Open CLDAP reflectors are again on the rise as one component of multi-vector DDoS attacks: CLDAP runs over UDP, so a spoofed request is answered to the victim's address with a much larger reply, which adds volume and complicates mitigation. Black Lotus Labs tracks open CLDAP reflectors, analyzes their behavior, and provides guidance on reducing exposure and on blocking long-lived reflectors. #CLDAP #DDoS #LDAP #ActiveDirectory
Keypoints
- CLDAP reflectors are on the rise again: the number of open reflectors grew by more than 60% over the last 12 months (from roughly 7K to 12K).
- CLDAP is a UDP reflection vector with a high bandwidth amplification factor (BAF) of 56–70x. Because the transport is connectionless, an attacker can spoof the victim's source address and an open reflector will deliver the amplified reply to the victim, so abused reflectors easily add traffic volume to a DDoS attack.
- Open CLDAP reflectors may be accidental or intentional deployments; some are long-lived and are reused across multiple DDoS campaigns, which increases their value to attackers.
- Geographically, the U.S. and Brazil are the primary hotspots within a global spread, and older reflectors are reused more often than recent ones.
- Top-talker profiles include reflectors that are Microsoft domain controllers running Active Directory; many are also open DNS reflectors and expose RDP and SMB, and several exhibit bot-like behavior, including connections to known C2s.
- Mitigation guidance: do not expose CLDAP (389/UDP) to the internet; move to LDAP over TCP where possible; rate-limit and firewall the service; and deploy anti-spoofing at the network edge (reverse-path filtering such as uRPF, and MANRS) so spoofed requests never reach a reflector.
- Collaboration and notification efforts are emphasized: owners of vulnerable CLDAP services are notified, and long-lived reflector traffic is curbed on the Lumen backbone.
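To make the amplification and exposure points concrete, here is an added example (not code from the Black Lotus Labs report) that builds the standard CLDAP rootDSE probe in BER, parses the reply a domain controller sends back, and computes the BAF as reply bytes over request bytes. The probe bytes follow the LDAP SearchRequest layout for an empty base with an (objectClass=*) present filter; the sample reply is constructed inline and carries only four rootDSE attributes, so its BAF is far below the 56–70x of a real domain controller, whose rootDSE lists dozens of attributes. The probe() helper sends the datagram to a host you are authorised to test; everything else runs offline.

```python
"""CLDAP exposure check: build the rootDSE probe, parse replies, compute BAF (Python 3, stdlib)."""
import socket
import struct

SEARCH_REQUEST, SEARCH_RES_ENTRY, SEARCH_RES_DONE = 0x63, 0x64, 0x65  # [APPLICATION 3/4/5]
FILTER_PRESENT = 0x87  # [CONTEXT 7] primitive: filter "attribute is present"

def tlv(tag, body, long_form=False):
    """BER TLV. long_form=True emits the 0x84 + 4-byte length form that Windows DCs use in replies."""
    if long_form:
        return bytes([tag, 0x84]) + struct.pack(">I", len(body)) + body
    assert len(body) < 0x80, "short-form only for the small structures built here"
    return bytes([tag, len(body)]) + body

def build_rootdse_probe(message_id=1):
    """LDAPMessage{messageID, SearchRequest{base "", scope baseObject, deref never,
    sizeLimit 0, timeLimit 0, typesOnly FALSE, filter (objectClass=*), attrs []}}:
    the 39-byte datagram that makes a CLDAP responder return its rootDSE."""
    search = (tlv(0x04, b"")                  # baseObject "" = rootDSE
              + tlv(0x0A, b"\x00")            # scope: baseObject
              + tlv(0x0A, b"\x00")            # derefAliases: never
              + tlv(0x02, b"\x00")            # sizeLimit
              + tlv(0x02, b"\x00")            # timeLimit
              + tlv(0x01, b"\x00")            # typesOnly: FALSE
              + tlv(FILTER_PRESENT, b"objectClass")
              + tlv(0x30, b""))               # attributes: all
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(SEARCH_REQUEST, search))

def read_tlv(buf, pos):
    """Decode the TLV at pos (short or long-form length); return (tag, body, next_pos)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                          # long form: low bits = number of length bytes
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def parse_rootdse_response(datagram):
    """Return {attribute: [values]} from the searchResEntry messages in a reply datagram."""
    attrs, pos = {}, 0
    while pos < len(datagram):
        _, msg, pos = read_tlv(datagram, pos)   # LDAPMessage
        _, _, p = read_tlv(msg, 0)              # messageID
        op_tag, op, _ = read_tlv(msg, p)        # protocolOp
        if op_tag != SEARCH_RES_ENTRY:          # skip searchResDone etc.
            continue
        _, _, p = read_tlv(op, 0)               # objectName
        _, attr_list, _ = read_tlv(op, p)       # PartialAttributeList
        p = 0
        while p < len(attr_list):
            _, attr, p = read_tlv(attr_list, p) # PartialAttribute
            _, name, q = read_tlv(attr, 0)      # type
            _, vals, _ = read_tlv(attr, q)      # SET OF values
            values, q = [], 0
            while q < len(vals):
                _, v, q = read_tlv(vals, q)
                values.append(v.decode("utf-8", "replace"))
            attrs[name.decode()] = values
    return attrs

def bandwidth_amplification_factor(request, replies):
    """BAF = UDP payload bytes returned / UDP payload bytes sent."""
    return sum(len(r) for r in replies) / len(request)

def probe(host, port=389, timeout=3.0):
    """Send the probe and collect reply datagrams until the socket goes quiet.
    Only use against hosts you are authorised to test."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_rootdse_probe(), (host, port))
    replies = []
    try:
        while True:
            replies.append(sock.recvfrom(65535)[0])
    except socket.timeout:
        pass
    finally:
        sock.close()
    return replies

def _attr(name, *values):                     # PartialAttribute, DC-style long lengths
    return tlv(0x30, tlv(0x04, name) + tlv(0x31, b"".join(tlv(0x04, v) for v in values)), long_form=True)

# Constructed sample reply (not a capture): one searchResEntry with a few rootDSE
# attributes followed by searchResDone, encoded the way a Windows DC would.
SAMPLE_REPLY = [
    tlv(0x30, tlv(0x02, b"\x01") + tlv(SEARCH_RES_ENTRY, tlv(0x04, b"") + tlv(0x30,
        _attr(b"dnsHostName", b"dc01.corp.example")
        + _attr(b"defaultNamingContext", b"DC=corp,DC=example")
        + _attr(b"supportedLDAPVersion", b"3", b"2")
        + _attr(b"ldapServiceName", b"corp.example:dc01$@CORP.EXAMPLE"),
        long_form=True), long_form=True), long_form=True)
    + tlv(0x30, tlv(0x02, b"\x01") + tlv(SEARCH_RES_DONE,
          tlv(0x0A, b"\x00") + tlv(0x04, b"") + tlv(0x04, b"")), long_form=True)
]

if __name__ == "__main__":
    req = build_rootdse_probe()
    print("rootDSE:", parse_rootdse_response(SAMPLE_REPLY[0]))
    print("BAF on sample: %.1fx" % bandwidth_amplification_factor(req, SAMPLE_REPLY))
```

If probe() against one of your own domain controllers from an external address returns anything at all, that host is an open CLDAP reflector regardless of how small the reply looks: the fix is to filter 389/UDP at the perimeter, not to trim rootDSE. The reply parser accepts both short and long-form BER lengths because real DC replies use the 0x84 form, which naive decoders that assume single-byte lengths will reject.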
MITRE Techniques
- [T1498.002] Network Denial of Service: Reflection Amplification – open CLDAP reflectors are abused to amplify spoofed UDP traffic and overwhelm targets. “CLDAP reflectors reliably add traffic volume to the DDoS recipe.”
- [T1021] Remote Services – RDP and SMB are exposed on some CLDAP reflectors, offering a route to compromise or misuse of the host. “open to DNS reflection, and running RDP and SMB services vulnerable to exploitation.”
- [T1071] Application Layer Protocol (Command and Control) – some reflectors show bi-directional communications with confirmed C2s for multiple malware families. “bi-directional communications with confirmed C2s for multiple malware families.”
- [T1071.004] DNS – the same hosts are also tagged as “open DNS reflector”, so DNS is part of the same attack ecosystem; note that an open resolver is itself a reflection vector and is not, on its own, evidence of DNS-based C2.
Indicators of Compromise
- [Port] 389/UDP – the CLDAP port; open reflectors answer spoofed requests here and generate the amplification traffic (context: primary UDP vector).
- [IP Address] North American telecom-associated reflector IP – long-lived reflector observed directing multi-Gbps traffic to various targets (context: example of a top-performing reflector).
- [IP Address] Religious organization reflector IP – reflector with high traffic spikes and multi-service exposure (context: open to DNS reflection and bot-like behavior).
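The long-lived reflectors described above are the ones worth hunting for on a backbone or in your own egress telemetry. The following is an added example (not the Black Lotus Labs tooling) of the detection logic over constructed flow records: a host counts as a candidate reflector when it sends a large volume from source port 389/UDP on several distinct days and to more than one destination, which separates a reused reflector from a one-off burst or from a domain controller answering normal client traffic. The thresholds and the records are assumptions for illustration; addresses are RFC 5737 TEST-NET ranges.

```python
"""Flag long-lived CLDAP reflectors from flow records: a host that sends large volumes
from 389/UDP to several destinations on several different days (Python 3, stdlib)."""
from collections import defaultdict

# Constructed flow records (not real telemetry), one per (src, dst, day):
# (src, sport, dst, dport, proto, bytes, packets, day). Addresses are RFC 5737 TEST-NETs.
FLOWS = [
    ("203.0.113.5", 389, "192.0.2.10", 80, "udp", 2_400_000_000, 1_600_000, "2024-01-01"),
    ("203.0.113.5", 389, "192.0.2.10", 80, "udp", 3_100_000_000, 2_000_000, "2024-01-02"),
    ("203.0.113.5", 389, "192.0.2.77", 443, "udp", 1_900_000_000, 1_300_000, "2024-01-03"),
    ("203.0.113.5", 389, "198.51.100.9", 25565, "udp", 2_700_000_000, 1_800_000, "2024-01-05"),
    ("203.0.113.7", 389, "192.0.2.10", 80, "udp", 2_000_000_000, 1_400_000, "2024-01-02"),  # one-day burst
    ("203.0.113.10", 389, "203.0.113.40", 49152, "udp", 12_000, 30, "2024-01-01"),  # normal DC traffic
    ("203.0.113.10", 389, "203.0.113.41", 52000, "udp", 9_000, 20, "2024-01-02"),
    ("203.0.113.10", 389, "203.0.113.42", 53110, "tcp", 480_000, 900, "2024-01-02"),  # LDAP/TCP, ignored
]

def candidate_reflectors(flows, min_bytes_per_day=1_000_000_000, min_days=3, min_targets=2):
    """Group egress 389/UDP flows by source; report sources that exceed min_bytes_per_day
    on at least min_days distinct days and have hit at least min_targets destinations."""
    per_src = defaultdict(lambda: {"day_bytes": defaultdict(int), "targets": set(), "bytes": 0, "pkts": 0})
    for src, sport, dst, _dport, proto, nbytes, pkts, day in flows:
        if proto != "udp" or sport != 389:
            continue
        s = per_src[src]
        s["day_bytes"][day] += nbytes
        s["targets"].add(dst)
        s["bytes"] += nbytes
        s["pkts"] += pkts
    findings = {}
    for src, s in per_src.items():
        busy_days = sorted(d for d, b in s["day_bytes"].items() if b >= min_bytes_per_day)
        if len(busy_days) >= min_days and len(s["targets"]) >= min_targets:
            findings[src] = {
                "busy_days": busy_days,
                "targets": sorted(s["targets"]),
                "avg_packet_bytes": round(s["bytes"] / s["pkts"]),  # large replies vs. a tiny request
            }
    return findings

if __name__ == "__main__":
    for src, info in candidate_reflectors(FLOWS).items():
        print(src, info)
```

The day and target thresholds are what make this a long-lived-reflector detector rather than a generic volumetric alert: lowering min_days to 1 and min_targets to 1 also surfaces the one-day burst host, which may be worth a notification but is not the reused asset the report singles out. In production the same grouping runs over sampled NetFlow/IPFIX, and the average packet size (well above the 39-byte request) is a cheap corroborating signal that the egress is amplified replies rather than legitimate client lookups.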