none
WSE2016 and Reflective ddos on port 389 RRS feed

  • Question

  • Our 25 user Icewarp mail server is running on an old Core2Duo w/8gb RAM with 10mb/s up/down connection. Within days of coming online I could no longer remote to the box. After determining that our host was not the cause of the bandwidth issue, I began diagnosing my traffic with Wireshark. My outbound connection was being saturated by CLDAP traffic on port 389.

    OK, so now I know whats eating my bandwidth...but what is it? Found little or nothing on the MS forums (that's why I'm back here) but eventually got schooled on reflective ddos.

    Since my MSE16 is a standalone company mail server, it has no other machine, AD or otherwise, to talk to. I've killed all AD, DNS, IIS service on the box (works fine, thank you MS) and blocked port 389 TCP/UDP in and out from all IPs. 

    My outbound traffic has gone from >20mb/s to <50kb/s!! 

    Amazing that this box was online at a new IP (young startup host) and within two days the bot spiders had found it and were using it. If I had been running on a big i7 with 100 mb/s connection, it's likely I would not have spotted this.

    Good article on reflective ddos....

    https://www.a10networks.com/blog/how-defend-against-amplified-reflection-ddos-attacks/

    Friday, June 7, 2019 6:51 PM

All replies