Abuse Message [AbuseID:579C20:17]: AbuseInformation: Exploitable LDAP server used for an attack: 144.76.92.254

A public-facing device on your network, running on IP address 144.76.92.254, appears to operate an LDAP service responding on port 389 that participated in a large-scale attack against a customer of ours, generating UDP responses to spoofed requests that claimed to be from the attack target.

Please consider reconfiguring this server in one or more of these ways:

  1. Adding a firewall rule to block all access to this host’s UDP port 389 at your network edge. (LDAP also uses TCP port 389 by default, and that can be left open without allowing the host to be used for reflection attacks; but, for security reasons, it is usually best to block both 389/TCP and 389/UDP at the network edge.)
  2. Adding firewall rules to allow connections to this service (on UDP port 389) from authorized endpoints but block connections from all other hosts.
  3. Disabling LDAP/ActiveDirectory functionality on your system. This would only be appropriate if this is not a service that you make use of.

More information on this type of attack can be found at these links:

  https://www.akamai.com/kr/ko/multimedia/documents/state-of-the-internet/cldap-threat-advisory.pdf
  https://www.scmagazine.com/zero-day-ddos-attack-vector-leverages-ldap-to-amplify-malicious-traffic/article/568309/
  https://www.us-cert.gov/ncas/alerts/TA14-017A
  http://blog.netlab.360.com/cldap-is-now-the-3rd-reflection-amplified-ddos-attack-vector-surpassing-ssdp-and-chargen-en/

Example responses from the host during this attack are given below.

Date/timestamps (far left) are UTC.

2019-01-24 13:33:19.295340 IP 144.76.92.254.389 > 162.248.94.x.56225: UDP, length 3060
    0x0000: 4500 05dc 0e74 2000 7911 1f3f 904c 5cfe E....t..y..?.L.
    0x0010: a2f8 5e1b 0185 dba1 0bfc 8699 3084 0000 ..^.........0...
    0x0020: 0bd8 0201 0764 8400 000b cf04 0030 8400 .....d.......0..
    0x0030: 000b c730 8400 0000 2604 0b63 7572 7265 ...0....&..curre
    0x0040: 6e74 5469 6d65 3184 0000 0013 0411 3230 ntTime1.......20
    0x0050: 3139 19
2019-01-24 13:33:19.741580 IP 144.76.92.254.389 > 162.248.94.x.52806: UDP, length 3060
    0x0000: 4500 05dc 0e8e 2000 7911 1f25 904c 5cfe E.......y..%.L.
    0x0010: a2f8 5e1b 0185 ce46 0bfc 93f3 3084 0000 ..^....F....0...
    0x0020: 0bd8 0201 0764 8400 000b cf04 0030 8400 .....d.......0..
    0x0030: 000b c730 8400 0000 2604 0b63 7572 7265 ...0....&..curre
    0x0040: 6e74 5469 6d65 3184 0000 0013 0411 3230 ntTime1.......20
    0x0050: 3139 19
2019-01-24 13:33:20.349909 IP 144.76.92.254.389 > 162.248.94.x.10302: UDP, length 3060
    0x0000: 4500 05dc 0eb3 2000 7911 1f00 904c 5cfe E.......y....L.
    0x0010: a2f8 5e1b 0185 283e 0bfc 39fc 3084 0000 ..^...(>..9.0...
    0x0020: 0bd8 0201 0764 8400 000b cf04 0030 8400 .....d.......0..
    0x0030: 000b c730 8400 0000 2604 0b63 7572 7265 ...0....&..curre
    0x0040: 6e74 5469 6d65 3184 0000 0013 0411 3230 ntTime1.......20
    0x0050: 3139 19
2019-01-24 13:33:20.426988 IP 144.76.92.254.389 > 162.248.94.x.56225: UDP, length 3060
    0x0000: 4500 05dc 0eb8 2000 7911 1efb 904c 5cfe E.......y....L.
    0x0010: a2f8 5e1b 0185 dba1 0bfc 8698 3084 0000 ..^.........0...
    0x0020: 0bd8 0201 0764 8400 000b cf04 0030 8400 .....d.......0..
    0x0030: 000b c730 8400 0000 2604 0b63 7572 7265 ...0....&..curre
    0x0040: 6e74 5469 6d65 3184 0000 0013 0411 3230 ntTime1.......20
    0x0050: 3139 19
2019-01-24 13:33:20.481382 IP 144.76.92.254.389 > 162.248.94.x.10302: UDP, length 3060
    0x0000: 4500 05dc 0ebb 2000 7911 1ef8 904c 5cfe E.......y....L.
    0x0010: a2f8 5e1b 0185 283e 0bfc 39fc 3084 0000 ..^...(>..9.0...
    0x0020: 0bd8 0201 0764 8400 000b cf04 0030 8400 .....d.......0..
    0x0030: 000b c730 8400 0000 2604 0b63 7572 7265 ...0....&..curre
    0x0040: 6e74 5469 6d65 3184 0000 0013 0411 3230 ntTime1.......20
    0x0050: 3139 19

(The final octet of our customer’s IP address is masked in the above output because some automatic parsers become confused when multiple IP addresses are included. The value of that octet is «27».)

-John
President
Nuclearfallout, Enterprises, Inc. (NFOservers.com)

(We’re sending out so many of these notices, and seeing so many auto-responses, that we can’t go through this email inbox effectively. If you have follow-up questions, please contact us at noc@nfoe.net.)
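The following is an added triage script, not part of the notice and not NFOservers' tooling. It parses the first packet dump above (re-typed into the script as a constructed sample) and pulls out what an operator would verify before applying the requested firewall changes: the datagram is a UDP reply from source port 389, it is the first fragment of a 3060-byte payload, and the LDAP payload is a searchResEntry for the root DSE (empty objectName) whose first attribute is currentTime, which is the large unauthenticated answer a CLDAP reflector returns to a spoofed request. The result field names are my own choice.

```python
# Constructed sample: the first packet from the notice, re-typed as a tcpdump -X dump.
SAMPLE_DUMP = """
0x0000: 4500 05dc 0e74 2000 7911 1f3f 904c 5cfe E....t..y..?.L.
0x0010: a2f8 5e1b 0185 dba1 0bfc 8699 3084 0000 ..^.........0...
0x0020: 0bd8 0201 0764 8400 000b cf04 0030 8400 .....d.......0..
0x0030: 000b c730 8400 0000 2604 0b63 7572 7265 ...0....&..curre
0x0040: 6e74 5469 6d65 3184 0000 0013 0411 3230 ntTime1.......20
0x0050: 3139 19
"""
HEXCHARS = set("0123456789abcdefABCDEF")
def hexdump_to_bytes(dump: str) -> bytes:
    """Collect up to 8 hex words per '0xNNNN:' line, stopping at the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        toks = line.split()
        if toks and toks[0].startswith("0x"):
            for tok in toks[1:9]:
                if len(tok) not in (2, 4) or not set(tok) <= HEXCHARS:
                    break
                out += bytes.fromhex(tok)
    return bytes(out)

def ber_tlv(buf: bytes, pos: int):
    """Return (tag, length, value_offset); handles the 0x84 long-form lengths LDAP emits."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, first, pos + 2
    n = first & 0x7F
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n

def triage(pkt: bytes) -> dict:
    """Extract the fields that mark a UDP/389 LDAP search reply (the reflector signature)."""
    udp = (pkt[0] & 0x0F) * 4                      # IPv4 header length (IHL * 4)
    info = {
        "more_fragments": bool(pkt[6] & 0x20),     # MF set: reply spans several fragments
        "src_port": int.from_bytes(pkt[udp:udp + 2], "big"),
        "dst_port": int.from_bytes(pkt[udp + 2:udp + 4], "big"),
        "udp_payload_len": int.from_bytes(pkt[udp + 4:udp + 6], "big") - 8,
    }
    _, _, pos = ber_tlv(pkt, udp + 8)              # LDAPMessage SEQUENCE
    _, n, pos = ber_tlv(pkt, pos)                  # messageID INTEGER
    info["ldap_msg_id"] = int.from_bytes(pkt[pos:pos + n], "big")
    op, _, pos = ber_tlv(pkt, pos + n)             # protocolOp (APPLICATION tag)
    info["ldap_op"] = "searchResEntry" if op == 0x64 else f"app-{op & 0x1F}"  # APPLICATION 4
    _, n, pos = ber_tlv(pkt, pos)                  # objectName; empty DN = root DSE
    _, _, pos = ber_tlv(pkt, pos + n)              # attributes SEQUENCE
    _, _, pos = ber_tlv(pkt, pos)                  # first PartialAttribute SEQUENCE
    _, n, pos = ber_tlv(pkt, pos)                  # its type OCTET STRING
    info["first_attr"] = pkt[pos:pos + n].decode("ascii", "replace")
    return info
```

Feeding it a dump from your own `tcpdump -X 'udp src port 389'` capture on the host shows whether the same reply pattern is still being emitted after the firewall change.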