{"id":304,"date":"2017-07-05T18:28:37","date_gmt":"2017-07-05T16:28:37","guid":{"rendered":"http:\/\/evcz.tk\/blog\/?p=304"},"modified":"2017-07-05T18:29:02","modified_gmt":"2017-07-05T16:29:02","slug":"ldap-reflected-ddos","status":"publish","type":"post","link":"https:\/\/evcz.tk\/blog\/2017\/07\/05\/ldap-reflected-ddos\/","title":{"rendered":"LDAP reflected ddos"},"content":{"rendered":"<p>LDAP reflected DDoS: an inbound flood of connectionless LDAP (CLDAP, UDP\/389) responses hitting x.x.x.x. The source addresses in the capture below are not the attacker but reflectors - LDAP servers reachable on UDP\/389 from the internet (the decoded sample packet further down is an Active Directory rootDSE response) - that are answering small CLDAP queries sent with the victim's address spoofed as the source. Those spoofed requests go to the reflectors, not to x.x.x.x, so they do not appear here; only the replies do, each roughly 1.8-3.1 KB, i.e. many times larger than the query that triggered it. The handful of distinct destination ports (4829, 18313, 27164, 29749, 45750, 61703) are the source ports the attacker chose for the spoofed queries, which makes a convenient signature for an emergency ACL. On the victim side the practical mitigation is to drop or rate-limit inbound UDP with source port 389 at the edge or ask upstream to do so - a host should never receive unsolicited CLDAP replies; on the reflector side, do not expose UDP\/389 on domain controllers to the internet.<\/p>\n<pre lang=\"bash\">\r\ntcpdump -nn -i em1 udp and port 389\r\n\r\n15:35:36.667005 IP 75.99.0.158.389 > x.x.x.x.4829: UDP, length 2804\r\n15:35:36.667065 IP 192.162.242.123.389 > x.x.x.x.45750: UDP, length 2993\r\n15:35:36.667105 IP 210.3.1.38.389 > x.x.x.x.61703: UDP, length 2687\r\n15:35:36.667260 IP 210.211.126.112.389 > x.x.x.x.61703: UDP, length 2591\r\n15:35:36.667318 IP 88.198.78.124.389 > x.x.x.x.18313: UDP, length 2955\r\n15:35:36.667407 IP 192.186.71.248.389 > x.x.x.x.45750: UDP, length 3088\r\n15:35:36.667420 IP 193.158.199.220.389 > x.x.x.x.45750: UDP, length 2582\r\n15:35:36.667453 IP 108.60.201.51.389 > x.x.x.x.27164: UDP, length 2969\r\n15:35:36.667472 IP 211.144.154.13.389 > x.x.x.x.61703: UDP, length 2395\r\n15:35:36.667551 IP 78.140.59.119.389 > x.x.x.x.4829: UDP, length 2368\r\n15:35:36.667562 IP 197.231.192.44.389 > x.x.x.x.45750: UDP, length 2959\r\n15:35:36.667575 IP 185.104.180.89.389 > x.x.x.x.29749: UDP, length 3009\r\n15:35:36.667600 IP 108.31.185.59.389 > x.x.x.x.27164: UDP, length 2474\r\n15:35:36.667652 IP 76.16.250.71.389 > x.x.x.x.4829: UDP, length 2622\r\n15:35:36.667708 IP 185.3.168.182.389 > x.x.x.x.29749: UDP, length 2816\r\n15:35:36.667798 IP 196.6.233.18.389 > x.x.x.x.45750: UDP, length 2538\r\n15:35:36.667845 IP 91.106.91.12.389 > x.x.x.x.18313: UDP, length 2863\r\n15:35:36.667869 IP 89.218.64.42.389 > x.x.x.x.18313: UDP, length 2799\r\n15:35:36.667909 IP 193.140.41.174.389 > x.x.x.x.45750: UDP, length 3046\r\n15:35:36.667982 IP 76.213.157.105.389 > x.x.x.x.4829: UDP, length 2894\r\n15:35:36.668086 IP 
