Misconfigured Windows Servers contributed to DDoS attacks

What do two businesses on two different continents have in common? Incorrectly configured Microsoft servers that have been spewing gigabytes per second of junk packets, causing distributed denial of service (DDoS) attacks on unsuspecting services and businesses. Such attacks can disrupt a business or, in some cases, take it down entirely if it lacks proper protection, which is often not affordable for a small business.

According to a recently published report by Black Lotus Labs, more than 12,000 servers running Microsoft Domain Controllers with Active Directory were often used to magnify DDoS attacks. For years it has been a constant battle between attacker and defender; often all the attacker had to do was gain control of an ever-growing list of connected devices in a botnet and use them to attack. One of the more common attack methods is called reflection. In a reflection attack, instead of flooding one device with data packets directly, attackers send the packets to third-party servers. Using misconfigured third-party servers and spoofing the packets' source address gives the appearance that the requests are coming from the target. These third-party servers unknowingly reflect the attack at the target, often ten times larger than it started.

A growing source of attacks over the last year has been the Connectionless Lightweight Directory Access Protocol (CLDAP), a variant of the standard Lightweight Directory Access Protocol (LDAP). CLDAP uses User Datagram Protocol (UDP) packets to authenticate users and discover services when signing into Active Directory. Chad Davis, a researcher at Black Lotus Labs, had this to say in a recent email:

“When these domain controllers are not exposed to the open Internet (which is true for the vast majority of the deployments), this UDP service is harmless. But on the open Internet, all UDP services are vulnerable to reflection.”

Attackers have been using the protocol since 2007 to magnify attacks. When researchers first discovered the misconfiguration in CLDAP servers, the number was in the tens of thousands. Once the issue was brought to administrators' attention the number dropped significantly, though it has risen sharply again…
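As an added defender-side example (not code from the article or from Black Lotus Labs), the Python below scans constructed flow records for the reflection pattern described above: an Internet-exposed domain controller answering UDP/389 (CLDAP) requests from external addresses with responses many times larger than the requests, which marks that external address as the likely spoofed victim. The domain controller address, the internal ranges and the flow record format are assumptions.

```python
import ipaddress
from collections import defaultdict

CLDAP_PORT = 389  # CLDAP is LDAP carried over UDP on the same port number
# Ranges treated as the internal network (an assumption of this example)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows (hypothetical, not from the article). Fields:
# proto src_ip src_port dst_ip dst_port packets bytes
SAMPLE_FLOWS = """\
udp 198.51.100.7 54721 203.0.113.10 389 2 104
udp 203.0.113.10 389 198.51.100.7 54721 2 6200
udp 10.0.5.23 49152 203.0.113.10 389 1 52
udp 203.0.113.10 389 10.0.5.23 49152 1 3100
tcp 198.51.100.9 44000 203.0.113.10 389 3 400
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_flows(text):
    """Yield one dict per well-formed flow line."""
    for line in text.splitlines():
        p = line.split()
        if len(p) == 7:
            yield {"proto": p[0], "src": p[1], "sport": int(p[2]),
                   "dst": p[3], "dport": int(p[4]), "bytes": int(p[6])}

def find_cldap_reflection(flow_text, dc_ips, min_ratio=10.0, min_out_bytes=1024):
    """Return {peer: (bytes_in, bytes_out, ratio)} for external peers over-served by UDP/389."""
    dc_ips, bytes_in, bytes_out = set(dc_ips), defaultdict(int), defaultdict(int)
    for f in parse_flows(flow_text):
        if f["proto"] != "udp":
            continue  # TCP LDAP needs a handshake, so it is not reflectable
        if f["dst"] in dc_ips and f["dport"] == CLDAP_PORT:
            bytes_in[f["src"]] += f["bytes"]    # requests arriving at the DC
        elif f["src"] in dc_ips and f["sport"] == CLDAP_PORT:
            bytes_out[f["dst"]] += f["bytes"]   # responses leaving the DC
    hits = {}
    for peer, out in bytes_out.items():
        if is_internal(peer) or out < min_out_bytes:
            continue  # internal clients legitimately receive large answers
        inb = bytes_in.get(peer, 0)
        ratio = out / inb if inb else float("inf")  # answers with no request seen
        if ratio >= min_ratio:
            hits[peer] = (inb, out, ratio)
    return hits
```

On the sample data the external peer 198.51.100.7 is reported with about 60 times more response bytes than request bytes, while the internal client and the TCP LDAP session are ignored; in practice the same logic runs over exported NetFlow or firewall logs, and a hit means UDP/389 on that controller should be filtered from the Internet.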