Litcius/Paper detail

Deceptive directories and “vulnerable” logs: a honeypot study of the LDAP and log4j attack landscape

Shreyas Srinivasa, Jens Myrup Pedersen, Emmanouil Vasilomanolakis

202218 citationsDOIOpen Access PDF

Abstract

The Lightweight Directory Access Protocol (LDAP) has been widely used to query directory services. It is mainly utilized for reading, writing, and searching directory services like the Active Directory. The vast adoption of LDAP for authentication has entailed several attack attempts like injection attacks and unauthorized access due to third-party key storage. Furthermore, recent vulnerabilities discovered in libraries like the Log4j can lead adversaries to obtain unauthorized information from the directory services through pivoting attacks. Moreover, the LDAP can be configured to operate on UDP, motivating adversaries to exploit it for Distributed Reflection Denial of Service attacks (DRDoS). This paper presents a study of attacks on the LDAP by deploying honeypots that simulate multiple profiles that support the LDAP service and correlating the attack datasets obtained from honeypots deployed by the Honeynet Project community. We observe a total of 39,388 malicious events targeting the honeypots and discover 273 unique attack sources performing pivot attacks in a period of one month.

Topics & Concepts

Lightweight Directory Access ProtocolDirectory serviceHoneypotDirectoryComputer scienceComputer securityDenial-of-service attackAuthentication (law)Service (business)ExploitWorld Wide WebDatabaseComputer networkThe InternetOperating systemEconomyEconomicsNetwork Security and Intrusion DetectionInternet Traffic Analysis and Secure E-votingSecurity and Verification in Computing