Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1936
Views
5
Helpful
5
Replies

Possible CLDAP DDoS - But how is traffic coming from outside to inside with no open ports or NAT to pubic IP?

dotran
Level 1
Level 1

‎03-24-2020 01:46 PM

I noticed numerous amount of CLDAP traffic to one of my DC starting 3/17/20.   The device is a Firepower 1010 running FTD 6.5.0.4.   The FTD has no open ports and only two NAT rules.  One rule for a site to site VPN and the other rule for devices from the inside to the outside.   From vFMC,  I can see the connections attempt from the outside source (Initiator) hitting my internal DC at 192.168.50.5 (Responder) with my Firepower rule to block udp/389,  see Figure 1.  Figure 2 is Wireshark capture prior to the block rule which seems to indicate the DC is repsonding to the CLDAP queries.

   

How is this network connection possible if there are no open ports on the FTD and no NAT to public IP?  Am I reading this correctly?

 

Figure 1: Outside source to inside DC 

CLDAP Traffic.png

 

Figure 2: Wireshark prior to blocking port 389

CLDAP Traffic from DC.png

 

 

 

 

1 person had this problem
0 Helpful
5 Replies 5

DecopacCo
Level 1
Level 1

‎05-08-2020 06:12 AM

Just had this exact problem myself on a FP2110. I disabled a default inspect rule that was somehow letting CLDAP through.
0 Helpful

dotran
Level 1
Level 1
In response to DecopacCo

‎05-08-2020 06:57 AM

Did you work with Cisco on this or were you able to determine this on your own.  I had a TAC case opened and Cisco told me the connection started from the inside which xlate then allowed back in.   This was after 3 hours of going to packets trace.   However,  I wasn't fully convince.

 

Have you confirmed with Cisco this is a bug or at the very least this is "as expected" behavior"?

 

-Doug

0 Helpful

DecopacCo
Level 1
Level 1
In response to dotran

‎05-08-2020 07:12 AM

I figured it out on my own by combing through various Firepower reports, specifically the connection events. I had an inspect rule that was ingesting traffic for inspection (I followed Lammle's configuration videos); however, that rule somehow allowed outside CLDAP traffic to reflect off a domain controller on the inside network. This reflection ramped up recently to the point where my carrier was dropping packets to throttle me.

dotran
Level 1
Level 1
In response to DecopacCo

‎05-08-2020 07:28 AM

Great, I'm new to these FTD and so far I'm not that happy with them especially the separate management interface to connect to FMC. I thought by switching from the ASA with Firepower to these FTD, it would be easier to manage as in updates and such. So far, I've had nothing but problems.
Would you mind sharing your link as to know where to adjust these inspection rules?
0 Helpful

DecopacCo
Level 1
Level 1
In response to dotran

‎05-08-2020 08:00 AM

I'm using a virtual FMC. I went to Policies - Access Control and edited an "inspect all traffic" rule I made about a year ago. I learned that rule was at fault when I checked connection events and drilled into one of the many CLDAP events.

 

With my FP2110s, I followed Todd Lammle's video series for configuration (I recommend it). FTD is sluggish and arcane, but if you update your boxes fully and understand their quirks, they're decent.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card