FYI, shadowserver has reported connectionless ldap to network owners and national CERTS since november 2016.

73300 vulnerable hosts from what we are seeing in the last scan.
Cool, thanks for the info.

LDAP that isn't properly secured has always been a problem as long as there has been LDAP - what we're seeing happen now is rather than trying to compromise LDAP, attackers are using it to reflect volumetric DDOS attacks. November 2016 sounds about right, attackers would have been looking for the next "post Mirai" DDOS approach about then - with more and more practical (and more widespread) use of those platforms as time goes on

Diary Archives