Find out which Windows servers have been fueling massive DDoS for months

Aurich Lawson/Getty

A small retail company in North Africa, a North American telecommunications provider and two separate religious organizations: what do they have in common? They all use misconfigured Microsoft servers that for months or years have sprayed the Internet with gigabytes per second of unwanted data in distributed denial-of-service attacks designed to disrupt or completely take down websites and services.

In total, a recently published study by Black Lotus Labs, the research arm of networking and application technology company Lumen, identified more than 12,000 servers, all of them Microsoft domain controllers hosting Active Directory, that were regularly used to magnify distributed denial-of-service, or DDoS, attacks.

An endless arms race

For decades, DDoSers have fought with defenders in an endless arms race. At first, DDoSers simply bundled ever-increasing numbers of Internet-connected devices into botnets, then used them to simultaneously send a target more data than it could handle. Targets, be they games, news sites, or even crucial pillars of Internet infrastructure, have often caved under the pressure and either collapsed completely or slowed to a trickle.

Companies like Lumen, Netscout, Cloudflare, and Akamai then fought back with defenses that filtered out unwanted traffic, allowing their customers to withstand the torrents. The DDoSers responded by deploying new types of attacks that temporarily got past these defenses. The race continues to this day.

One of the primary methods used by DDoSers to gain the upper hand is known as reflection. Rather than directly sending the torrent of unwanted traffic to the target, DDoSers send network requests to one or more third parties. By picking third parties with known misconfigurations in their networks and spoofing requests to look like they were sent by the target, third parties end up mirroring the data back to the target, often in sizes that are tens, hundreds, or even thousands of times larger than the original payload.

Some of the more well-known reflectors are misconfigured servers running services such as open DNS resolvers, Network Time Protocol, Memcached for database caching, and the WS-Discovery protocol found in Internet of Things devices. Also known as amplification attacks, these reflection techniques allow record-setting DDoSes to be delivered by the smallest of botnets.

When Domain Controllers Attack

Over the past year, a growing source of reflection attacks has been the Connectionless Lightweight Directory Access Protocol. Microsoft's derivation of the standard Lightweight Directory Access Protocol, CLDAP uses User Datagram Protocol packets so that Windows clients can discover services to authenticate users.

“Many versions of MS Server still in use have a CLDAP service enabled by default,” Black Lotus Labs researcher Chad Davis wrote in an email. “When these domain controllers are not exposed to the open Internet (which is true for the vast majority of deployments), this UDP service is harmless. But on the open Internet, all UDP services are vulnerable to reflection.”

DDoSers have been using the protocol since at least 2017 to multiply data torrents by a factor of 56 to 70, making it one of the most powerful reflectors available. When CLDAP reflection was first discovered, the number of servers exposing the service to the Internet numbered in the tens of thousands. After the problem gained public attention, the number plummeted. Since 2020, however, the number has climbed again, rising 60% in the last 12 months alone, according to Black Lotus Labs.
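The reflection mechanism described above, and the CLDAP amplification factor quoted here, can both be checked from a network operator's own flow records: a reflector is a host whose UDP/389 replies to some outside address are many times larger than the requests that address apparently sent it. The script below is an added example, defender-side detection logic that is not code from the article or from Black Lotus Labs. The flow records, the address ranges used as "inside" the network, and the alert threshold are all constructed assumptions.

```python
"""Spot CLDAP (UDP/389) reflection in flow records.

Added example for this article, not code from Black Lotus Labs. The flow
records are constructed inline; the internal ranges and the alert threshold
are assumptions a defender would tune to their own network.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CLDAP_PORT = 389
# Assumed alert threshold: ordinary CLDAP replies are a few times the request
# size, while the article reports reflection factors of 56 to 70.
MIN_AMPLIFICATION = 10.0
# RFC 1918 ranges are treated as "inside"; any other peer is considered external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record, as exported by NetFlow/IPFIX-style tooling."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "udp" or "tcp"
    bytes: int
    pkts: int


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bytes the reflector sent per byte it received; 0.0 if nothing came in."""
    return response_bytes / request_bytes if request_bytes else 0.0


def detect_cldap_reflection(flows, threshold=MIN_AMPLIFICATION):
    """Return one finding per (reflector, peer) pair whose UDP/389 replies are at
    least `threshold` times larger than the matching requests and whose peer is
    outside the internal ranges. The peer address is the victim: in a reflection
    attack the requests are spoofed to carry the target's source address."""
    req = defaultdict(lambda: [0, 0])   # (reflector, peer) -> [bytes, pkts]
    resp = defaultdict(lambda: [0, 0])
    for f in flows:
        if f.proto != "udp":
            continue  # only connectionless traffic can be reflected this way
        if f.dport == CLDAP_PORT:       # request arriving at a potential reflector
            key = (f.dst, f.src)
            req[key][0] += f.bytes
            req[key][1] += f.pkts
        elif f.sport == CLDAP_PORT:     # reply leaving the reflector
            key = (f.src, f.dst)
            resp[key][0] += f.bytes
            resp[key][1] += f.pkts

    findings = []
    for (reflector, peer), (out_bytes, out_pkts) in resp.items():
        in_bytes, in_pkts = req.get((reflector, peer), (0, 0))
        factor = amplification_factor(in_bytes, out_bytes)
        if factor >= threshold and not is_internal(peer):
            findings.append({
                "reflector": reflector,
                "target": peer,
                "amplification": factor,
                "request_pkts": in_pkts,
                "response_bytes": out_bytes,
                "response_pkts": out_pkts,
            })
    return sorted(findings, key=lambda x: -x["amplification"])


# Constructed sample: a domain controller (203.0.113.10) answering spoofed
# 50-byte CLDAP requests with 3000-byte replies aimed at 198.51.100.7, plus a
# legitimate internal CLDAP exchange and a TCP LDAP session that must be ignored.
SAMPLE_FLOWS = [
    *[Flow("198.51.100.7", 40000 + i, "203.0.113.10", 389, "udp", 50, 1) for i in range(3)],
    *[Flow("203.0.113.10", 389, "198.51.100.7", 40000 + i, "udp", 3000, 2) for i in range(3)],
    Flow("10.0.0.5", 51000, "203.0.113.10", 389, "udp", 50, 1),
    Flow("203.0.113.10", 389, "10.0.0.5", 51000, "udp", 150, 1),
    Flow("10.0.0.6", 51001, "203.0.113.10", 389, "tcp", 400, 5),
    Flow("203.0.113.10", 389, "10.0.0.6", 51001, "tcp", 2000, 6),
]

if __name__ == "__main__":
    for hit in detect_cldap_reflection(SAMPLE_FLOWS):
        print(f"{hit['reflector']} reflecting to {hit['target']}: "
              f"{hit['amplification']:.0f}x over {hit['request_pkts']} requests")
```

On the sample input the only finding is the domain controller replying to the external address at 60x, squarely inside the 56 to 70 range reported for CLDAP; the internal client exchange (3x) and the TCP LDAP session are not reported. In practice the same aggregation can be run over exported flow logs at the network edge, and any domain controller that appears as a reflector should simply not be reachable on UDP/389 from the Internet.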