196.30.230.54.389 > x.x.x.x.45750: UDP, length 2706\r\n15:35:36.668188 IP 75.99.131.234.389 > x.x.x.x.4829: UDP, length 2516\r\n15:35:36.668218 IP 196.11.102.164.389 > x.x.x.x.45750: UDP, length 2798\r\n15:35:36.668248 IP 184.69.98.206.389 > x.x.x.x.29749: UDP, length 2857\r\n15:35:36.668267 IP 121.40.104.130.389 > x.x.x.x.27164: UDP, length 2589\r\n15:35:36.668284 IP 109.166.208.171.389 > x.x.x.x.27164: UDP, length 2772\r\n15:35:36.668343 IP 108.74.106.227.389 > x.x.x.x.27164: UDP, length 2904\r\n15:35:36.668383 IP 88.150.147.131.389 > x.x.x.x.18313: UDP, length 2966\r\n15:35:36.668421 IP 88.198.222.112.389 > x.x.x.x.18313: UDP, length 2714\r\n15:35:36.668463 IP 184.106.234.128.389 > x.x.x.x.29749: UDP, length 2631\r\n15:35:36.668468 IP 88.198.90.43.389 > x.x.x.x.18313: UDP, length 1782\r\n15:35:36.668487 IP 194.247.240.50.389 > x.x.x.x.45750: UDP, length 2937\r\n15:35:36.668641 IP 88.84.197.162.389 > x.x.x.x.18313: UDP, length 1785\r\n15:35:36.668835 IP 115.124.66.19.389 > x.x.x.x.27164: UDP, length 2929\r\n15:35:36.668888 IP 119.160.218.42.389 > x.x.x.x.27164: UDP, length 2497\r\n15:35:36.668920 IP 76.104.14.11.389 > x.x.x.x.4829: UDP, length 2566\r\n15:35:36.668944 IP 112.74.167.244.389 > x.x.x.x.27164: UDP, length 2873\r\n15:35:36.669013 IP 116.12.189.33.389 > x.x.x.x.27164: UDP, length 2628\r\n15:35:36.669163 IP 184.106.250.48.389 > x.x.x.x.29749: UDP, length 2600\r\n15:35:36.669215 IP 115.90.181.114.389 > x.x.x.x.27164: UDP, length 2469\r\n15:35:36.669396 IP 196.15.180.8.389 > x.x.x.x.45750: UDP, length 2632\r\n15:35:36.669400 IP 196.15.180.62.389 > x.x.x.x.45750: UDP, length 2684\r\n15:35:36.669417 IP 109.166.153.104.389 > x.x.x.x.27164: UDP, length 2362\r\n15:35:36.669422 IP 197.148.64.80.389 > x.x.x.x.45750: UDP, length 2711\r\n15:35:36.669463 IP 184.106.234.46.389 > x.x.x.x.29749: UDP, length 2747\r\n15:35:36.669535 IP 88.208.119.250.389 > x.x.x.x.18313: UDP, length 3051\r\n15:35:36.669548 IP 88.220.122.52.389 > x.x.x.x.18313: UDP, length 
2868\r\n15:35:36.669755 IP 197.81.233.50.389 > x.x.x.x.45750: UDP, length 2472\r\n15:35:36.669766 IP 196.214.87.66.389 > x.x.x.x.45750: UDP, length 2623\r\n15:35:36.669821 IP 88.198.203.195.389 > x.x.x.x.18313: UDP, length 1917\r\n15:35:36.669942 IP 115.178.16.249.389 > x.x.x.x.27164: UDP, length 2996\r\n15:35:36.670003 IP 184.147.198.111.389 > x.x.x.x.29749: UDP, length 2553\r\n15:35:36.670044 IP 75.99.203.190.389 > x.x.x.x.4829: UDP, length 3046\r\n15:35:36.670212 IP 197.249.132.72.389 > x.x.x.x.45750: UDP, length 2449\r\n15:35:36.670286 IP 