboratory of Computer Virology. However, there’s another key difference between the two malware. Hajime has been found infecting a smaller pool of IoT devices using ARM chip architecture. That contrasts from Mirai, which saw its source code publicly released in late September. Since then, copycat hackers have taken the code and upgraded the malware. Vesselin has found Mirai strains infecting IoT products that use ARM, MIPS, x86, and six other platforms. That means the clash between the two malware doesn’t completely overlap. Nevertheless, Hajime has stifled some of Mirai’s expansion. “There’s definitely an ongoing territorial conflict,” said Allison Nixon, director of security research at Flashpoint. To stop the malware, security researchers say it’s best to tackle the problem at its root, by patching the vulnerable IoT devices. But that will take time and, in other cases, it might not even be possible. Some IoT vendors have released security patches for their products to prevent malware infections, but many others have not, Nixon said. That means Hajime and Mirai will probably stick around for a long time, unless those devices are retired. “It will keep going,” Nixon said. “Even if there’s a power outage, [the malware] will just be back and re-infect the devices. It’s never going to stop.” Source: http://www.itworld.com/article/3190181/security/iot-malware-clashes-in-a-botnet-territory-battle.html

Continue reading here:
IoT malware clashes in a botnet territory battle

CLDAP reflection attacks may be the next big DDoS technique

Security researchers discovered a new reflection attack method using CLDAP that can be used to generate destructive but efficient DDoS campaigns. DDoS campaigns have been growing to enormous sizes and a new method of abusing CLDAP for reflection attacks could allow malicious actors to generate large amounts of DDoS traffic using fewer devices. Jose Arteaga and Wilber Majia, threat researchers for Akamai, identified attacks in the wild that used the Connection-less Lightweight Directory Access Protocol(CLDAP) to perform dangerous reflection attacks. “Since October 2016, Akamai has detected and mitigated a total of 50 CLDAP reflection attacks. Of those 50 attack events, 33 were single vector attacks using CLDAP reflection exclusively,” Arteaga and Majia wrote. “While the gaming industry is typically the most targeted industry for [DDoS] attacks, observed CLDAP attacks have mostly been targeting the software and technology industry along with six other industries.” The CLDAP reflection attack method was first discovered in October 2016 by Corero and at the time it was estimated to be capable of amplifying the initial response to 46 to 55 times the size, meaning far more efficient reflection attacks using fewer sources. The largest attack recorded by Akamai using CLDAP reflection as the sole vector saw one payload of 52 bytes amplified to as much as 70 times the attack data payload (3,662 bytes) and a peak bandwidth of 24Gbps and 2 million packets per second. This is much smaller than the peak bandwidths of more than 1Tbps seen with Mirai, but Jake Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga., said this amplification factor can allow “a user with low bandwidth [to] DDoS an organization with much higher bandwidth.” “CLDAP, like DNS DDoS, is an amplification DDoS. The attacker has relatively limited bandwidth. By sending a small message to the server and spoofing the source, the server responds to the victim with a much larger response,” Williams told SearchSecurity. “You can only effectively spoof the source of connectionless protocols, so CLDAP is obviously at risk.” Arteaga and Majia said enterprises could limit these kinds of reflection attacks fairly easily by blocking specific ports. “Similarly to many other reflection and amplification attack vectors, this is one that would not be possible if proper ingress filtering was in place,” Arteaga and Majia wrote in a blog post. “Potential hosts are discovered using internet scans, and filtering User Datagram Protocol destination port 389, to eliminate the discovery of another potential host fueling attacks.” Williams agreed that ingress filtering would help and noted that “CLDAP was officially retired from being on the IETF standards track in 2003” but enterprises using Active Directory need to be aware of the threat. “Active Directory supports CLDAP and that’s probably the biggest reason you’ll see a CLDAP server exposed to the internet,” Williams said. “Another reason might be email directory services, though I suspect that is much less common.” Source: http://searchsecurity.techtarget.com/news/450416890/CLDAP-reflection-attacks-may-be-the-next-big-DDoS-technique

Read more here:
CLDAP reflection attacks may be the next big DDoS technique