UDP 389
Synopsis
- UDP port 389 is used by CLDAP (Connectionless LDAP) in Microsoft Active Directory environments.
- Windows clients and servers use the DC Locator/NetLogon (DsGetDcName) mechanism over CLDAP to find domain controllers and site information.
- Microsoft Active Directory Domain Controllers listen on UDP 389 to answer these CLDAP “LDAP ping” requests.
- Samba, when configured as an Active Directory Domain Controller, implements CLDAP on UDP 389 for the same DC-location functionality.
- Domain-joined Windows applications that rely on the DC Locator API (for example, Microsoft Exchange Server) generate CLDAP traffic to UDP 389 as part of domain discovery.
- The Windows nltest.exe utility (e.g., nltest /dsgetdc:example.com) uses CLDAP over UDP 389 to query and validate domain controllers.
- Port 389/UDP is associated with CLDAP reflection/amplification DDoS attacks, where exposed AD domain controllers are abused to amplify traffic; major providers (e.g., Akamai, Cloudflare) have documented large-scale incidents, so blocking UDP 389 at network edges is recommended.
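A check for the exposure described in the last item, added here as an example and not taken from any vendor tooling: it scans flow records for internal hosts that exchange UDP 389 traffic with addresses outside the organization and reports the reply-to-request byte ratio. The flow tuple layout, the `INTERNAL_NETS` range and all sample records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: the site's internal address space; replace with real ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed flow records: (src, sport, dst, dport, proto, bytes).
SAMPLE_FLOWS = [
    ("10.1.2.30", 51000, "10.1.0.5", 389, "udp", 180),      # internal DC Locator ping
    ("10.1.0.5", 389, "10.1.2.30", 51000, "udp", 210),
    ("198.51.100.7", 40000, "10.1.0.6", 389, "udp", 60),    # request from outside
    ("10.1.0.6", 389, "198.51.100.7", 40000, "udp", 3000),  # large reply leaves the network
    ("198.51.100.7", 40001, "10.1.0.6", 389, "udp", 60),
    ("10.1.0.6", 389, "198.51.100.7", 40001, "udp", 3000),
    ("203.0.113.9", 53000, "10.1.0.6", 389, "tcp", 500),    # LDAP over TCP, not CLDAP
]

def is_internal(addr, nets=INTERNAL_NETS):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def audit_cldap_exposure(flows, nets=INTERNAL_NETS):
    """Map each internal host that talks CLDAP with external addresses to its
    inbound/outbound byte counts, byte ratio and external peers."""
    stats = defaultdict(lambda: {"bytes_in": 0, "bytes_out": 0, "peers": set()})
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dport == 389 and is_internal(dst, nets) and not is_internal(src, nets):
            stats[dst]["bytes_in"] += nbytes       # request arriving from outside
            stats[dst]["peers"].add(src)
        elif sport == 389 and is_internal(src, nets) and not is_internal(dst, nets):
            stats[src]["bytes_out"] += nbytes      # reply sent to an outside address
            stats[src]["peers"].add(dst)
    report = {}
    for server, s in stats.items():
        # A ratio well above 1 means replies are much larger than requests.
        ratio = s["bytes_out"] / s["bytes_in"] if s["bytes_in"] else None
        report[server] = {"bytes_in": s["bytes_in"], "bytes_out": s["bytes_out"],
                          "ratio": ratio, "peers": sorted(s["peers"])}
    return report

if __name__ == "__main__":
    for server, result in audit_cldap_exposure(SAMPLE_FLOWS).items():
        print(server, result)
```

Any host this reports is reachable on UDP 389 from outside and is a candidate for the edge block recommended above; in a reflection event the listed peers are the spoofed victim addresses, not the true origin of the requests.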