
A small retail business in North Africa, a North American telecommunications provider, and two different religious organizations: what do they have in common? They all run poorly configured Microsoft servers that for months or years have been spraying the Internet with gigabytes per second of unwanted data in distributed denial-of-service attacks designed to disrupt or take down websites and services.

In all, a recently published study from Black Lotus Labs, the research arm of network and application technology company Lumen, identified more than 12,000 servers (all running Microsoft domain controllers that host the company's Active Directory services) that were routinely used to amplify distributed denial-of-service attacks, or DDoSes.

An endless arms race

For decades, DDoSers have battled defenders in a never-ending arms race. In the early stages, DDoSers simply gathered an increasing number of Internet-connected devices into botnets and then used them to simultaneously send a target more data than it could handle. Targets, be they games, new sites, or even important pillars of Internet infrastructure, often buckled under the load and either fell over completely or slowed to a trickle.

Companies like Lumen, Netscout, Cloudflare, and Akamai then countered with protections that filtered out unwanted traffic, allowing their customers to withstand the torrents. DDoSers responded by deploying new types of attacks that temporarily defeated this protection. The race continues.

One of the main techniques used by DDoSers to gain the upper hand is known as reflection. Instead of sending a torrent of unwanted traffic directly to the target, DDoSers send network requests to one or more third parties. By selecting third parties with known misconfigurations in their networks and spoofing the requests so they appear to have been sent by the target, DDoSers cause the third parties to reflect data at the target, often in quantities that are tens, hundreds, or even thousands of times greater than the original payload.

Some of the better-known reflectors are misconfigured servers running services such as open DNS resolvers, the Network Time Protocol, memcached for database caching, and the WS-Discovery protocol found in Internet of Things devices. Also known as amplification attacks, these reflection techniques allow even the smallest of botnets to deliver record-breaking DDoS attacks.

When attacking domain controllers

Over the past year, a growing source of reflection attacks has been the Connectionless Lightweight Directory Access Protocol. A Microsoft derivation of the industry-standard Lightweight Directory Access Protocol, CLDAP uses User Datagram Protocol packets to enable Windows clients to discover services for user authentication.

“Many versions of MS Server that are still running have the CLDAP service enabled by default,” Chad Davis, a researcher at Black Lotus Labs, wrote in an email. “Unless these domain controllers are exposed to the open Internet (which is true for the vast majority of deployments), this UDP service is harmless. But on the open Internet, all UDP services are vulnerable to mapping.”

DDoSers have been using this protocol since at least 2017 to magnify data torrents by a factor of 56 to 70, making it one of the more powerful reflectors available. When CLDAP reflection was first discovered, the number of servers exposing the service to the Internet was estimated to be in the tens of thousands. After attracting public attention, the number decreased. However, it has risen again since 2020, with a 60 percent increase in the past 12 months alone, according to Black Lotus Labs.
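
A defender's view of the reflection pattern described above, as an added example that is not from the original article or from Black Lotus Labs: it scans flow records for servers whose replies from UDP port 389 (the port CLDAP uses) far exceed the queries they received. The record layout, sample addresses, and thresholds are assumptions made for illustration.

```python
from collections import defaultdict

CLDAP_PORT = 389  # CLDAP is LDAP carried over UDP port 389

# Constructed sample flow records, not real traffic:
# (src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    # Ordinary internal client locating a domain controller
    ("10.0.1.20", 50111, "10.0.0.5", 389, "udp", 90),
    ("10.0.0.5", 389, "10.0.1.20", 50111, "udp", 180),
]
# An Internet-facing controller answering 20 small queries whose source
# address (198.51.100.7) is spoofed, so every large reply lands on that host
for i in range(20):
    SAMPLE_FLOWS.append(("198.51.100.7", 40000 + i, "203.0.113.10", 389, "udp", 60))
    SAMPLE_FLOWS.append(("203.0.113.10", 389, "198.51.100.7", 40000 + i, "udp", 3600))


def find_cldap_reflectors(flows, min_ratio=10.0, min_bytes_out=10_000):
    """Return servers whose UDP/389 replies dwarf the queries they received.

    min_ratio and min_bytes_out are illustrative thresholds (assumptions).
    """
    bytes_in = defaultdict(int)    # query bytes received per server
    bytes_out = defaultdict(int)   # reply bytes sent per server
    targets = defaultdict(lambda: defaultdict(int))  # server -> receiver -> bytes

    for src, sport, dst, dport, proto, size in flows:
        if proto != "udp":
            continue
        if dport == CLDAP_PORT:
            bytes_in[dst] += size
        elif sport == CLDAP_PORT:
            bytes_out[src] += size
            targets[src][dst] += size

    findings = []
    for server, out in bytes_out.items():
        ratio = out / max(bytes_in[server], 1)
        if ratio >= min_ratio and out >= min_bytes_out:
            top = max(targets[server], key=targets[server].get)
            findings.append({"server": server, "ratio": round(ratio, 1),
                             "bytes_out": out, "top_target": top})
    return sorted(findings, key=lambda f: f["bytes_out"], reverse=True)


if __name__ == "__main__":
    for finding in find_cldap_reflectors(SAMPLE_FLOWS):
        print(finding)
```

The internal controller's reply-to-query ratio of 2 stays below the threshold, while the exposed one is flagged at a ratio within the 56-to-70 range cited above.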