A public-facing device on your network, running on IP address 144.76.92.212, appears to operate an LDAP service responding on port 389 that participated in a large-scale attack against a customer of ours, generating UDP responses to spoofed requests that claimed to be from the attack target.
Please consider reconfiguring this server in one or more of these ways:
- Adding a firewall rule to block all access to this host's UDP port 389 at your network edge. (The service that answers on UDP port 389 is connectionless LDAP, CLDAP, and it is this UDP side that reflection attacks abuse. LDAP also uses TCP port 389 by default, and that can be left open without allowing the host to be used for reflection attacks; but, for security reasons, it is usually best to block both 389/TCP and 389/UDP at the network edge.)
- Adding firewall rules to allow connections to this service (on UDP port 389) from authorized endpoints but block connections from all other hosts.
- Disabling LDAP/Active Directory functionality on your system. This would only be appropriate if this is not a service that you make use of.

More information on this type of attack can be found at these links:

https://www.akamai.com/kr/ko/multimedia/documents/state-of-the-internet/cldap-threat-advisory.pdf
https://www.scmagazine.com/zero-day-ddos-attack-vector-leverages-ldap-to-amplify-malicious-traffic/article/568309/
https://www.us-cert.gov/ncas/alerts/TA14-017A
http://blog.netlab.360.com/cldap-is-now-the-3rd-reflection-amplified-ddos-attack-vector-surpassing-ssdp-and-chargen-en/

Example responses from the host during this attack are given below.
Date/timestamps (far left) are UTC.

2019-01-18 00:37:51.441680 IP 144.76.92.212.389 > 66.85.15.x.62814: UDP, length 3060
        0x0000:  4500 05dc 42e3 2000 7911 9ab7 904c 5cd4  E...B...y....L\.
        0x0010:  4255 0f01 0185 f55e 0bfc 20bb 3084 0000  BU.....^....0...
        0x0020:  0bd8 0201 0764 8400 000b cf04 0030 8400  .....d.......0..
        0x0030:  000b c730 8400 0000 2604 0b63 7572 7265  ...0....&..curre
        0x0040:  6e74 5469 6d65 3184 0000 0013 0411 3230  ntTime1.......20
        0x0050:  3139                                     19
2019-01-18 00:37:51.478071 IP 144.76.92.212.389 > 66.85.15.x.25952: UDP, length 3060
        0x0000:  4500 05dc 42f9 2000 7911 9aa1 904c 5cd4  E...B...y....L\.
        0x0010:  4255 0f01 0185 6560 0bfc b0b9 3084 0000  BU....e`....0...
        0x0020:  0bd8 0201 0764 8400 000b cf04 0030 8400  .....d.......0..
        0x0030:  000b c730 8400 0000 2604 0b63 7572 7265  ...0....&..curre
        0x0040:  6e74 5469 6d65 3184 0000 0013 0411 3230  ntTime1.......20
        0x0050:  3139                                     19
2019-01-18 00:37:51.505642 IP 144.76.92.212.389 > 66.85.15.x.22333: UDP, length 3060
        0x0000:  4500 05dc 4310 2000 7911 9a8a 904c 5cd4  E...C...y....L\.
        0x0010:  4255 0f01 0185 573d 0bfc bedc 3084 0000  BU....W=....0...
        0x0020:  0bd8 0201 0764 8400 000b cf04 0030 8400  .....d.......0..
        0x0030:  000b c730 8400 0000 2604 0b63 7572 7265  ...0....&..curre
        0x0040:  6e74 5469 6d65 3184 0000 0013 0411 3230  ntTime1.......20
        0x0050:  3139                                     19
2019-01-18 00:37:51.511201 IP 144.76.92.212.389 > 66.85.15.x.29183: UDP, length 3060
        0x0000:  4500 05dc 4311 2000 7911 9a89 904c 5cd4  E...C...y....L\.
        0x0010:  4255 0f01 0185 71ff 0bfc a41a 3084 0000  BU....q.....0...
        0x0020:  0bd8 0201 0764 8400 000b cf04 0030 8400  .....d.......0..
        0x0030:  000b c730 8400 0000 2604 0b63 7572 7265  ...0....&..curre
        0x0040:  6e74 5469 6d65 3184 0000 0013 0411 3230  ntTime1.......20
        0x0050:  3139                                     19
2019-01-18 00:37:51.521067 IP 144.76.92.212.389 > 66.85.15.x.51486: UDP, length 3060
        0x0000:  4500 05dc 431c 2000 7911 9a7e 904c 5cd4  E...C...y..~.L\.
        0x0010:  4255 0f01 0185 c91e 0bfc 4cfb 3084 0000  BU........L.0...
        0x0020:  0bd8 0201 0764 8400 000b cf04 0030 8400  .....d.......0..
        0x0030:  000b c730 8400 0000 2604 0b63 7572 7265  ...0....&..curre
        0x0040:  6e74 5469 6d65 3184 0000 0013 0411 3230  ntTime1.......20
        0x0050:  3139                                     19
2019-01-18 00:37:51.562003 IP 144.76.92.212.389 > 66.85.15.x.19633: UDP, length 3060
        0x0000:  4500 05dc 4336 2000 7911 9a64 904c 5cd4  E...C6..y..d.L\.
        0x0010:  4255 0f01 0185 4cb1 0bfc c968 3084 0000  BU....L....h0...
        0x0020:  0bd8 0201 0764 8400 000b cf04 0030 8400  .....d.......0..
        0x0030:  000b c730 8400 0000 2604 0b63 7572 7265  ...0....&..curre
        0x0040:  6e74 5469 6d65 3184 0000 0013 0411 3230  ntTime1.......20
        0x0050:  3139                                     19

(The final octet of our customer's IP address is masked in the above output because some automatic parsers become confused when multiple IP addresses are included. The value of that octet is «1».)

-John
President
Nuclearfallout Enterprises, Inc. (NFOservers.com)

(We're sending out so many of these notices, and seeing so many auto-responses, that we can't go through this email inbox effectively. If you have follow-up questions, please contact us at noc@nfoe.net.)
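Added example (not part of the NFOservers notice above): a short Python script that decodes the first captured response from the hex dump, showing that what the host returned is a rootDSE SearchResultEntry (empty objectName, first attribute currentTime) carried in a 3060-byte UDP datagram that the IP layer had to fragment, and that builds the plain rootDSE search request that elicits such a reply, so the bandwidth amplification factor can be computed. The BER layout follows RFC 4511; the 39-byte request size is that of the probe as built here, not a figure from the notice, and the masked last octet of the destination address is filled in with the "1" the notice gives. The probe() function is meant to be run against your own host, from outside your network, after applying one of the firewall changes: a reply means the host still reflects.

```python
"""Decode a captured CLDAP reflection response and build the rootDSE probe
that elicits it. Added example, not code from the NFOservers notice."""
import socket
import struct

# Offsets 0x0000-0x0051 of the first response in the notice (IPv4 header,
# UDP header, start of the LDAP payload), transcribed from its hex dump.
# Assumption: the masked destination octet is the "1" the notice gives.
CAPTURED_FRAGMENT = bytes.fromhex(
    "4500 05dc 42e3 2000 7911 9ab7 904c 5cd4"
    "4255 0f01 0185 f55e 0bfc 20bb 3084 0000"
    "0bd8 0201 0764 8400 000b cf04 0030 8400"
    "000b c730 8400 0000 2604 0b63 7572 7265"
    "6e74 5469 6d65 3184 0000 0013 0411 3230"
    "3139"
)

LDAP_OPS = {0x63: "SearchRequest", 0x64: "SearchResultEntry", 0x65: "SearchResultDone"}


def parse_ip_udp(frame):
    """Split an IPv4/UDP frame into a header summary and the UDP payload."""
    ihl = (frame[0] & 0x0F) * 4
    total_len, _ident, flags_frag = struct.unpack("!HHH", frame[2:8])
    if frame[9] != 17:
        raise ValueError("not UDP")
    sport, dport, ulen = struct.unpack("!HHH", frame[ihl:ihl + 6])
    hdr = {
        "src": socket.inet_ntoa(frame[12:16]),
        "dst": socket.inet_ntoa(frame[16:20]),
        "sport": sport, "dport": dport, "ip_total_len": total_len,
        # MF bit set with offset 0: the datagram continues in later fragments
        "more_fragments": bool(flags_frag & 0x2000),
        "udp_payload_len": ulen - 8,           # UDP length field includes its 8-byte header
    }
    return hdr, frame[ihl + 8:]


def read_tlv(buf, off):
    """Read a BER tag and length at buf[off]; return (tag, length, value_offset)."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:                            # long form, e.g. 84 00 00 0b d8
        n = first & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    else:
        length = first
    return tag, length, off


def decode_cldap_response(payload):
    """Walk the LDAPMessage header of a (possibly truncated) CLDAP response."""
    tag, msg_len, off = read_tlv(payload, 0)                 # LDAPMessage SEQUENCE
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, n, off = read_tlv(payload, off)                     # messageID INTEGER
    msg_id = int.from_bytes(payload[off:off + n], "big")
    off += n
    op_tag, _op_len, off = read_tlv(payload, off)            # protocolOp
    out = {"message_len": msg_len, "message_id": msg_id, "op": LDAP_OPS.get(op_tag, hex(op_tag))}
    if op_tag == 0x64:
        tag, n, off = read_tlv(payload, off)                 # objectName; "" is the rootDSE
        out["object_name"] = payload[off:off + n].decode()
        off += n
        _tag, _n, off = read_tlv(payload, off)               # attributes SEQUENCE
        _tag, _n, off = read_tlv(payload, off)               # first PartialAttribute
        tag, n, off = read_tlv(payload, off)                 # its AttributeDescription
        out["first_attribute"] = payload[off:off + n].decode()
    return out


def ber(tag, value):
    """Encode one BER TLV with a definite length (short or long form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_rootdse_probe(msg_id=1):
    """rootDSE search: base "", scope baseObject, filter (objectClass=*), all attributes."""
    search = (ber(0x04, b"")                 # baseObject ""
              + ber(0x0A, b"\x00")           # scope: baseObject
              + ber(0x0A, b"\x00")           # derefAliases: neverDerefAliases
              + ber(0x02, b"\x00")           # sizeLimit 0
              + ber(0x02, b"\x00")           # timeLimit 0
              + ber(0x01, b"\x00")           # typesOnly FALSE
              + ber(0x87, b"objectClass")    # filter: present [7] objectClass
              + ber(0x30, b""))              # attributes: empty list = all
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x63, search))


def amplification(request_len, response_payload_len):
    """Bandwidth amplification factor of one request/response pair."""
    return response_payload_len / request_len


def probe(host, timeout=2.0):
    """Send one rootDSE probe to host:389/udp; return the reply bytes or None."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_rootdse_probe(), (host, 389))
        try:
            return s.recvfrom(65535)[0]
        except socket.timeout:
            return None


if __name__ == "__main__":
    import sys
    hdr, payload = parse_ip_udp(CAPTURED_FRAGMENT)
    print(hdr)
    print(decode_cldap_response(payload))
    print("amplification: %.1fx" % amplification(len(build_rootdse_probe()), hdr["udp_payload_len"]))
    if len(sys.argv) > 1:                    # python3 cldap_check.py <your-host>
        print("still answers CLDAP" if probe(sys.argv[1]) else "no CLDAP reply")
```

The LDAPMessage length (3032) plus its 6-byte header leaves 22 bytes of the 3060-byte payload unaccounted for in the fragment, which is exactly the size of the SearchResultDone message that follows a CLDAP SearchResultEntry in the same datagram; the decoder stops at the first message because only the first fragment was captured.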