88.150.188.42.389 > x.x.x.x.18313: UDP, length 2914\r\n15:35:36.670297 IP 184.155.25.26.389 > x.x.x.x.29749: UDP, length 2881\r\n15:35:36.670411 IP 88.82.192.243.389 > x.x.x.x.18313: UDP, length 2501\r\n15:35:36.670414 IP 186.115.11.67.389 > x.x.x.x.4829: UDP, length 2682\r\n15:35:36.670549 IP 75.99.161.82.389 > x.x.x.x.4829: UDP, length 2861\r\n15:35:36.670583 IP 77.120.243.225.389 > x.x.x.x.4829: UDP, length 2508\r\n15:35:36.670657 IP 193.248.203.67.389 > x.x.x.x.45750: UDP, length 2931\r\n15:35:36.670688 IP 75.35.145.219.389 > x.x.x.x.4829: UDP, length 2897\r\n15:35:36.670819 IP 184.149.19.174.389 > x.x.x.x.29749: UDP, length 2579\r\n15:35:36.671004 IP 197.159.49.36.389 > x.x.x.x.45750: UDP, length 2936\r\n15:35:36.671027 IP 79.175.176.14.389 > x.x.x.x.4829: UDP, length 2891\r\n15:35:36.671055 IP 108.29.161.26.389 > x.x.x.x.27164: UDP, length 2561\r\n15:35:36.671075 IP 200.116.120.158.389 > x.x.x.x.45750: UDP, length 2892\r\n15:35:36.671101 IP 196.15.180.2.389 > x.x.x.x.45750: UDP, length 2640\r\n15:35:36.671186 IP 88.159.158.30.389 > x.x.x.x.18313: UDP, length 2574\r\n15:35:36.671228 IP 108.29.99.165.389 > x.x.x.x.27164: UDP, length 2946\r\n15:35:36.671256 IP 88.198.1.28.389 > x.x.x.x.18313: UDP, length 2949\r\n<\/pre>\n<p>Sample packet, captured with verbose and hex output (-v -X). The IP header reports length 1500 with flags [+] (more fragments), so the 2905-byte UDP datagram is split across several IP fragments and only the first one is shown. The BER at offset 0x0020 is an LDAPMessage (messageID 7) carrying a SearchResultEntry (tag 0x64) with an empty objectName, i.e. a rootDSE answer, and the ASCII column lists its attributes: currentTime, subschemaSubentry, dsServiceName (CN=NTDS Settings,...), namingContexts, defaultNamingContext, schemaNamingContext, configurationNamingContext, rootDomainNamingContext and a long supportedControl OID list, all under DC=ECOTEP,DC=local - this identifies the reflector as an Active Directory domain controller answering the anonymous rootDSE query that CLDAP reflection abuses. Two caveats: the ttl of 117 is consistent with a Windows initial TTL of 128 but is not conclusive on its own, and the destination address in the IP header (bytes 0x0010-0x0013) is not masked in the hex even though the text lines say x.x.x.x, so scrub those four bytes before sharing a dump like this.<\/p>\n<pre lang=\"bash\">\r\n15:37:21.996866 IP (tos 0x0, ttl 117, id 18284, offset 0, flags [+], proto UDP (17), length 1500)\r\n    179.210.166.177.389 > x.x.x.x.45750: UDP, length 
