Hello, welcome to the Wednesday, September 2nd, 2020 edition of the Sansanet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

One of our honeypots today received a number of responses, actually, that were likely of a side effect, maybe some spillover from

recent denial of service attacks. There have been a number of very high volume denial of

service attacks recently. While these type of attacks are not as much in the news anymore

as they used to be a couple years ago,

recently they have been picking up and one particular type of attack that has sort of been thrown into the mix more than in the past is LDAB amplification attacks.

Similar to many of the other UDP-based attacks,

a small L-DAP request that is spoofed

can cause a large response to be sent to a victim.

Now with LDAB, not really being a protocol

that should be used across the internet regularly,

it's a little bit easier to defend against them than against, let's say, DNS attacks,

but recently these attacks have reached about a terabit per second and more in some cases. So what we saw in our honeypots was these responses coming back without our honeypots actually

sending requests out.

So I expect by accident with all of the traffic happening there, someone did spoof a couple

packets from the wrong IP address, and as a result,

we saw the responses coming back. We looked a little bit closer into the origins of these

responses, and one thing we found somewhat regularly as far as we could tell, you couldn't

really always tell based on the response,

but these responses came from active directory servers,

so domain controllers that people had exposed to the Internet.

...