
I was recently told to manage our Exchange server because the person responsible left without decent warning. I have next to no experience in this regard; however, everything was running smoothly for a few months.

Our hosting provider just sent me this message:

We observed machines under your control participating in a DDoS attack targeting Google IPs.

The attack was a UDP amplification flood. Your participating machines are listed below, along with the start and stop times in UTC and their approximate bandwidth during that time.

'Server Name'

+-----------------+----------+------------------+------------------+------+
| reflector ip    | protocol | first seen (utc) | last seen (utc)  | Mbps |
+-----------------+----------+------------------+------------------+------+
| 000.000.000.000 | LDAP     | 2017-09-29 07:24 | 2017-09-29 07:32 | 66   |
+-----------------+----------+------------------+------------------+------+


Note that this attack does not indicate the machines have been compromised by the attacker. Instead, it just indicates they are running a UDP protocol that is vulnerable to abuse. If possible, we recommend disabling unnecessary services to protect your devices from data exposure, and also to conserve bandwidth.

How do I go about preventing this protocol abuse without affecting our Exchange service?

I am not a network engineer or familiar with server hosting, so I have no idea where to start; any help is appreciated.

Edit to address why this is not a duplicate:

This question aims specifically at stopping the protocol abuse, and it could apply even if the server has never been compromised or taken into production.

Nightwolf

1 Answer


I would use the following logic for your specific case:

  1. Identify whether it is a managed or unmanaged server. Since they are asking you to take care of it, it sounds like it is an unmanaged server. If you can log into Windows Server and change/install stuff, then it is unmanaged.

  2. Use a firewalling product (Windows Firewall) to block port 389 (UDP, inbound & outbound), which is needed for this attack. This should really be done on the edge router; however, only your hosting company can do this, and if other customers need that port, they are probably unwilling to do it.

OPTIONAL

  1. Change all applicable passwords.

  2. Scan machine for malware.

While this attack does not need access to the machine, I would still check it to be sure.

Blocking 389 inbound will stop your machine from participating in the attack. If you block outbound 389, then your machine cannot initiate another attack if it is compromised.

Brian D.
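The firewall step from the answer above, as an added PowerShell example (this is not code from the question, the answer, or the hosting provider). It first shows what is actually bound to UDP/389, then creates the two block rules and reads them back. On a Windows Server the only thing that normally answers UDP/389 is connectionless LDAP (CLDAP) served by Active Directory Domain Services, so if this box is also a domain controller (Exchange needs one, and small deployments often put both on one machine) the listener will be lsass.exe. Domain-joined clients on the LAN also use CLDAP to locate domain controllers, which is why the block function can optionally be scoped to one adapter. The rule names and the `'Ethernet'` interface alias are placeholders chosen for the example; run it from an elevated PowerShell session on the affected server.

```powershell
# Added example, not code from the original question or answer.
# Run in an elevated PowerShell session on the affected Windows Server.
# Rule names and the interface alias below are placeholders.

# Report whatever is bound to UDP/389. On a domain controller this is
# normally lsass.exe answering connectionless LDAP (CLDAP), which is the
# service that reflects spoofed queries in an amplification flood.
function Get-CldapListener {
    Get-NetUDPEndpoint -LocalPort 389 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                Process      = $proc.ProcessName
                PID          = $_.OwningProcess
            }
        }
}

# Create the two block rules from the answer.
#   Inbound : drop UDP datagrams arriving at local port 389 (the spoofed
#             queries), so the server no longer reflects.
#   Outbound: drop UDP datagrams sent to remote port 389, so a compromised
#             box cannot be used to launch the same attack at someone else.
# Windows Firewall gives block rules precedence over allow rules, so you
# cannot "block everything, then allow the LAN". If LAN clients still need
# CLDAP from this server, restrict the block to the Internet-facing adapter
# with -InterfaceAlias instead. Omit it to block on every interface, which
# is what the answer recommends.
function Block-Udp389 {
    param(
        [string]$InterfaceAlias   # e.g. 'Ethernet' (placeholder); empty = all adapters
    )
    foreach ($dir in 'Inbound', 'Outbound') {
        $params = @{
            DisplayName = "Block UDP 389 $dir (LDAP reflection)"
            Direction   = $dir
            Protocol    = 'UDP'
            Action      = 'Block'
            Profile     = 'Any'
            Enabled     = 'True'
        }
        if ($dir -eq 'Inbound') { $params.LocalPort = 389 } else { $params.RemotePort = 389 }
        if ($InterfaceAlias)    { $params.InterfaceAlias = $InterfaceAlias }
        New-NetFirewallRule @params | Out-Null
    }
}

# Read the rules back together with their port filters to confirm that
# both directions exist, are enabled, and carry the expected port.
function Show-Udp389Rules {
    Get-NetFirewallRule -DisplayName 'Block UDP 389*' |
        ForEach-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Name       = $_.DisplayName
                Direction  = $_.Direction
                Action     = $_.Action
                Enabled    = $_.Enabled
                LocalPort  = $pf.LocalPort
                RemotePort = $pf.RemotePort
            }
        }
}

Get-CldapListener
Block-Udp389              # or: Block-Udp389 -InterfaceAlias 'Ethernet'
Show-Udp389Rules
```

After applying the rules, confirm from a host outside the hosting network that UDP/389 no longer answers (for example `nmap -sU -p 389 <your public IP>` should report the port as filtered rather than open, or ask the provider to re-check), and keep Exchange's own traffic in mind: Exchange talks to domain controllers over TCP LDAP (389/3268), which these UDP-only rules do not touch.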