2905\r\n\t0x0000:  4500 05dc 476c 2000 7511 9265 b3d2 a6b1  E...Gl..u..e....\r\n\t0x0010:  2ea6 bd15 0185 b2b6 0b61 9566 3084 0000  .........a.f0...\r\n\t0x0020:  0b3d 0201 0764 8400 000b 3404 0030 8400  .=...d....4..0..\r\n\t0x0030:  000b 2c30 8400 0000 2604 0b63 7572 7265  ..,0....&..curre\r\n\t0x0040:  6e74 5469 6d65 3184 0000 0013 0411 3230  ntTime1.......20\r\n\t0x0050:  3137 3037 3035 3135 3337 3232 2e30 5a30  170705153722.0Z0\r\n\t0x0060:  8400 0000 5504 1173 7562 7363 6865 6d61  ....U..subschema\r\n\t0x0070:  5375 6265 6e74 7279 3184 0000 003c 043a  Subentry1....<.:\r\n\t0x0080:  434e 3d41 6767 7265 6761 7465 2c43 4e3d  CN=Aggregate,CN=\r\n\t0x0090:  5363 6865 6d61 2c43 4e3d 436f 6e66 6967  Schema,CN=Config\r\n\t0x00a0:  7572 6174 696f 6e2c 4443 3d45 434f 5445  uration,DC=ECOTE\r\n\t0x00b0:  502c 4443 3d6c 6f63 616c 3084 0000 0086  P,DC=local0.....\r\n\t0x00c0:  040d 6473 5365 7276 6963 654e 616d 6531  ..dsServiceName1\r\n\t0x00d0:  8400 0000 7104 6f43 4e3d 4e54 4453 2053  ....q.oCN=NTDS.S\r\n\t0x00e0:  6574 7469 6e67 732c 434e 3d45 434f 5352  ettings,CN=ECOSR\r\n\t0x00f0:  5630 322c 434e 3d53 6572 7665 7273 2c43  V02,CN=Servers,C\r\n\t0x0100:  4e3d 4465 6661 756c 742d 4669 7273 742d  N=Default-First-\r\n\t0x0110:  5369 7465 2d4e 616d 652c 434e 3d53 6974  Site-Name,CN=Sit\r\n\t0x0120:  6573 2c43 4e3d 436f 6e66 6967 7572 6174  es,CN=Configurat\r\n\t0x0130:  696f 6e2c 4443 3d45 434f 5445 502c 4443  ion,DC=ECOTEP,DC\r\n\t0x0140:  3d6c 6f63 616c 3084 0000 00ca 040e 6e61  =local0.......na\r\n\t0x0150:  6d69 6e67 436f 6e74 6578 7473 3184 0000  mingContexts1...\r\n\t0x0160:  00b4 0412 4443 3d45 434f 5445 502c 4443  ....DC=ECOTEP,DC\r\n\t0x0170:  3d6c 6f63 616c 0423 434e 3d43 6f6e 6669  =local.#CN=Confi\r\n\t0x0180:  6775 7261 7469 6f6e 2c44 433d 4543 4f54  guration,DC=ECOT\r\n\t0x0190:  4550 2c44 433d 6c6f 6361 6c04 2d43 4e3d  EP,DC=local.-CN=\r\n\t0x01a0:  5363 6865 6d61 2c43 4e3d 436f 6e66 6967  Schema,CN=Config\r\n\t0x01b0:  7572 6174 696f 6e2c 4443 3d45 434f 
5445  uration,DC=ECOTE\r\n\t0x01c0:  502c 4443 3d6c 6f63 616c 0424 4443 3d44  P,DC=local.$DC=D\r\n\t0x01d0:  6f6d 6169 6e44 6e73 5a6f 6e65 732c 4443  omainDnsZones,DC\r\n\t0x01e0:  3d45 434f 5445 502c 4443 3d6c 6f63 616c  =ECOTEP,DC=local\r\n\t0x01f0:  0424 4443 3d46 6f72 6573 7444 6e73 5a6f  .$DC=ForestDnsZo\r\n\t0x0200:  6e65 732c 4443 3d45 434f 5445 502c 4443  nes,DC=ECOTEP,DC\r\n\t0x0210:  3d6c 6f63 616c 3084 0000 0030 0414 6465  =local0....0..de\r\n\t0x0220:  6661 756c 744e 616d 696e 6743 6f6e 7465  faultNamingConte\r\n\t0x0230:  7874 3184 0000 0014 0412 4443 3d45 434f  xt1.......DC=ECO\r\n\t0x0240:  5445 502c 4443 3d6c 6f63 616c 3084 0000  TEP,DC=local0...\r\n\t0x0250:  004a 0413 7363 6865 6d61 4e61 6d69 6e67  .J..schemaNaming\r\n\t0x0260:  436f 6e74 6578 7431 8400 0000 2f04 2d43  Context1....\/.-C\r\n\t0x0270:  4e3d 5363 6865 6d61 2c43 4e3d 436f 6e66  N=Schema,CN=Conf\r\n\t0x0280:  6967 7572 6174 696f 6e2c 4443 3d45 434f  iguration,DC=ECO\r\n\t0x0290:  5445 502c 4443 3d6c 6f63 616c 3084 0000  TEP,DC=local0...