cldapreflect

Explanation

CLDAP (Connection-less Lightweight Directory Access Protocol) reflection attacks amplify small requests into much larger responses by abusing servers that expose UDP port 389 to the Internet. The attacker spoofs the source IP address of the request so that it appears to come from the target system. The exposed server then sends its response, which can be up to 70 times larger than the request, to the target, overloading it with traffic.

This event triggers when a response consistent with a CLDAP reflection attack is detected.

What to Look For

Look for high volumes of inbound UDP traffic with source port 389 arriving on your network. Be aware of any unusual traffic patterns, especially inbound traffic. Check endpoint logs for communication with known CLDAP servers and other network infrastructure. Investigate any connections from unknown IP addresses and systems. Ensure that all servers and infrastructure are updated, patched, and locked down so that they cannot be used to generate excessive or unauthorized traffic.
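As an added illustration, not part of this rule's description, the following Python checks constructed Zeek-style conn records for the two patterns above: hosts receiving unsolicited UDP traffic sourced from port 389 from several distinct servers (the victim side), and local servers answering UDP/389 queries with replies far larger than the query (the reflector side). The field order, sample addresses and thresholds are assumptions, not values from the rule.

```python
"""Added example: spot CLDAP reflection patterns in constructed Zeek-style conn
records (field order and thresholds are assumptions, not Zeek's own tooling)."""
from collections import defaultdict

# Constructed sample records, tab separated, in this assumed field order:
# ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, orig_bytes, resp_bytes
SAMPLE_CONN_LOG = """\
1700000000.1\t198.51.100.10\t389\t203.0.113.5\t40001\tudp\t3000\t0
1700000000.2\t198.51.100.11\t389\t203.0.113.5\t40002\tudp\t2900\t0
1700000000.3\t198.51.100.12\t389\t203.0.113.5\t40003\tudp\t3100\t0
1700000000.4\t198.51.100.13\t389\t203.0.113.5\t40004\tudp\t3050\t0
1700000000.5\t203.0.113.7\t51000\t198.51.100.10\t389\tudp\t52\t3000
1700000000.6\t198.51.100.20\t389\t203.0.113.9\t40010\tudp\t2800\t0
"""


def parse_conn(text):
    """Parse the constructed conn records into a list of dicts."""
    flows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        _ts, oh, op, rh, rp, proto, ob, rb = line.split("\t")
        flows.append({"orig_h": oh, "orig_p": int(op), "resp_h": rh, "resp_p": int(rp),
                      "proto": proto, "orig_bytes": int(ob), "resp_bytes": int(rb)})
    return flows


def detect_cldap_reflection(flows, min_reflectors=3, min_bytes=10000):
    """Return {victim_ip: (distinct_reflectors, total_bytes)} for hosts flooded by
    UDP flows whose originator port is 389 and to which the host never replied."""
    per_victim = defaultdict(lambda: [set(), 0])
    for f in flows:
        # A genuine CLDAP client flow has the local host as originator; reflected
        # responses arrive unsolicited from port 389 and get no answer (resp_bytes 0).
        if f["proto"] != "udp" or f["orig_p"] != 389 or f["resp_bytes"] != 0:
            continue
        entry = per_victim[f["resp_h"]]
        entry[0].add(f["orig_h"])
        entry[1] += f["orig_bytes"]
    return {v: (len(s), b) for v, (s, b) in per_victim.items()
            if len(s) >= min_reflectors and b >= min_bytes}


def exposed_cldap_responders(flows, min_ratio=10.0):
    """Return {server_ip: max_amplification} for hosts answering UDP/389 queries with
    replies at least min_ratio times the query size; these need to be locked down."""
    ratios = {}
    for f in flows:
        if f["proto"] != "udp" or f["resp_p"] != 389 or f["orig_bytes"] == 0:
            continue
        ratio = f["resp_bytes"] / f["orig_bytes"]
        if ratio >= min_ratio:
            ratios[f["resp_h"]] = max(ratio, ratios.get(f["resp_h"], 0.0))
    return ratios
```

On the sample data, 203.0.113.5 is flagged as a victim (four reflectors, 12050 bytes) and 198.51.100.10 as an exposed responder with roughly 58x amplification, while the single 2800-byte flow to 203.0.113.9 stays below the thresholds.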

Related MITRE ATT&CK Categories

Network Denial of Service, Technique T1498 (Enterprise)