Preventing LDAP Amplification Attacks
Posted by Kevin Stange, Last modified by Josh Simmons on 14 September 2021 09:06 AM

In 2018 we saw a significant increase in reports of amplification attacks that take advantage of the LDAP protocol over UDP (CLDAP). The attacker queries LDAP servers for large result sets using a spoofed source address, so each server sends its (much larger) response to the spoofed address, delivering a large amount of data to a computer that never requested it. Repeated across thousands of LDAP servers, this directs a very large volume of traffic at a single IP and forms an efficient distributed attack.

Most LDAP servers and clients use TCP, whose connection handshake verifies that the source and destination can actually communicate with one another before any data is sent. UDP performs no such verification, so an LDAP server listening on UDP can be induced to send traffic to a destination that was never verified.

The easiest way to solve this issue is to enable a firewall on your server that blocks UDP access to LDAP port 389. LDAP is most commonly used on Windows servers running Active Directory services. If a program on another server uses LDAP over UDP, add a firewall exception so that application continues to work, or change the application to use LDAP over TCP. LDAP may also be running with encryption (LDAPS) on port 636, but LDAPS only runs over TCP and so cannot be used for amplification.

To disable access to LDAP over UDP if you do not have any servers that access it, follow these steps:

  1. Right click on Start, then click Run, type "wf.msc" and click "OK".
  2. Click on the "Inbound Rules" option on the left side of the window.
  3. Locate the rule called "Active Directory Domain Controller - LDAP (UDP-In)".
  4. Right click on the rule and select "Disable Rule".

If you need to allow access to LDAP from other servers, follow these steps:

  1. Right click on Start, then click Run, type "wf.msc" and click "OK".
  2. Click on the "Inbound Rules" option on the left side of the window.
  3. Locate the rule called "Active Directory Domain Controller - LDAP (UDP-In)".
  4. Right click on the rule and select "Properties".
  5. Click on the "Scope" tab
  6. Under the "Remote IP address" section, select the option "These IP addresses:"
  7. For each IP address or range that should have access, click "Add..." and enter the correct ranges.
  8. Once you have entered all the ranges that should have access, click "OK" to save the rule.

If you also wish to restrict LDAP over TCP or the Secure LDAP (LDAPS) service for security reasons, modify these rules using the same steps above:

  • Active Directory Domain Controller - LDAP (TCP-In)
  • Active Directory Domain Controller - Secure LDAP (TCP-In)
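The same change as the wf.msc procedures above (disable the UDP rule when nothing legitimately needs it, otherwise scope the UDP and optionally the TCP/LDAPS rules to an allow-list), as an added PowerShell example that is not from the article. It assumes the NetSecurity cmdlets (Windows Server 2012 or later), an elevated prompt on the domain controller, and uses constructed IP ranges.

```powershell
# Added example, not part of the original article. Uses the built-in rule names
# quoted in the article; the allow-list below is a constructed placeholder.

$RuleNames = @(
    'Active Directory Domain Controller - LDAP (UDP-In)',
    'Active Directory Domain Controller - LDAP (TCP-In)',
    'Active Directory Domain Controller - Secure LDAP (TCP-In)'
)

# Constructed example: hosts/ranges that legitimately query this server.
# Set to @() when no other server uses LDAP over UDP; the UDP rule is then
# disabled outright and the TCP rules are left untouched.
$AllowedRemote = @('10.20.0.0/24', '192.0.2.15')

function Restrict-LdapInbound {
    param([string[]]$Names, [string[]]$Allowed)
    foreach ($name in $Names) {
        $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
        if (-not $rule) {
            Write-Warning "Rule not found: $name (is the AD DS role installed?)"
            continue
        }
        if ($Allowed.Count -eq 0) {
            # First procedure: no legitimate UDP clients, so block CLDAP entirely.
            if ($name -like '*(UDP-In)*') { $rule | Disable-NetFirewallRule }
        } else {
            # Second procedure: Scope tab -> "These IP addresses".
            $rule | Set-NetFirewallRule -RemoteAddress $Allowed
        }
    }
}

Restrict-LdapInbound -Names $RuleNames -Allowed $AllowedRemote

# Verification: confirm each rule's enabled state and remote scope.
foreach ($name in $RuleNames) {
    $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if ($rule) {
        $scope = $rule | Get-NetFirewallAddressFilter
        '{0}: Enabled={1} RemoteAddress={2}' -f $name, $rule.Enabled, ($scope.RemoteAddress -join ',')
    }
}
```

Get-NetFirewallAddressFilter reports "Any" for an unscoped rule, so a rule that still shows Enabled=True with RemoteAddress=Any after the change has not been restricted.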

If you are running an LDAP server on Linux, you should modify your LDAP server configuration in accordance with its documentation to disable or restrict LDAP over UDP, or configure your system firewall accordingly. Steadfast does not currently support any standalone LDAP servers or any products with an exposed LDAP server.

For advice on how to adjust a server to prevent LDAP amplification or limit the IP ranges that can make LDAP queries, or any other questions about the topics discussed in this article, please visit our Help Desk or email us. LDAP configuration on Windows servers is covered under managed services.
