Securing Windows Server LDAP Service Against Exploitation

Windows Servers (including versions 2008, 2012, and 2016) with Active Directory Domain Services have the Lightweight Directory Access Protocol (LDAP) service enabled by default. While crucial for directory operations, a misconfigured LDAP service can be exploited as a reflector in Distributed Denial-of-Service (DDoS) attacks. This guide provides a proactive firewall configuration to block this threat vector without impacting normal Active Directory functionality.


1. LDAP Service and the DDoS Reflection Risk

The LDAP protocol is an application-layer protocol that operates over TCP/IP. It is fundamental to Active Directory, facilitating operations such as authentication (bind), search, and data modification.

The security concern arises from the LDAP service's ability to operate over the connectionless UDP protocol on port 389. Unlike TCP, UDP lacks a handshake mechanism to validate the source of a request. This vulnerability allows attackers to perform LDAP Reflection Attacks:

  • An attacker sends a small, spoofed UDP packet to your server's port 389, forging the source IP address to that of their intended victim.
  • Your LDAP server responds to this request, sending a significantly larger response to the victim's IP address.
  • When multiplied across many exploitable servers, this technique can flood a target with overwhelming traffic.

Crucially, Active Directory's core operations primarily use LDAP over TCP, which is not susceptible to this type of spoofing. Therefore, blocking inbound UDP port 389 is a highly effective security measure that typically has no impact on domain operations.

2. Proactive Mitigation: Blocking LDAP over UDP

The most direct method to prevent your server from being used in such attacks is to create a firewall rule that explicitly blocks inbound UDP traffic on port 389.


3. Step-by-Step Configuration: Creating a Block Rule

Follow these steps to create a new Windows Firewall rule:

  1. Open Windows Defender Firewall with Advanced Security.
  2. In the left pane, select Inbound Rules.
  3. In the right Actions pane, click New Rule....
  4. The New Inbound Rule Wizard will open. Select the rule type Port and click Next.
  5. Select UDP and ensure Specific local ports: is selected. Enter 389 in the field. Click Next.
  6. Select the action Block the connection and click Next.
  7. On the Profile screen, ensure all three profiles (Domain, Private, Public) are selected to apply the rule in all network environments. Click Next.
  8. On the final screen, provide a descriptive name (e.g., Block Inbound LDAP UDP) and an optional description. Click Finish to create and activate the rule.

Result: Your server's LDAP service will no longer accept UDP requests on port 389, effectively removing it as a potential amplifier for reflection DDoS attacks. Internal domain services using LDAP over TCP will continue to function normally.
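The same rule the wizard steps above produce can be created and then verified from an elevated PowerShell prompt. This is an added example, not part of the original guide; the rule name and description follow the guide's suggestion, and the verification output is only a check of what was created.

```powershell
# Added example (not from the original guide): creates the block rule the
# wizard steps produce, then verifies its direction, protocol, port, action
# and profiles. Run from an elevated PowerShell session on the server.
$RuleName = 'Block Inbound LDAP UDP'

# Idempotent: skip creation if a rule with this display name already exists.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Description 'Blocks inbound LDAP over UDP (389) to prevent use as a DDoS reflector' `
        -Direction Inbound `
        -Protocol UDP `
        -LocalPort 389 `
        -Action Block `
        -Profile Domain,Private,Public `
        -Enabled True | Out-Null
}

# Verification: read the rule back and confirm every attribute matches the intent.
$rule   = Get-NetFirewallRule -DisplayName $RuleName
$filter = $rule | Get-NetFirewallPortFilter
[PSCustomObject]@{
    Name      = $rule.DisplayName
    Enabled   = $rule.Enabled
    Direction = $rule.Direction      # expected: Inbound
    Action    = $rule.Action         # expected: Block
    Profiles  = $rule.Profile        # expected: Domain, Private, Public
    Protocol  = $filter.Protocol     # expected: UDP
    LocalPort = $filter.LocalPort    # expected: 389
} | Format-List

# Sanity check: the TCP listener on 389 that Active Directory relies on is unaffected
# by this rule and should still be present.
Get-NetTCPConnection -LocalPort 389 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, State
```

If the verification output shows a protocol other than UDP or a profile list missing one of the three profiles, the rule was created with different settings and should be corrected before relying on it.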


4. Professional Services and Support

Maintaining a secure server configuration is critical. If you require assistance beyond these steps, our security team is available to help.

  • Managed Firewall Configuration: Customers with managed services can request this configuration directly via a support ticket.
  • 24/7 Expert Support: For any questions regarding this procedure or other security concerns, please contact our support team at support@host-telecom.com.
