Windows Server 2008, 2012 and 2016 expose an LDAP service on port 389 as soon as the server acts as a domain controller (the Active Directory Domain Services role). LDAP is the protocol used to query and modify a directory service, although that is a very basic description of what LDAP is used for.
External parties can, however, abuse the LDAP service for a so-called 'reflection attack' (an amplification attack): they send small LDAP queries over UDP port 389 (connectionless LDAP, CLDAP) with a forged source address, and your server sends its much larger reply to the victim. To stop your VPS from being used this way, block inbound UDP connections on port 389 from untrusted networks in the VPS's firewall. Regular Active Directory LDAP traffic is not affected, because it uses TCP. Note, however, that domain members do use UDP 389 to locate and ping domain controllers, so the block must not apply to the interface that domain members use (see the 'Profile' step below).
- Open the 'Server Manager', select 'Tools' and select the option 'Windows Firewall with Advanced Security' from the drop down menu.
- Select the 'Inbound Rules' on the left hand side.
- Now click 'New Rule...' in the top right corner.
- Select 'Port' and press Next >.
- Select 'UDP', enter 389 at 'Specific local ports' and press Next >.
- Now select the option labelled 'Block the connection' and press Next >.
- In the 'Profile' screen, 'Public' must stay selected; this is the profile Windows assigns to internet-facing interfaces. Keep 'Domain' and 'Private' selected as well, unless domain members reach this domain controller over a "private network", in which case deselect the profile assigned to that private interface. Select Next > when finished.
Please note! Deselecting 'Domain' and/or 'Private' is only safe if those profiles are assigned exclusively to the private network interface; if the profile of the internet-facing interface is deselected, Windows Server makes the LDAP port reachable again for arbitrary external connections and the server can be abused remotely. Instead of deselecting profiles, you can also narrow the rule after creation via 'Properties': the 'Advanced' tab limits it to certain interface types (for example only the 'Local Area Network' type) and the 'Scope' tab limits the remote IP addresses it applies to. If you want external servers outside of the private network to use the service, keep in mind that in Windows Firewall a block rule always takes precedence over an allow rule, so you cannot whitelist a host by adding an allow rule next to this block rule. Instead, restrict the existing allow rule for UDP 389 (installed by the domain controller role) to the addresses of those hosts and leave the default inbound action on 'Block'.
- Enter a name (for example "UDP LDAP Block") and press Finish.
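The same rule created from an elevated PowerShell prompt, as an added example that is not part of the original article. It uses the NetSecurity cmdlets (Windows Server 2012 and later; Server 2008 only has 'netsh advfirewall') and also shows the whitelisting variant described above, which scopes the existing allow rule rather than adding one next to the block. The addresses in $trustedHosts are assumed values for illustration.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell session.
# Requires the NetSecurity module (Windows Server 2012+); Server 2008 has only netsh.

# --- Option A: the wizard steps above, blocking inbound CLDAP on the Public profile ---
# Domain members that reach this DC over an interface in the Domain or Private
# profile still get their UDP 389 DC-locator pings answered.
New-NetFirewallRule -DisplayName 'UDP LDAP Block' `
    -Direction Inbound -Protocol UDP -LocalPort 389 `
    -Action Block -Profile Public -Enabled True

# Check the rule that was created.
Get-NetFirewallRule -DisplayName 'UDP LDAP Block' | Get-NetFirewallPortFilter

# --- Option B: specific external hosts must keep using UDP 389 ---
# A Block rule wins over any Allow rule, so an extra Allow rule cannot punch a hole
# through Option A. Instead, narrow every enabled inbound Allow rule for UDP 389
# (the domain controller role installs one) to the trusted addresses and rely on the
# default inbound action (Block) for everybody else. Remove the catch-all block first.
$trustedHosts = @('198.51.100.20', '10.0.0.0/24')   # assumed trusted addresses

Remove-NetFirewallRule -DisplayName 'UDP LDAP Block' -ErrorAction SilentlyContinue

Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $_ | Get-NetFirewallPortFilter |
            Where-Object { $_.Protocol -eq 'UDP' -and $_.LocalPort -contains '389' }
    } |
    Set-NetFirewallRule -RemoteAddress $trustedHosts

# Option B only works if the default inbound action is Block on every profile.
Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction
```

Use either option, not both: with Option A in place the block rule also drops traffic from the hosts Option B whitelists.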
The LDAP service can now no longer be exploited from the internet for amplification attacks! You can verify this from another machine with a command such as 'sudo nmap -p 389 -sU --script ldap-rootdse [IP_ADDRESS]'. Before the change the script prints the rootDSE attributes of your server; once the block works, no reply comes back, nmap reports the port as open|filtered and the script output looks like '|_ldap-rootdse: ERROR: Script execution failed (use -d to debug)'. Because UDP gives no explicit refusal, run the scan twice to rule out packet loss before concluding that the service can no longer be abused.
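For administrators without nmap at hand, the following PowerShell probe is an added example that is not part of the original article. It sends the kind of connectionless LDAP query that reflection attacks use (a base-scope search of the rootDSE with filter objectClass=*) to UDP port 389 and reports whether a reply arrives and how much larger it is than the request, which is exactly the amplification factor an attacker is after. Run it from a host outside the private network; the target address 203.0.113.10 is an assumed placeholder.

```powershell
# Added example, not from the original article: minimal CLDAP rootDSE probe.

function New-CldapRootDseRequest {
    # Hand-encoded BER for LDAPMessage { messageID 1, SearchRequest { ... } }:
    #   30 25                 LDAPMessage SEQUENCE, 37 bytes
    #   02 01 01              messageID 1
    #   63 20                 SearchRequest [APPLICATION 3], 32 bytes
    #   04 00                 baseObject ""  (the rootDSE)
    #   0a 01 00              scope baseObject
    #   0a 01 00              derefAliases neverDerefAliases
    #   02 01 00  02 01 00    sizeLimit 0, timeLimit 0
    #   01 01 00              typesOnly FALSE
    #   87 0b "objectClass"   present filter, i.e. (objectClass=*)
    #   30 00                 attributes: empty list = all user attributes of the rootDSE
    $hex = '30 25 02 01 01 63 20 04 00 0a 01 00 0a 01 00 02 01 00 02 01 00 01 01 00 ' +
           '87 0b 6f 62 6a 65 63 74 43 6c 61 73 73 30 00'
    [byte[]]($hex -split ' ' | ForEach-Object { [Convert]::ToByte($_, 16) })
}

function Test-CldapReflection {
    param(
        [Parameter(Mandatory)][string]$Target,
        [int]$TimeoutMs = 3000
    )
    $request = New-CldapRootDseRequest
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        [void]$udp.Send($request, $request.Length, $Target, 389)
        $from = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        # Only the first reply datagram is measured; a full rootDSE answer may span more,
        # so the real amplification factor is at least the value reported here.
        $reply = $udp.Receive([ref]$from)
        [pscustomobject]@{
            Target        = $Target
            Reachable     = $true
            RequestBytes  = $request.Length
            ReplyBytes    = $reply.Length
            Amplification = [math]::Round($reply.Length / $request.Length, 1)
        }
    }
    catch [System.Net.Sockets.SocketException] {
        # A firewall that drops the datagram causes a receive timeout; a host with
        # nothing listening returns ICMP port unreachable. Both end up here.
        [pscustomobject]@{
            Target        = $Target
            Reachable     = $false
            RequestBytes  = $request.Length
            ReplyBytes    = 0
            Amplification = 0
        }
    }
    finally {
        $udp.Close()
    }
}

# Usage; 203.0.113.10 is an assumed placeholder for your VPS address.
Test-CldapReflection -Target '203.0.113.10' | Format-List
```

Reachable = True together with an Amplification well above 1 means the server answers CLDAP queries from the internet and can be abused as a reflector; after the firewall rule you should see Reachable = False. As with the nmap check, a missing UDP reply can also be packet loss, so run the probe twice.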