Misconfigured Windows Servers contributed to DDoS attacks
Published on October 31, 2022
What can two businesses on two different continents have in common? Incorrectly configured Microsoft servers that have been spewing gigabytes per second of junk packets, fueling distributed denial of service (DDoS) attacks on unsuspecting services and businesses. Without proper protection, which oftentimes isn't affordable for a small business, these attacks can certainly disrupt a business or in some cases take it down.
According to a recently published report by Black Lotus Labs, more than 12,000 servers running Microsoft Domain Controllers with Active Directory were being used to magnify DDoS attacks. For years it's been a constant battle of attacker and defender; oftentimes all the attacker had to do was gain control of an ever-growing list of connected devices in a botnet and use them to attack. One of the more common methods of attack is called reflection. In a reflection attack, instead of flooding one device with data packets, attackers send their requests to third-party servers. Using third parties with misconfigured servers and spoofing the source address of the packets gives the appearance that the requests are coming from the target. These third-party servers unknowingly end up reflecting the traffic at the target, often ten times larger than it started.
A growing source of attacks over the last year has been the Connectionless Lightweight Directory Access Protocol (CLDAP), a variant of the standard Lightweight Directory Access Protocol (LDAP). CLDAP uses User Datagram Protocol (UDP) packets to authenticate users and discover services when signing into Active Directory. Chad Davis, a researcher at Black Lotus, had this to say in a recent email.
“When these domain controllers are not exposed to the open Internet (which is true for the vast majority of the deployments), this UDP service is harmless. But on the open Internet, all UDP services are vulnerable to reflection.”
Attackers have been using the protocol since 2007 to magnify attacks. When researchers first discovered the misconfiguration in CLDAP servers, the number was in the tens of thousands. Once the issue was brought to the administrators' attention the number dropped significantly, though it has risen sharply again since 2020, including a rise of nearly 60 percent in the past year, according to Black Lotus Labs.
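As an added illustration from the defender's side, not code from the article or from Black Lotus Labs: a small Python script that totals UDP/389 bytes flowing into and out of a domain controller per peer, using constructed flow records, an assumed internal address list and an assumed DC address, and flags peers outside the organization whose response volume exceeds request volume by the roughly tenfold ratio the article mentions.

```python
import ipaddress
from collections import defaultdict
# Constructed sample flow records (not from the article), one per line as
# "src_ip src_port dst_ip dst_port proto bytes". 192.0.2.10 is the domain
# controller; 10.0.0.25 is an internal client; the other two are outside peers.
SAMPLE_FLOWS = """\
203.0.113.7 53211 192.0.2.10 389 udp 52
192.0.2.10 389 203.0.113.7 53211 udp 3120
10.0.0.25 40001 192.0.2.10 389 udp 52
192.0.2.10 389 10.0.0.25 40001 udp 520
198.51.100.9 4444 192.0.2.10 389 udp 52
192.0.2.10 389 198.51.100.9 4444 udp 2900
"""
CLDAP_PORT = 389
# Assumed org-owned address space (constructed); anything else is external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.0.2.0/24")]

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, sport, dst, dport, proto, nbytes = line.split()
            flows.append({"src": src, "sport": int(sport), "dst": dst,
                          "dport": int(dport), "proto": proto.lower(),
                          "bytes": int(nbytes)})
    return flows

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def cldap_reflection_report(flows, dc_ips, min_ratio=10.0):
    """Per peer, sum UDP/389 bytes a DC received from it (req) and sent back
    to it (resp). An external peer whose resp/req ratio reaches min_ratio is
    flagged: seen from the DC, that is reflection toward a spoofed victim."""
    totals = defaultdict(lambda: {"req": 0, "resp": 0})
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["dst"] in dc_ips and f["dport"] == CLDAP_PORT:
            totals[f["src"]]["req"] += f["bytes"]
        elif f["src"] in dc_ips and f["sport"] == CLDAP_PORT:
            totals[f["dst"]]["resp"] += f["bytes"]
    report = {}
    for peer, t in totals.items():
        ratio = t["resp"] / t["req"] if t["req"] else float("inf")
        report[peer] = {"req": t["req"], "resp": t["resp"], "ratio": round(ratio, 1),
                        "flagged": is_external(peer) and ratio >= min_ratio}
    return report
```

Any flagged peer means the DC is answering CLDAP from outside the organization, which is exactly the exposure the quoted researcher says most deployments avoid; the fix is blocking UDP/389 at the perimeter, not tuning the threshold.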
Black Lotus offered the following advice for organizations running CLDAP.
Black Lotus has notified and assisted administrators they found vulnerable in an IP space provided by Lumen. Microsoft hasn’t commented on the findings.
Via Arstechnica
David Allen