Industry Sector: Education
Attack Methodology: DDoS Attack (LDAP reflection/amplification)

What happened?

In this case study we look at a school that suffered a sustained Distributed Denial of Service (DDoS) attack over several days.
The school was subject to repeated DDoS attacks against its network, specifically identified as an LDAP reflection attack.

LDAP
LDAP (Lightweight Directory Access Protocol) is a widely used protocol for directory services on corporate and commercial networks. The variant abused in reflection attacks is Connectionless LDAP (CLDAP), which runs over UDP port 389: because UDP has no handshake, a server will answer a query whose source address has been forged.
A DDoS reflection attack is the practice of sending requests with a spoofed source IP address to many servers on the internet, which then send their responses to the spoofed address rather than to the real sender. The spoofed address is that of the intended victim, in this case the school.
LDAP makes this worse for the victim through amplification: a small query from the attacker produces a much larger response from each internet-facing server, and those responses together flood the victim's link. The attacker therefore needs only a fraction of the bandwidth that arrives at the target.

From a forensic point of view
Unfortunately, scrutinising the source IPs in the log files rarely leads anywhere useful on its own. Those addresses belong to the reflectors, unsuspecting internet services that expose LDAP (UDP port 389) to the internet, not to the attacker, whose real address never appears in the victim's logs. The more useful signal is the shape of the traffic: many distinct sources, all answering from port 389, with large packets and an aggregate rate far beyond what the line can carry.

The perimeter firewalls and web-filter hosts of the school were being targeted. Effectively, this rendered the school unable to connect to the internet.

During these periods, log data showed spikes of between 400 and 700 Mbps. The school's line was only capable of around 10 Mbps, so it was saturated some 40 to 70 times over; no equipment on the school's side of that line could absorb the volume, which is why the measures taken with the ISP (below) mattered.
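As an added example (not code from the case study, the school or its firewall vendor), the following Python script shows the detection logic a network team could run over flow records to recognise the pattern described above: many distinct sources, every one replying from UDP port 389, all aimed at one address, at a rate far above the line. The comma-separated flow-record format, the addresses (RFC 5737 documentation ranges: 192.0.2.10 stands in for the school's firewall, 203.0.113.0/24 for the reflectors), the traffic volumes and the MIN_REFLECTORS threshold are all constructed for this example; 10 Mbps is the line capacity quoted in the case study.

```python
"""Spotting an LDAP (CLDAP) reflection flood in flow records.

Added example for this case study; not code from the original page.
Input is a constructed flow log, one record per line:
    ts,proto,src_ip,src_port,dst_ip,dst_port,bytes,packets
All addresses are RFC 5737 documentation ranges (assumed, not real hosts).
"""
from collections import defaultdict
from dataclasses import dataclass

LDAP_PORT = 389         # CLDAP reflectors answer from UDP/389
LINK_MBPS = 10.0        # the school's line capacity from the case study
MIN_REFLECTORS = 20     # assumed threshold: fewer UDP/389 replies than this is noise


@dataclass(frozen=True)
class Flow:
    ts: float
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nbytes: int
    packets: int


def parse_flow(line: str) -> Flow:
    """Parse one comma-separated flow record (format assumed for this example)."""
    ts, proto, sip, sport, dip, dport, nbytes, pkts = line.strip().split(",")
    return Flow(float(ts), proto.upper(), sip, int(sport), dip, int(dport),
                int(nbytes), int(pkts))


def constructed_log() -> list[str]:
    """Constructed sample: ordinary traffic plus one burst of large UDP/389
    responses from 50 distinct LDAP servers, all aimed at the firewall."""
    lines = [
        "0.00,TCP,192.0.2.10,51000,198.51.100.7,443,5200,12",   # outbound HTTPS
        "0.10,UDP,198.51.100.53,53,192.0.2.10,40001,240,1",    # DNS reply
        "0.20,TCP,198.51.100.9,42000,192.0.2.10,389,600,5",    # dst port 389: a client, not a reflector
        "0.30,UDP,203.0.113.77,389,192.0.2.20,389,1400,1",     # one stray reply to another host
    ]
    for i in range(1, 51):
        # each reflector sends 900 packets averaging ~1.39 kB within the same second
        lines.append(f"0.{i:02d},UDP,203.0.113.{i},389,192.0.2.10,{30000 + i},1250000,900")
    return lines


def detect_reflection(flows, link_mbps=LINK_MBPS, min_reflectors=MIN_REFLECTORS):
    """Group inbound UDP flows whose SOURCE port is 389 by destination.

    The tell-tale shape of a reflection flood: many distinct source addresses
    (the reflectors, not the attacker), all answering from UDP/389, with an
    aggregate rate far above what the victim's link can carry.
    Returns one finding dict per flagged destination."""
    stamps = [f.ts for f in flows]
    # rate is averaged over the span of the records, but never less than 1 s
    window_s = max(max(stamps) - min(stamps), 1.0) if stamps else 1.0
    by_dst = defaultdict(lambda: {"reflectors": set(), "nbytes": 0, "packets": 0})
    for f in flows:
        if f.proto == "UDP" and f.src_port == LDAP_PORT:
            d = by_dst[f.dst_ip]
            d["reflectors"].add(f.src_ip)
            d["nbytes"] += f.nbytes
            d["packets"] += f.packets
    findings = []
    for dst, d in by_dst.items():
        mbps = d["nbytes"] * 8 / window_s / 1e6
        if len(d["reflectors"]) >= min_reflectors and mbps > link_mbps:
            findings.append({
                "victim": dst,
                "reflectors": len(d["reflectors"]),
                "mbps": round(mbps, 1),
                "avg_packet_bytes": d["nbytes"] // d["packets"],
                "over_link_x": round(mbps / link_mbps, 1),
                "reflector_ips": sorted(d["reflectors"]),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_reflection([parse_flow(l) for l in constructed_log()]):
        print({k: v for k, v in finding.items() if k != "reflector_ips"})
```

The reflector_ips list in each finding is the set of addresses that appeared as "sources"; as the forensic section above notes, these are the parties to notify (or, for your own directory servers, the reason to confirm that UDP/389 is not reachable from the internet), not suspects. The flow to 192.0.2.20 from a single port-389 source is deliberately left unflagged: one reply is not a flood, and the threshold keeps ordinary LDAP traffic out of the alert.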

Remediation
The school had been in regular communication with its Internet Service Provider, which had repeatedly changed the school's allocated IP addresses. It was noted that the IPs of two of the firewalls were being targeted, sometimes mere hours after the IP had changed.

Any traffic leaving the school's network went through one of those filters (load balancing on the servers routed traffic to the least busy one).

It was speculated that someone inside the network could have been learning the updated IP addresses (any device on the network can discover the current public address, for example from a "what is my IP" site) and adjusting the attack accordingly. One step suggested was to disable the student BYOD network; educational establishments faced with a similar situation could consider the same measure.

Points to consider

DDoS attacks are often carried out for motivations other than financial gain (e.g. 'hacktivism'). This is important to bear in mind when assessing the threat to your own organisation: are you likely to be specifically targeted by certain actors?

Think about how a lack of connectivity would impact your organisation, then think about how you are going to function if services suddenly become unavailable. In this instance, the loss of connectivity affected teachers' ability to deliver lessons for a couple of days, so they were advised to plan accordingly in case the attack persisted for longer.

PR control

  • Make sure that you have a plan in place to manage any potential media/stakeholder attention resulting from publicly evident attacks.
Smoke screen
  • DDoS attacks are often used as a smoke screen for other attacks.
  • If you have been hit by a DDoS attack, be aware that other attack vectors may be in play: review authentication logs and outbound traffic for the same period, not just the flood itself.

For a thorough guide on how to defend against DoS attacks, use the guide from the NCSC found on their website at https://www.ncsc.gov.uk/collection/denial-service-dos-guidance-collection.

If you or your organisation have been a victim of this or any other type of cyber crime, report it to Action Fraud, the UK's national cyber crime reporting centre, at https://www.actionfraud.police.uk/ or by phone on 0300 123 2040. Action Fraud has a 24/7 reporting capability for live incidents such as DoS attacks.


Nuclear Conference

Nuclear South West Conference 2019

The Somerset Cyber Group (with BLUELOOP being one of the members) will be exhibiting at the upcoming Nuclear South West Conference 2019 at The McMillan Theatre, Bridgwater on 2nd and 3rd October 2019.

With a theme of ‘Bringing Innovation to Nuclear’, this two-day showcase and conference highlights current and future opportunities in New Build, Decommissioning, Defence and new technologies, including SMRs. 

Our team will be on hand to discuss basic steps in good Cyber Security practice to ensure that all members of the supply chains, no matter how large or small, can ensure that they aren’t the weakest link.

For more information visit: https://nuclearsouthwest.co.uk/events or to book, visit: https://lnkd.in/dGfZ5Dz