Content

  1. Step by Step Guide 

Blocking the UDP connection to port 389 through the firewall

Step by Step Guide 

After installing Windows, by default the LDAP (protocol directory service) is active.

LDAP is an application layer protocol that uses TCP/IP and allows for bind, search and compare operations as well as add, change or remove entries. The problem is that it's possible for third party resources to use someone else's LDAP service for DDoS attacks, known as 'Reflection attacks'. The process is carried out over a UDP connection on port 389. In order to prevent this type of outgoing attack, you can block the UDP connection on port 389 through a firewall. Blocking this type of connection should not affect the use of "Active Directory", since a TCP connection is used in this case.

Open "Windows Firewall", select "Advanced settings" on the left side menu:

Select "Inbound Rules" from the left-hand side menu: 

Click Action → New Rule... in the top menu:

The Rule Creation Wizard will open, in which you need to select the type of rule "For Port" and click "Next >"

On the next page, select "UDP Protocol" and under "Specific local ports" type in 389 and click "Next >"

On the page that opens, select "Block the connection" and press "Next"

The last step is to specify a name for the created rule, for example "UDP LDAP block". Once the Name field has been filled in, you need to confirm the settings by pressing the "Finish" button.

The LDAP service will no longer be available for the DDoS attacks described above.