A public-facing device on your network, running on IP address 144.76.92.212, appears to operate an LDAP service that responds on UDP port 389 (connectionless LDAP, CLDAP) and that participated in a large-scale attack against a customer of ours, generating UDP responses to spoofed requests that claimed to be from the attack target.
Please consider reconfiguring this server in one or more of these ways:
1. Adding a firewall rule to block all access to this host’s UDP port 389 at your network edge. (LDAP also listens on TCP port 389 by default. TCP cannot be abused for this kind of reflection, because a spoofed source never completes the handshake, so 389/TCP can be left open without allowing the host to be used for amplification; for security reasons, though, it is usually best to block both 389/TCP and 389/UDP at the network edge.)
2. Adding firewall rules to allow connections to this service (on UDP port 389) from authorized endpoints but block connections from all other hosts.
3. Disabling LDAP/Active Directory functionality on your system. This is only appropriate if you do not make use of the service.
More information on this type of attack can be found at these links:
https://www.akamai.com/kr/ko/multimedia/documents/state-of-the-internet/cldap-threat-advisory.pdf
https://www.scmagazine.com/zero-day-ddos-attack-vector-leverages-ldap-to-amplify-malicious-traffic/article/568309/
https://www.us-cert.gov/ncas/alerts/TA14-017A
http://blog.netlab.360.com/cldap-is-now-the-3rd-reflection-amplified-ddos-attack-vector-surpassing-ssdp-and-chargen-en/
Example responses from the host during this attack are given below.
Date/timestamps (far left) are UTC.
2019-01-24 13:33:35.366316 IP 144.76.92.212.389 > 162.248.94.x.65114: UDP, length 3060
0x0000: 4500 05dc 48b6 2000 7911 e526 904c 5cd4 E...H...y..&.L\.
0x0010: a2f8 5e1b 0185 fe5a 0bfc 610e 3084 0000 ..^....Z..a.0...
0x0020: 0bd8 0201 0764 8400 000b cf04 0030 8400 .....d.......0..
0x0030: 000b c730 8400 0000 2604 0b63 7572 7265 ...0....&..curre
0x0040: 6e74 5469 6d65 3184 0000 0013 0411 3230 ntTime1.......20
0x0050: 3139 19
2019-01-24 13:33:35.466309 IP 144.76.92.212.389 > 162.248.94.x.52806: UDP, length 3060
0x0000: 4500 05dc 48bb 2000 7911 e521 904c 5cd4 E...H...y..!.L\.
0x0010: a2f8 5e1b 0185 ce46 0bfc 9122 3084 0000 ..^....F..."0...
0x0020: 0bd8 0201 0764 8400 000b cf04 0030 8400 .....d.......0..
0x0030: 000b c730 8400 0000 2604 0b63 7572 7265 ...0....&..curre
0x0040: 6e74 5469 6d65 3184 0000 0013 0411 3230 ntTime1.......20
0x0050: 3139 19
2019-01-24 13:33:35.954000 IP 144.76.92.212.389 > 162.248.94.x.65114: UDP, length 3060
0x0000: 4500 05dc 48da 2000 7911 e502 904c 5cd4 E...H...y....L\.
0x0010: a2f8 5e1b 0185 fe5a 0bfc 610d 3084 0000 ..^....Z..a.0...
0x0020: 0bd8 0201 0764 8400 000b cf04 0030 8400 .....d.......0..
0x0030: 000b c730 8400 0000 2604 0b63 7572 7265 ...0....&..curre
0x0040: 6e74 5469 6d65 3184 0000 0013 0411 3230 ntTime1.......20
0x0050: 3139 19
2019-01-24 13:33:36.144411 IP 144.76.92.212.389 > 162.248.94.x.56225: UDP, length 3060
0x0000: 4500 05dc 48e5 2000 7911 e4f7 904c 5cd4 E...H...y....L\.
0x0010: a2f8 5e1b 0185 dba1 0bfc 83c6 3084 0000 ..^.........0...
0x0020: 0bd8 0201 0764 8400 000b cf04 0030 8400 .....d.......0..
0x0030: 000b c730 8400 0000 2604 0b63 7572 7265 ...0....&..curre
0x0040: 6e74 5469 6d65 3184 0000 0013 0411 3230 ntTime1.......20
0x0050: 3139 19
2019-01-24 13:33:36.210747 IP 144.76.92.212.389 > 162.248.94.x.10302: UDP, length 3060
0x0000: 4500 05dc 48e8 2000 7911 e4f4 904c 5cd4 E...H...y....L\.
0x0010: a2f8 5e1b 0185 283e 0bfc 372a 3084 0000 ..^...(>..7*0...
0x0020: 0bd8 0201 0764 8400 000b cf04 0030 8400 .....d.......0..
0x0030: 000b c730 8400 0000 2604 0b63 7572 7265 ...0....&..curre
0x0040: 6e74 5469 6d65 3184 0000 0013 0411 3230 ntTime1.......20
0x0050: 3139 19
2019-01-24 13:33:36.278150 IP 144.76.92.212.389 > 162.248.94.x.10302: UDP, length 3060
0x0000: 4500 05dc 48ed 2000 7911 e4ef 904c 5cd4 E...H...y....L\.
0x0010: a2f8 5e1b 0185 283e 0bfc 372a 3084 0000 ..^...(>..7*0...
0x0020: 0bd8 0201 0764 8400 000b cf04 0030 8400 .....d.......0..
0x0030: 000b c730 8400 0000 2604 0b63 7572 7265 ...0....&..curre
0x0040: 6e74 5469 6d65 3184 0000 0013 0411 3230 ntTime1.......20
0x0050: 3139 19
(The final octet of our customer’s IP address is masked in the above output because some automatic parsers become confused when multiple IP addresses are included. The value of that octet is "27".)
-John
President
Nuclearfallout, Enterprises, Inc. (NFOservers.com)
(We’re sending out so many of these notices, and seeing so many auto-responses, that we can’t go through this email inbox effectively. If you have follow-up questions, please contact us at noc@nfoe.net.)
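The following decoder is an added example and is not part of the NFOservers notice or any tool of theirs. It takes the first packet quoted above exactly as tcpdump -X printed it (with the masked octet restored to 27, as the notice states) and walks the IPv4 header, the UDP header and the BER-encoded LDAPMessage, so that a recipient can verify for themselves that the host answered a spoofed query with a CLDAP rootDSE searchResEntry. The only assumptions are the tcpdump -X layout (offset, hex groups, ASCII column) and the 0x84 long-form BER lengths visible in the dump; the 82-byte snapshot cuts the reply short, and the decoder reports declared versus captured lengths instead of guessing.

```python
"""Decode the CLDAP reflection packet quoted in the NFOservers abuse notice.

Added example, not part of the notice: it parses a tcpdump -X dump (IPv4
header, UDP header, then the BER-encoded LDAPMessage) so the recipient can
confirm what the host actually sent. The dump below is the first packet from
the notice, with the masked octet restored to 27 as the notice states; the
ASCII column is reproduced as tcpdump prints it.
"""
import ipaddress
import struct

# First packet quoted in the notice (tcpdump -X: offset, hex groups, ASCII column).
PACKET_DUMP = r"""
0x0000: 4500 05dc 48b6 2000 7911 e526 904c 5cd4 E...H...y..&.L\.
0x0010: a2f8 5e1b 0185 fe5a 0bfc 610e 3084 0000 ..^....Z..a.0...
0x0020: 0bd8 0201 0764 8400 000b cf04 0030 8400 .....d.......0..
0x0030: 000b c730 8400 0000 2604 0b63 7572 7265 ...0....&..curre
0x0040: 6e74 5469 6d65 3184 0000 0013 0411 3230 ntTime1.......20
0x0050: 3139 19
"""

LDAP_OPS = {0x64: "searchResEntry", 0x65: "searchResDone"}  # [APPLICATION 4], [APPLICATION 5]


def parse_tcpdump_hex(dump: str) -> bytes:
    """Return the captured bytes from tcpdump -X style lines.

    Each line is an offset, up to eight 4-hex-digit groups and the ASCII
    column. The ASCII column is always the last token (this tcpdump build
    prints '.' for space and other non-graphic bytes, so the column has no
    internal whitespace) and must be exactly one character per byte, which
    also catches a dump mangled by copy-and-paste.
    """
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        offset = int(tokens[0].rstrip(":"), 16)
        if offset != len(out):
            raise ValueError(f"line at {offset:#06x} does not follow {len(out)} bytes")
        chunk = bytes.fromhex("".join(tokens[1:-1]))
        if len(tokens[-1]) != len(chunk):
            raise ValueError(f"ASCII column width mismatch at {offset:#06x}")
        out += chunk
    return bytes(out)


def ber_header(buf: bytes, pos: int):
    """Read one BER tag and length at pos; return (tag, length, value_start).

    Handles the short form and the 0x81-0x84 long forms (the responder here
    emits 0x84 even for small values). The declared length may exceed what
    was captured, so callers compare it with the bytes actually present.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated before a BER header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, first, pos + 2
    n = first & 0x7F
    if not 1 <= n <= 4 or pos + 2 + n > len(buf):
        raise ValueError("unsupported or truncated BER length")
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n


def decode_reflection_packet(pkt: bytes) -> dict:
    """Parse IPv4 + UDP headers and the first LDAPMessage of a CLDAP reply."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, _ident, frag, ttl, proto = struct.unpack("!HHHBB", pkt[2:10])
    if proto != 17:
        raise ValueError(f"IP protocol {proto} is not UDP")
    sport, dport, udp_len, _csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    info = {
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "sport": sport,
        "dport": dport,
        "ttl": ttl,
        "ip_total_len": total_len,
        "more_fragments": bool(frag & 0x2000),  # a 3060-byte reply does not fit one MTU
        "fragment_offset": (frag & 0x1FFF) * 8,
        "udp_payload_len": udp_len - 8,
        "captured_len": len(pkt),
    }
    payload = ihl + 8
    p = payload
    tag, msg_len, p = ber_header(pkt, p)          # LDAPMessage ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("UDP payload does not start with an LDAPMessage")
    # CLDAP packs a searchResDone after the entry in the same datagram; this is its room.
    info["bytes_after_first_message"] = info["udp_payload_len"] - (p - payload + msg_len)
    _, n, p = ber_header(pkt, p)                  # messageID INTEGER (copied from the spoofed request)
    info["message_id"] = int.from_bytes(pkt[p:p + n], "big")
    p += n
    op, _op_len, p = ber_header(pkt, p)           # protocolOp CHOICE
    info["op"] = LDAP_OPS.get(op, f"tag {op:#x}")
    if op != 0x64:
        return info
    _, n, p = ber_header(pkt, p)                  # objectName LDAPDN ("" = rootDSE)
    info["object_name"] = pkt[p:p + n].decode("utf-8", "replace")
    p += n
    _, _, p = ber_header(pkt, p)                  # attributes PartialAttributeList
    _, _, p = ber_header(pkt, p)                  # first PartialAttribute
    _, n, p = ber_header(pkt, p)                  # type AttributeDescription
    info["first_attribute"] = pkt[p:p + n].decode("ascii", "replace")
    p += n
    _, _, p = ber_header(pkt, p)                  # vals SET OF AttributeValue
    _, n, p = ber_header(pkt, p)                  # first AttributeValue
    info["first_value_declared_len"] = n
    info["first_value_captured"] = pkt[p:p + n].decode("ascii", "replace")  # cut by the snaplen
    return info


if __name__ == "__main__":
    for key, value in decode_reflection_packet(parse_tcpdump_hex(PACKET_DUMP)).items():
        print(f"{key:>26}: {value}")
```

Running the script prints the decoded fields: source 144.76.92.212:389, destination 162.248.94.27:65114, IP total length 1500 with the More Fragments flag set (the 3060-byte UDP payload is carried in several fragments, of which only the first 82 bytes were captured), message ID 7 echoed from the spoofed request, a searchResEntry for the empty DN (the rootDSE), and a first attribute "currentTime" whose 17-byte value is cut off after "2019". The 22 bytes left after the first LDAPMessage are exactly the size of a searchResDone in the same 0x84 length encoding, which is how a CLDAP responder terminates the reply. Since a rootDSE query is only a few dozen bytes, each spoofed query here produces over 3,000 bytes of reply, which is the amplification the notice is about.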