Misconfigured Windows Servers contributed to DDoS attacks


What can two businesses on two different continents have in common? Incorrectly configured Microsoft servers that have been spewing gigabytes per second of junk packets, causing distributed denial of service (DDoS) attacks on unsuspecting services and businesses. Such attacks can disrupt a business or, in some cases, take it down entirely without proper protection, which is often unaffordable for a small business.

According to a recently published report by Black Lotus Labs, more than 12,000 servers running Microsoft Domain Controllers with Active Directory have been used to amplify DDoS attacks. For years it has been a constant battle between attacker and defender; often all the attacker had to do was gain control of an ever-growing list of connected devices in a botnet and use them to attack. One of the more common attack methods is called reflection: instead of flooding a device with packets directly, the attacker sends the traffic to third-party servers. Using misconfigured third-party servers and spoofing the packets' source address makes the requests appear to come from the target, so those servers unknowingly reflect the traffic at the target, often ten times larger than it started.

A growing source of attacks over the last year has been the Connectionless Lightweight Directory Access Protocol (CLDAP), a connectionless variant of the standard Lightweight Directory Access Protocol (LDAP). CLDAP uses User Datagram Protocol (UDP) packets to authenticate users and discover services when signing into Active Directory. Chad Davis, a researcher at Black Lotus, said in a recent email:

“When these domain controllers are not exposed to the open Internet (which is true for the vast majority of the deployments), this UDP service is harmless. But on the open Internet, all UDP services are vulnerable to reflection.”

Attackers have been using the protocol since 2007 to magnify attacks. When researchers first discovered the misconfiguration in CLDAP servers, the number of exposed servers was in the tens of thousands. Once the issue was brought to administrators' attention the number dropped significantly, though it has risen sharply again since 2020, including a rise of nearly 60 percent in the past year according to Black Lotus Labs.

Black Lotus offered the following advice for organizations running CLDAP:

  • Network administrators: Consider not exposing the CLDAP service (389/UDP) to the open Internet.
    • If exposure of the CLDAP service to the open Internet is absolutely necessary, take pains to secure and defend the system:
      • On versions of MS Server supporting LDAP ping on the TCP LDAP service, turn off the UDP service and access LDAP ping via TCP.
      • If the MS Server version doesn’t support LDAP ping on TCP, rate limit the traffic generated by the 389/UDP service to prevent use in DDoS.
      • If the MS Server version doesn’t support LDAP ping on TCP, firewall access to the port so that only your legitimate clients can reach the service.
  • Network defenders: Implement measures to prevent spoofed IP traffic, such as Reverse Path Forwarding (RPF), either loose or, if feasible, strict. For more guidance, the MANRS initiative offers in-depth discussion of anti-spoofing guidelines and real-world applications.
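As an added example (not code from the article or from Black Lotus Labs), here is a small Python check a defender could run over exported UDP flow records to spot a domain controller answering CLDAP queries to addresses outside the organization with a large amplification ratio, the reflection pattern described above. The flow records, the internal prefixes and the thresholds are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

CLDAP_PORT = 389

# Constructed: the organization's own address ranges; anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed UDP flow records: (src, sport, dst, dport, packets, bytes).
SAMPLE_FLOWS = [
    # Legitimate LDAP ping from an internal workstation and the DC's reply.
    ("10.0.5.23", 50123, "10.0.1.10", CLDAP_PORT, 1, 92),
    ("10.0.1.10", CLDAP_PORT, "10.0.5.23", 50123, 1, 180),
    # Spoofed queries carrying a victim's external address, and the amplified replies.
    ("203.0.113.7", 41000, "10.0.1.10", CLDAP_PORT, 400, 24800),
    ("10.0.1.10", CLDAP_PORT, "203.0.113.7", 41000, 400, 1200000),
    # Unrelated DNS traffic from the same host, which must be ignored.
    ("10.0.1.10", 53, "198.51.100.9", 5555, 50, 6000),
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_reflection(flows, min_ratio=10.0, min_bytes=100_000):
    """Return (dc, victim, ratio) for each DC that sent at least min_bytes of
    CLDAP responses to an external address, amplified by at least min_ratio
    over the bytes that address appeared to send in."""
    request_bytes = defaultdict(int)   # (dc, client) -> bytes sent to port 389
    response_bytes = defaultdict(int)  # (dc, client) -> bytes sent from port 389
    for src, sport, dst, dport, _pkts, nbytes in flows:
        if dport == CLDAP_PORT:
            request_bytes[(dst, src)] += nbytes
        elif sport == CLDAP_PORT:
            response_bytes[(src, dst)] += nbytes
    hits = []
    for (dc, client), out in response_bytes.items():
        if is_internal(client) or out < min_bytes:
            continue  # internal clients and small exchanges are expected traffic
        inbound = request_bytes.get((dc, client), 0)
        ratio = out / inbound if inbound else float("inf")
        if ratio >= min_ratio:
            hits.append((dc, client, round(ratio, 1)))
    return hits


if __name__ == "__main__":
    for dc, victim, ratio in find_reflection(SAMPLE_FLOWS):
        print(f"{dc} is reflecting CLDAP to {victim}: {ratio}x amplification")
```

The ratio is computed per (domain controller, remote address) pair so that a single noisy external host stands out even when the DC's total CLDAP volume looks normal.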

Black Lotus has notified and assisted the administrators it found vulnerable in IP space provided by Lumen. Microsoft has not commented on the findings.

Via Arstechnica