\r\n\t0x02a0:  0047 041a 636f 6e66 6967 7572 6174 696f  .G..configuratio\r\n\t0x02b0:  6e4e 616d 696e 6743 6f6e 7465 7874 3184  nNamingContext1.\r\n\t0x02c0:  0000 0025 0423 434e 3d43 6f6e 6669 6775  ...%.#CN=Configu\r\n\t0x02d0:  7261 7469 6f6e 2c44 433d 4543 4f54 4550  ration,DC=ECOTEP\r\n\t0x02e0:  2c44 433d 6c6f 6361 6c30 8400 0000 3304  ,DC=local0....3.\r\n\t0x02f0:  1772 6f6f 7444 6f6d 6169 6e4e 616d 696e  .rootDomainNamin\r\n\t0x0300:  6743 6f6e 7465 7874 3184 0000 0014 0412  gContext1.......\r\n\t0x0310:  4443 3d45 434f 5445 502c 4443 3d6c 6f63  DC=ECOTEP,DC=loc\r\n\t0x0320:  616c 3084 0000 03a9 0410 7375 7070 6f72  al0.......suppor\r\n\t0x0330:  7465 6443 6f6e 7472 6f6c 3184 0000 0391  tedControl1.....\r\n\t0x0340:  0416 312e 322e 3834 302e 3131 3335 3536  ..1.2.840.113556\r\n\t0x0350:  2e31 2e34 2e33 3139 0416 312e 322e 3834  .1.4.319..1.2.84\r\n\t0x0360:  302e 3131 3335 3536 2e31 2e34 2e38 3031  0.113556.1.4.801\r\n\t0x0370:  0416 312e 322e 
3834 302e 3131 3335 3536  ..1.2.840.113556\r\n\t0x0380:  2e31 2e34 2e34 3733 0416 312e 322e 3834  .1.4.473..1.2.84\r\n\t0x0390:  302e 3131 3335 3536 2e31 2e34 2e35 3238  0.113556.1.4.528\r\n\t0x03a0:  0416 312e 322e 3834 302e 3131 3335 3536  ..1.2.840.113556\r\n\t0x03b0:  2e31 2e34 2e34 3137 0416 312e 322e 3834  .1.4.417..1.2.84\r\n\t0x03c0:  302e 3131 3335 3536 2e31 2e34 2e36 3139  0.113556.1.4.619\r\n\t0x03d0:  0416 312e 322e 3834 302e 3131 3335 3536  ..1.2.840.113556\r\n\t0x03e0:  2e31 2e34 2e38 3431 0416 312e 322e 3834  .1.4.841..1.2.84\r\n\t0x03f0:  302e 3131 3335 3536 2e31 2e34 2e35 3239  0.113556.1.4.529\r\n\t0x0400:  0416 312e 322e 3834 302e 3131 3335 3536  ..1.2.840.113556\r\n\t0x0410:  2e31 2e34 2e38 3035 0416 312e 322e 3834  .1.4.805..1.2.84\r\n\t0x0420:  302e 3131 3335 3536 2e31 2e34 2e35 3231  0.113556.1.4.521\r\n\t0x0430:  0416 312e 322e 3834 302e 3131 3335 3536  ..1.2.840.113556\r\n\t0x0440:  2e31 2e34 2e39 3730 0417 312e 322e 3834  .1.4.970..1.2.84\r\n\t0x0450:  302e 3131 3335 3536 2e31 2e34 2e31 3333  0.113556.1.4.133\r\n\t0x0460:  3804 1631 2e32 2e38 3430 2e31 3133 3535  8..1.2.840.11355\r\n\t0x0470:  362e 312e 342e 3437 3404 1731 2e32 2e38  6.1.4.474..1.2.8\r\n\t0x0480:  3430 2e31 3133 3535 362e 312e 342e 3133  40.113556.1.4.13\r\n\t0x0490:  3339 0417 312e 322e 3834 302e 3131 3335  39..1.2.840.1135\r\n\t0x04a0:  3536 2e31 2e34 2e31 3334 3004 1731 2e32  56.1.4.1340..1.2\r\n\t0x04b0:  2e38 3430 2e31 3133 3535 362e 312e 342e  .840.113556.1.4.\r\n\t0x04c0:  3134 3133 0417 322e 3136 2e38 3430 2e31  1413..2.16.840.1\r\n\t0x04d0:  2e31 3133 3733 302e 332e 342e 3904 1832  .113730.3.4.9..2\r\n\t0x04e0:  2e31 362e 3834 302e 312e 3131 3337 3330  .16.840.1.113730\r\n\t0x04f0:  2e33 2e34 2e31 3004 1731 2e32 2e38 3430  .3.4.10..1.2.840\r\n\t0x0500:  2e31 3133 3535 362e 312e 342e 3135 3034  .113556.1.4.1504\r\n\t0x0510:  0417 312e 322e 3834 302e 3131 3335 3536  ..1.2.840.113556\r\n\t0x0520:  2e31 2e34 2e31 3835 3204 1631 2e32 2e38  .1.4.1852..1.2.8\r\n\t0x0530: 
