The attack on AWS was a CLDAP reflection-based attack, and was 44 percent larger than anything the cloud provider has seen before, it said in a Q1 AWS Shield threat landscape report [pdf] seen this week.
AWS did not cite an apparent motive, but noted that attacks spike when a new vector is discovered by attackers.
Reflection attacks abuse legitimate protocols, by sending a request to a third-party server, using a spoofed IP address.
The response is much larger in size and is returned to the spoofed IP address of the unwitting victim. (Security firm Akamai in 2017 found that 78,071 of hosts responded with 1,500+ bytes of data to an initial 52 byte query).
CLDAP reflection attacks abuse the connectionless version of the Lightweight Directory Access Protocol (LDAP).
AWS weathered this attack, its threat report shows, but it comes after the public cloud giant saw services knocked offline in October 2019 by a DDoS attack on its DNS service.
What Else’s is Being Used to Attack the Cloud?
The report also highlights the four most prominent (malicious) “interaction types” used to try and hack services running on AWS in Q1.
There were 41 million attempts made to compromise services using these four techiques along during the quarter: 31 percent of all events.
Without naming explicit CVEs, AWS points to:
• “Docker unauthenticated RCE, where the suspect attempts to exploit a Docker engine API to build a container, without authorization.
• “SSH intrusion attempts, where the suspect looks for ways to gain unauthorized access to the application using commonly used credentials or other exploits.
• “Redis unauthenticated RCE, where the suspect attempts to exploit the API of a Redis database to gain remote access to the application, gain access to the contents of the database, or make it unavailable to end users.
• “Apache Hadoop YARN RCE, where the suspect attempts to exploit the API of a Hadoop cluster’s resource management system and execute code, without authorization.
The report notes: “The motivation of an attacker can vary. Individual interactions may result from an attacker with a specific goal that related to the targeted application. The higher volume interactions are motivated by control of compute and network resources at scale for purposes like cryptocurrency mining, DDoS attacks, or data exfiltration.
“The frequency of interaction with an application depends on factors like its prevalence on the Internet, availability of unpatched RCE vulnerabilities, and the likelihood that application owners have effectively restricted access to those applications”, it concludes.