C. OBIMBO ET AL.
156
of LDAP. The two flaws presented are not design flaws of the protocol but rather implementation flaws that arose as functionality was added.
4.1. Issues
The first problem with LDAP is that it is an active directory: the LDAP server is constantly being inundated with new queries. An authentication service should never carry more traffic than necessary, and since LDAP services provide more than just authentication, LDAP is a poor candidate as an authenticator. There are three measures that can be taken to better protect an organization's LDAP server(s).
1) Only bind to connections for authentication that are inside an organization's IP range and on a known hosts list
2) Bind all blind authentication connections to a second physical LDAP server that is a clone of the directory tree for the scope of a blind authentication
3) If allowing connections from the Internet, only allow blind authentication
The first measure ensures that only known clients inside the network have access to the directory for authentication and privileged querying. The second measure ensures that all non-critical traffic hitting the LDAP server is directed at a clone server instead, preserving the integrity of the primary directory. The third measure is enforced by the second: all Internet traffic is, by policy, sent to the clone server. With proper security policies in place, internal attacks can also be traced more easily and shut down faster, since the abuse can be logged on the internal networks.
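The three measures above amount to a routing policy for incoming bind requests. The following is an added illustration of that policy (it is not code from the paper): privileged binds are accepted only from known hosts inside the organization's ranges, every blind authentication bind is sent to the clone server, and anything else is rejected and logged. All address ranges, host addresses and server hostnames are constructed for the example.

```python
"""Bind-request routing policy for an LDAP deployment.

Added illustration of the three measures in Section 4.1 (not code from the
paper): privileged binds only from known internal hosts, all blind
authentication binds sent to a clone server, and only blind authentication
accepted from the Internet. All addresses and hostnames are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed deployment values (assumptions for this example).
ORG_RANGES = [ipaddress.ip_network("10.0.0.0/8"),
              ipaddress.ip_network("192.168.1.0/24")]
KNOWN_HOSTS = {"10.0.5.20", "192.168.1.42"}   # hosts allowed privileged binds
PRIMARY = "ldap-primary.example.internal"     # hypothetical primary server
CLONE = "ldap-clone.example.internal"         # hypothetical read-only clone


@dataclass(frozen=True)
class BindRequest:
    source_ip: str
    blind: bool   # True: bind only checks credentials, no directory queries


def inside_org(ip) -> bool:
    """ip is an ipaddress.IPv4Address or IPv6Address."""
    return any(ip in net for net in ORG_RANGES)


def route_bind(req: BindRequest) -> str:
    """Return 'primary', 'clone' or 'reject' for a bind request."""
    try:
        ip = ipaddress.ip_address(req.source_ip)
    except ValueError:
        return "reject"           # unparsable source address: never let it bind
    if req.blind:
        # Measures 2 and 3: every blind authentication, whether internal or
        # from the Internet, goes to the clone, so the primary tree is untouched.
        return "clone"
    if inside_org(ip) and str(ip) in KNOWN_HOSTS:
        # Measure 1: privileged binds only from internal hosts on the known list.
        return "primary"
    # Non-blind bind from an unknown host (inside or outside): refused.
    return "reject"


def audit_record(req: BindRequest, decision: str) -> str:
    """One log line per decision; rejected internal binds are the records the
    paper suggests tracing to locate internal abuse."""
    kind = "blind" if req.blind else "privileged"
    return f"bind src={req.source_ip} kind={kind} decision={decision}"


if __name__ == "__main__":
    samples = [BindRequest("10.0.5.20", False), BindRequest("10.0.9.9", False),
               BindRequest("203.0.113.7", True), BindRequest("203.0.113.7", False)]
    for r in samples:
        print(audit_record(r, route_bind(r)))
```

The policy is deliberately fail-closed: an internal host that is not on the known list gets the same rejection as an Internet host, and the resulting audit line is the signal that the paper says makes internal abuse traceable.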
The second flaw of LDAP is that, since it was designed first for directory access, security was appended to the design rather than supported from the start. As a result, passwords can be sent over networks in plain text. Any authentication service that allows the transmission of plain-text passwords, or stores plain-text passwords, is not suited for use in 21st-century computing. Although v3 of the protocol allows TLS sessions [6], the use of such security has not fully carried over, due to historic security policies that use the obsolete SSL-session method, which can be easily compromised by SSL certificate spoofing [19]. There are also three precautions that can be taken against the second flaw in LDAP.
1) Not allowing plain-text passwords to be used for authentication; hash them with at least SHA-256
2) Using the TLS service LDAP supports
3) Having all authentication connections connect to the server through a virtual private network (VPN)
Of course, one could try to implement all of the above safeguards, but it would be much easier to use software designed for authentication. Given the extra policies needed to combat denial-of-service attacks, LDAP does not make a good authentication provider.
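The three precautions for the second flaw can be combined into a single decision at bind time: a simple bind that carries a password is refused unless the connection is protected by TLS or arrives over the VPN, and the directory never holds the password itself but a salted SHA-256 digest. The code below is an added example, not code from the paper; the `{SSHA256}` value layout (digest followed by salt, base64-encoded behind a scheme prefix) is the convention assumed here for a `userPassword` attribute, and the salt and password values are constructed.

```python
"""Password-at-rest hashing and transport check for simple binds.

Added illustration of the three precautions for the second flaw in Section
4.1 (not code from the paper): a simple bind that carries a password is
accepted only over TLS or a VPN, and the directory stores a salted SHA-256
digest rather than the plain-text password. The {SSHA256} layout assumed
here is digest || salt, base64-encoded, behind a scheme prefix.
"""
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

SCHEME = "{SSHA256}"
DIGEST_LEN = 32          # SHA-256 digest size in bytes


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-256 of the password, encoded as {SSHA256}base64(digest+salt)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def verify_password(stored: str, candidate: str) -> bool:
    """Check a candidate against a stored value; anything not hashed is refused."""
    if not stored.startswith(SCHEME):
        return False
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    expected = hashlib.sha256(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)   # constant-time comparison


@dataclass(frozen=True)
class Connection:
    tls: bool       # StartTLS negotiated or LDAPS
    via_vpn: bool   # arrived on the VPN interface


def simple_bind(conn: Connection, stored: str, candidate: str) -> str:
    """Decide a simple bind: 'confidential-transport-required',
    'invalid-credentials' or 'success'."""
    if not (conn.tls or conn.via_vpn):
        # The password would cross the network in the clear: refuse outright.
        return "confidential-transport-required"
    return "success" if verify_password(stored, candidate) else "invalid-credentials"


if __name__ == "__main__":
    record = hash_password("correct horse")          # constructed password
    print(record)
    print(simple_bind(Connection(tls=False, via_vpn=False), record, "correct horse"))
    print(simple_bind(Connection(tls=True, via_vpn=False), record, "correct horse"))
```

Salted SHA-256 is the floor the paper sets; a practitioner storing passwords today would normally prefer a deliberately slow, memory-hard hash so that a leaked directory cannot be brute-forced at SHA-256 speed. The transport check is the part that matters most here, since no choice of hash protects a password that is read off the wire during the bind.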
4.2. Alternative Authentication Services
As discussed previously in Section 4.1, LDAP is a poor choice for authenticating users and entities. One service already described above is Kerberos. It is worth mentioning because it is present in several systems, including the BSD operating system and the X Window System [20]. Many other operating systems use a variant of Kerberos.
Kerberos incorporates strong cryptography in order to ensure the confidentiality of authentication credentials. Kerberos is often used in conjunction with an LDAP server that only allows access from connections for which an authentication ticket has been granted. Tickets are authentication tokens that verify a user's identity to the requested service and tell the user where to create a connection with the requested service.
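The arrangement just described, an LDAP server that admits only connections carrying a ticket issued by a central authority, can be modelled in a few functions. The block below is an added toy model, not code from the paper or from any Kerberos implementation: a KDC issues a ticket naming the principal and service and tells the client where to connect, and the LDAP service verifies the ticket before allowing a bind. Real Kerberos encrypts tickets under the service's key and carries session keys; this model keeps only an HMAC tag under a shared service key plus an expiry, which is enough to show the gating. All keys, principal names and hostnames are constructed.

```python
"""Ticket-gated LDAP access, a toy model of the Kerberos arrangement in
Section 4.2 (added example, not code from the paper or any Kerberos
implementation). The KDC issues a ticket for a principal and service and
tells the client where to connect; the LDAP service admits a bind only when
a valid ticket accompanies it. Real tickets are encrypted and carry session
keys; here a ticket is a signed, time-limited statement.
"""
import hashlib
import hmac
import json
from typing import Optional

# Constructed long-term service key shared between the KDC and the service.
SERVICE_KEYS = {
    "ldap/dir.example.internal": b"constructed-ldap-service-key",
}
# Where the KDC tells the client to connect for each service (assumed).
SERVICE_LOCATIONS = {
    "ldap/dir.example.internal": ("dir.example.internal", 636),
}
LDAP_SERVICE = "ldap/dir.example.internal"


def _tag(service: str, body: dict) -> str:
    """HMAC-SHA256 over a canonical encoding of the ticket body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SERVICE_KEYS[service], canonical, hashlib.sha256).hexdigest()


def kdc_issue(principal: str, service: str, now: int, lifetime: int = 300) -> dict:
    """KDC side: build a ticket for `principal` to present at `service`."""
    body = {"principal": principal, "service": service,
            "issued": now, "expires": now + lifetime}
    return {"ticket": {"body": body, "tag": _tag(service, body)},
            "connect_to": SERVICE_LOCATIONS[service]}


def service_verify(service: str, ticket: dict, now: int) -> Optional[str]:
    """Service side: return the authenticated principal, or None if the ticket
    names another service, is outside its validity window, or fails the tag."""
    body = ticket.get("body", {})
    if body.get("service") != service:
        return None
    if not (body.get("issued", now + 1) <= now < body.get("expires", 0)):
        return None
    if not hmac.compare_digest(_tag(service, body), ticket.get("tag", "")):
        return None
    return body["principal"]


def ldap_bind(ticket: Optional[dict], now: int) -> str:
    """The LDAP server accepts a connection only with a valid ticket."""
    if ticket is None:
        return "denied: no ticket"
    principal = service_verify(LDAP_SERVICE, ticket, now)
    return f"allowed: {principal}" if principal else "denied: invalid ticket"


if __name__ == "__main__":
    grant = kdc_issue("alice@EXAMPLE", LDAP_SERVICE, now=1000)
    print("connect to", grant["connect_to"])
    print(ldap_bind(grant["ticket"], now=1100))
    print(ldap_bind(grant["ticket"], now=1400))
```

The point the model makes is the one the paper draws: the directory never sees a password at all, and every bind it accepts is traceable to a ticket that a separate, authentication-only service issued.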
5. Conclusions
We have shown that the use of LDAP software in its current state is not suitable as an authentication service. In Section 3 the attack proposed was successful at causing denial of service through SYN flooding and thus disrupted the LDAP service. In Section 3.2 it was argued that, because authentication is a critical service, a successful DoS attack against it is highly effective.
Section 4.1 brought forth two fundamental flaws of LDAP, concerning the protection of LDAP servers from DoS attacks and the protection of user passwords from being discovered over a network. Finally, Section 4.2 suggested the use of Kerberos as an alternative authentication service to LDAP.
Attack Definition
The characteristics of the attack prompt the use of a better-suited definition: denial-of-dependent-services, or DoDS. Denial-of-dependent-services is a planned denial-of-service attack on a service with the intention of disrupting the services that depend on it. This type of attack attempts to maximize the number of services denied while minimizing the number of targets the attacker must hit. An example of an infrastructure that would be susceptible to this attack is a central authentication service.
6. References
[1] J. M. Alonso, R. Bordon, M. Beltran and A. Guzman,
Copyright © 2011 SciRes. JIS