 3430 2e31 3133 3535 362e 312e 342e 3830  40.113556.1.4.80\r\n\t0x0540:  3204 1731 2e32 2e38 3430 2e31 3133 3535  2..1.2.840.11355\r\n\t0x0550:  362e 312e 342e 3139 3037 0417 312e 322e  6.1.4.1907..1.2.\r\n\t0x0560:  3834 302e 3131 3335 3536 2e31 2e34 2e31  840.113556.1.4.1\r\n\t0x0570:  3934 3804 1731 2e32 2e38 3430 2e31 3133  948..1.2.840.113\r\n\t0x0580:  3535 362e 312e 342e 3139 3734 0417 312e  556.1.4.1974..1.\r\n\t0x0590:  322e 3834 302e 3131 3335 3536 2e31 2e34  2.840.113556.1.4\r\n\t0x05a0:  2e31 3334 3104 1731 2e32 2e38 3430 2e31  .1341..1.2.840.1\r\n\t0x05b0:  3133 3535 362e 312e 342e 3230 3236 0417  13556.1.4.2026..\r\n\t0x05c0:  312e 322e 3834 302e 3131 3335 3536 2e31  1.2.840.113556.1\r\n\t0x05d0:  2e34 2e32 3036 3404 1731 2e32            .4.2064..1.2\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>LDAP reflected ddos tcpdump -nn -i em1 udp and port 389 15:35:36.667005 IP 75.99.0.158.389 > x.x.x.x.4829: UDP, length 2804 15:35:36.667065 IP 192.162.242.123.389 > x.x.x.x.45750: UDP, length 2993 15:35:36.667105 IP 210.3.1.38.389 > x.x.x.x.61703: UDP, length 2687 15:35:36.667260 IP 210.211.126.112.389 > x.x.x.x.61703: UDP, length 2591 15:35:36.667318 IP 88.198.78.124.389 > x.x.x.x.18313: UDP, length 2955 15:35:36.667407 IP 192.186.71.248.389 > &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/evcz.tk\/blog\/2017\/07\/05\/ldap-reflected-ddos\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;LDAP reflected 
ddos&#8221;<\/span><\/a><\/p>\n","protected":false},"author":45,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[22],"tags":[24],"class_list":["post-304","post","type-post","status-publish","format-standard","hentry","category-networking","tag-ddos"],"_links":{"self":[{"href":"https:\/\/evcz.tk\/blog\/wp-json\/wp\/v2\/posts\/304","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/evcz.tk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/evcz.tk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/evcz.tk\/blog\/wp-json\/wp\/v2\/users\/45"}],"replies":[{"embeddable":true,"href":"https:\/\/evcz.tk\/blog\/wp-json\/wp\/v2\/comments?post=304"}],"version-history":[{"count":4,"href":"https:\/\/evcz.tk\/blog\/wp-json\/wp\/v2\/posts\/304\/revisions"}],"predecessor-version":[{"id":308,"href":"https:\/\/evcz.tk\/blog\/wp-json\/wp\/v2\/posts\/304\/revisions\/308"}],"wp:attachment":[{"href":"https:\/\/evcz.tk\/blog\/wp-json\/wp\/v2\/media?parent=304"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/evcz.tk\/blog\/wp-json\/wp\/v2\/categories?post=304"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/evcz.tk\/blog\/wp-json\/wp\/v2\/tags?post=304"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}