IP Security – LDAP – The Lightweight Directory Access Protocol – Port 389

This is a lightweight client-server protocol that runs over TCP/IP or other connection-oriented transfer services. It is used for accessing and maintaining directory information services. The core functionality of LDAP lies in the interaction between the client and the LDAP server. When a client makes a request to the LDAP server, the request is sent to the LDAP server; the server processes the entire transaction and then sends the results of the transaction back to the client. This is different from other protocols where the server and the client may communicate several times during one transaction. In the default configuration, LDAP listens on port 389/TCP or port 389/UDP.

A server that uses connectionless LDAP (CLDAP), a variant of LDAP that uses UDP as its transport protocol, and which is openly accessible on the Internet may be abused for a Distributed Denial-of-Service (DRDoS) Reflection/Amplification attack against a third party. Extremely high amplification factors can be achieved by combining the functionality of both UDP and LDAP to amplify the amount of attack traffic which poses a serious security threat.

LDAP is used by attackers to perform reconnaissance, the process of investigating and identifying weak spots in an organization’s network. Mapping an organisation’s attack surface and analyzing the domain for critical data, misconfigurations or system vulnerabilities, helps attackers plan their attacks and establish a foothold that eventually leads to compromise.

Recommended Actions

On the firewall, restrict access to the LDAP server to trusted clients by blocking incoming connections to port 389/TCP and port 389/UDP.

LDAP transmits communications in clear text. Credentials are passed over the network unencrypted. The implementation of StartTLS (LDAP over TLS) or LDAPS (LDAP over TLS/SSL) provides secure and encrypted communication between client and LDAP server.

Reference Material

CVE.mitre.org is also another useful site and by searching their “CVE list” and typing in the Vulnerability they can help identify and mitigate the issue:


Crestron AM-100 with firmware and AM-101 with firmware is vulnerable to denial of service via a crafted request to TCP port 389. The request will force the slideshow to transition into a “stopped” state. A remote, unauthenticated attacker can use this vulnerability to stop an active slideshow.


Keeping Up To Date With Us Is Easy, Sign Up To Our Newsletter Today!

Stay in touch with emPSN, so that you get the latest e-safety advice and invites to our community events.

Our partners