
I was recently told to manage our Exchange server because the person responsible left without decent warning. I have next to no experience in this regard; however, everything was running smoothly for a few months.

Our hosting provider just sent me this message:

We observed machines under your control participating in a DDoS attack targeting Google IPs.

The attack was a UDP amplification flood. Your participating machines are listed below, along with the start and stop times in UTC and their approximate bandwidth during that time.

'Server Name'

+-----------------+----------+------------------+------------------+------+
| reflector ip    | protocol | first seen (utc) | last seen (utc)  | Mbps |
+-----------------+----------+------------------+------------------+------+
| 000.000.000.000 | LDAP     | 2017-09-29 07:24 | 2017-09-29 07:32 | 66   |
+-----------------+----------+------------------+------------------+------+
Note that this attack does not indicate the machines have been compromised by the attacker. Instead, it just indicates they are running a UDP protocol that is vulnerable to abuse. If possible, we recommend disabling unnecessary services to protect your devices from data exposure, and also to conserve bandwidth.

How do I go about preventing this protocol abuse without affecting our Exchange service?

I am not a network engineer or familiar with server hosting, so I have no idea where to start; any help is appreciated.

Edit, to answer why this is not a duplicate:

This question aims specifically at stopping the protocol abuse, and it could apply even if the server has never been compromised nor been taken into production.

Nightwolf

  • Removed identifiable info to prevent risking additional abuse. – Nightwolf Oct 06 '17 at 13:02
  • @GeraldSchneider The answer is given for a webserver hack. I read through the answer and it is just so generic and skims over the important topic: `Identify the gate of entry and how to plug the hole even after nuke from orbit`. – Nightwolf Oct 06 '17 at 13:16
  • It skims over the second most important bit (the first being to unplug the machine to stop any ongoing attack) because that is a very broad subject. It was only ever meant to be generic advice. I'd suggest it applies just as well to your situation. I'd also suggest that you need to engage the services of someone who *is* an experienced "network engineer", one who understands the Microsoft technology stack in general and Exchange in particular. – Rob Moir Oct 06 '17 at 13:46
  • @Nightwolf sounds like us sending the exact email to our clients. You should block the `UDP 389` port in your Windows Firewall. You can also (when double-clicking on the LDAP service) go to the tab called `Scope` and allow local scopes there but block external IPs. – Valentin Bajrami Oct 06 '17 at 14:00
  • @GeraldSchneider It is not appropriate to mark this as a duplicate since this question is **not** about a compromised server. Rather it is about how to prevent a server from being used in reflection attacks. – kasperd Oct 07 '17 at 07:58


I would use the following logic for your specific case:

  1. Identify whether it is a managed or unmanaged server. Since they are asking you to take care of it, it sounds like it is unmanaged. If you can log into Windows Server and change/install things, then it is unmanaged.

  2. Use a firewall product (Windows Firewall) to block port 389 (UDP, inbound and outbound), which is needed for this attack. This should really be done on the edge router; however, only your hosting company can do this, and if other customers need that port, they are probably unwilling to do it.

OPTIONAL

  1. Change all applicable passwords.

  2. Scan the machine for malware.

While this attack does not need access to the machine, I would still check it to be sure.

Blocking 389 inbound will stop your machine from participating in the attack. If you block outbound 389, then your machine cannot initiate another attack if it is compromised.

Brian D.

  • I know it is an unmanaged server because I recently saw the invoice for this service. I have a root system and it is actually a VM that hosts our Exchange, and I have confirmed that the VM was the IP that was compromised. Will block inbound and outbound 389 UDP traffic and scan for malware. – Nightwolf Oct 06 '17 at 14:13
  • Just a word of caution, beware the law of unintended consequences. Exchange requires Active Directory, and AD, being an LDAP server, likes to use port 389 (and 636). You have told us nothing about where your domain controllers are located -- if the firewall is between the servers. I don't know enough about exactly how Exchange talks to AD to say it is safe to block 389 UDP. However, I will say to you: watch your logs on Exchange and your AD DCs to see if there are communication/replication issues now, because you possibly blocked that port between Exchange and AD. – JBaldridge Oct 06 '17 at 16:39