Industry Sector: Education
Attack Methodology: DDoS Attack (LDAP)
In this case study we take a look at a school that suffered a sustained Distributed Denial of Service (DDoS) attack over a few days.
The school in question was subject to repeated DDoS attacks against their network, specifically identified as an LDAP attack.
LDAP (Lightweight Directory Access Protocol) is a widely used protocol for directory services on corporate and commercial networks.
A DDoS reflection attack is the practice of sending requests using a spoofed source IP address to various servers on the internet, which in turn will direct their responses to the spoofed address instead of the real sender. The spoofed IP address is that of the intended victim - in this case the school.
The use of the LDAP protocol is detrimental to the victim because of traffic amplification: small queries made by the attacker produce much larger responses from the reflecting internet servers, which in turn flood the victim.
From a forensic point of view
Unfortunately, scrutinizing the log files for the source IPs doesn't always offer a viable line of investigation, as those sources may well be unsuspecting internet services exposing LDAP on port 389 rather than the attacker.
The school's perimeter firewalls and web filter hosts were being targeted, effectively leaving the school unable to connect to the internet.
During these periods, log data showed spikes of between 400 and 700 Mbps; the school's line was only capable of around 10 Mbps.
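A defender-side check for the pattern described above, added here as an example and not taken from the case study: it flags inbound UDP/389 responses that the school's edge never requested, lists the abused servers (so their owners or the ISP can be notified, since they are not the attacker) and compares the inbound rate with the 10 Mbps line. The flow records, IP ranges and the reflector threshold are constructed.

```python
"""Flag unsolicited LDAP (UDP/389) responses arriving at a network edge.
Added example, not from the case study. Flow records are constructed, one per
line: epoch_seconds src_ip src_port dst_ip dst_port proto bytes"""
from collections import defaultdict

LDAP_PORT = 389
LINK_CAPACITY_MBPS = 10.0   # the school's line, as stated in the case study
MIN_REFLECTORS = 3          # hypothetical threshold for calling it a reflection flood

SAMPLE_FLOWS = """\
1000 203.0.113.10 389 198.51.100.1 40001 UDP 900000
1000 203.0.113.11 389 198.51.100.1 40002 UDP 850000
1001 203.0.113.12 389 198.51.100.1 40003 UDP 920000
1001 203.0.113.13 389 198.51.100.1 40004 UDP 880000
1000 198.51.100.2 50000 203.0.113.20 389 UDP 120
1001 203.0.113.20 389 198.51.100.2 50000 UDP 3000
1001 192.0.2.50 443 198.51.100.1 51000 TCP 1500
"""

def parse_flows(text):
    rows = [line.split() for line in text.strip().splitlines()]
    return [(int(t), s, int(sp), d, int(dp), pr, int(b)) for t, s, sp, d, dp, pr, b in rows]

def detect_ldap_reflection(flows, victim_prefix):
    """Per victim host: reflector IPs, inbound rate in Mbps, and a saturation flag.
    An inbound UDP flow from source port 389 is solicited only if the victim host
    itself sent UDP to that server's port 389 from the same local port earlier.
    Replies to spoofed requests have no such counterpart."""
    requested = set()                        # (victim_ip, victim_port, server_ip)
    stats = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    window_s = max(f[0] for f in flows) - min(f[0] for f in flows) + 1
    for ts, sip, sport, dip, dport, proto, nbytes in sorted(flows):
        if proto != "UDP":
            continue
        if sip.startswith(victim_prefix) and dport == LDAP_PORT:
            requested.add((sip, sport, dip))  # our own query; its reply is legitimate
        elif dip.startswith(victim_prefix) and sport == LDAP_PORT:
            if (dip, dport, sip) in requested:
                continue
            stats[dip]["reflectors"].add(sip)  # reflectors are abused servers, not the attacker
            stats[dip]["bytes"] += nbytes
    report = {}
    for victim, s in stats.items():
        mbps = s["bytes"] * 8 / window_s / 1e6
        report[victim] = {"reflectors": sorted(s["reflectors"]), "mbps": round(mbps, 1),
                          "saturates_link": mbps > LINK_CAPACITY_MBPS
                          and len(s["reflectors"]) >= MIN_REFLECTORS}
    return report
```

On the constructed sample, only the firewall at 198.51.100.1 is reported: four reflectors, 14.2 Mbps inbound over the two-second window, link saturated; the legitimate query/reply pair for 198.51.100.2 is not counted.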
The school had been in regular communication with its Internet Service Provider, which had repeatedly renewed the school's allocated IPs. It was noted that the IPs of two of the firewalls were the ones being targeted, sometimes mere hours after an IP had changed.
Any traffic leaving the school's network would pass through one of those filters (load balancing on the servers routed traffic to the least busy one).
It was speculated that someone inside the network could have been learning the updated IP addresses and redirecting the attack accordingly. One step suggested in this instance was to disable the student BYOD network, a measure that educational establishments could consider if faced with a similar situation.
Points to consider
DDoS attacks are often carried out for motivations other than financial gain (e.g. 'hacktivism'). This is important to bear in mind when assessing the threat to your own organisation: are you likely to be specifically targeted by certain actors?
Think about how a lack of connectivity would impact your organisation, and how you would function if services suddenly became unavailable. In this instance the lack of connectivity impacted teachers' ability to deliver lessons for a couple of days, so they were advised to plan in case the attack persisted even longer.
- Make sure that you have a plan in place to manage any potential media/stakeholder attention resulting from publicly evident attacks.
- DDoS attacks are often used as a smoke screen for other attacks.
- If you have been hit by a DDoS attack, be aware that other attack vectors may also be in play.
If you or your organisation have been a victim of this or any other type of cyber crime, report it to Action Fraud, the UK's national cyber crime reporting centre, at https://www.actionfraud.police.uk/ or by phone on 0300 123 2040. Action Fraud has a 24/7 reporting capability for live incidents such as DoS attacks.