Hi everyone,
I am experiencing a massive traffic spike on my WAN interface and I need advice on how to mitigate this.
Symptoms:
• Torch Items: Approx 21,500 items active.
• Protocol: Mostly UDP (Protocol 17).
• Pattern: Multiple Source IPs targeting my single Public IP (v.w.y.24).
• Details:
  • High bandwidth entries show Source IPs without a specific port.
  • Some smaller entries show Port 389 (LDAP), which makes me suspect a CLDAP Reflection attack.
• Total Rx Rate is consuming my bandwidth (~132 Mbps).
Questions:
1. Is this confirmed as a UDP/CLDAP Reflection attack based on the screenshot?
2. What is the best Raw Firewall Rule to drop this traffic efficiently without overloading the CPU?
3. Should I drop all traffic from source port 389 (UDP)?
Attached is the Torch screenshot for reference.
Thank you!
I think it was a bad idea to expose your public IP to the world...
IlKa
Yes, those are LDAP servers. I connected to one; it seems to be an Active Directory controller:
ld = ldap_open("14.241.43.93", 389);
Established connection to 14.241.43.93.
Retrieving base DSA information...
Getting 1 entries:
Dn: (RootDSE)
configurationNamingContext: CN=Configuration,DC=I-DSTECH,DC=COM;
currentTime: 12/8/2025 12:36:02 AM W. Europe Standard Time;
defaultNamingContext: DC=I-DSTECH,DC=COM;
dnsHostName: HRACCLOG.I-DSTECH.COM;
domainControllerFunctionality: 7 = ( WIN2016 );
domainFunctionality: 7 = ( WIN2016 );
dsServiceName: CN=NTDS Settings,CN=HRACCLOG,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=I-DSTECH,DC=COM;
forestFunctionality: 7 = ( WIN2016 );
Ports 3389 (RDP) and 445 (SMB) are also open.
Poor folks, they will be hacked soon. All their data will be encrypted.
I believe your guess is right. Just set port 389 to drop on the external interface.
PS: Just in case: never, ever open any Microsoft service to the public internet.
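The rule IlKa suggests, written out for RouterOS as an added example (not posted in the thread); it assumes the WAN interface is named ether1, so adjust in-interface to the interface shown in Torch:

```routeros
# Added example, not from the thread. Assumes the WAN port is "ether1".
/ip firewall raw
# Drop UDP packets whose SOURCE port is 389: these are the replies the
# CLDAP reflectors send at the public IP. Raw/prerouting runs before
# connection tracking, so no conntrack entry is created per spoofed
# flow, which keeps CPU and state-table cost low on the router.
add chain=prerouting in-interface=ether1 protocol=udp src-port=389 \
    action=drop comment="drop CLDAP reflection (UDP src 389)"
# Move the rule to the top so it is evaluated before any other raw rule.
move [find comment="drop CLDAP reflection (UDP src 389)"] 0

# Verify it is matching: the packet/byte counters should keep climbing
# while the flood is in progress.
/ip firewall raw print stats where comment~"CLDAP"
```

Dropping at the router spares CPU and the connection table, but the ~132 Mbps still arrives over the WAN link; only filtering upstream at the ISP reduces the link load itself.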