Meet The Windows Servers That Have Been Fueling Massive DDoSes For Months

A small North African retail company, a North American telecommunications provider and two different religious organizations: what do they have in common? They all run misconfigured Microsoft servers that have bombarded the Internet for months or years with gigabytes per second of unwanted data in distributed denial-of-service attacks designed to disrupt or disable websites and services.

In total, a recently published study by Black Lotus Labs, the network and application research arm of Lumen, identified more than 12,000 servers – all Microsoft domain controllers hosting the company's Active Directory service – that were being regularly used to amplify distributed denial-of-service (DDoS) attacks.

An endless arms race

For decades, DDoSers have fought defenders in an endless arms race. Early on, DDoS attacks simply gathered an ever-growing number of Internet-connected devices into botnets and then used them simultaneously to send more data to a target than it could handle. Targets, whether games, new websites, or even basic pillars of Internet infrastructure, often buckled under the load, collapsed completely, or slowed to a crawl.

Companies like Lumen, Netscout, Cloudflare, and Akamai then respond with security measures that filter out the unwanted traffic so their customers can withstand the torrents. DDoSers have answered by launching new types of attacks that temporarily defeat those protections. The race is still ongoing.

One of the primary methods DDoSers use to gain an advantage is known as reflection. Instead of sending a wave of unwanted traffic directly to the target, DDoSers send network requests to one or more third parties. By picking third parties with known misconfigurations in their networks and spoofing the requests so they appear to come from the target, the attackers cause those third parties to direct their responses at the target, often in volumes tens, hundreds, or even thousands of times the size of the original payload.

Some of the most notable reflectors are poorly configured servers running services such as open DNS resolvers, the Network Time Protocol, Memcached for database caching, and the WS-Discovery protocol used in IoT devices. These reflection techniques, also known as amplification attacks, make record-setting DDoS attacks possible with only the smallest botnets.

Domain controllers as reflectors

The Connectionless Lightweight Directory Access Protocol has become a growing source of reflection attacks over the past year. CLDAP, a Microsoft derivative of the standard Lightweight Directory Access Protocol, uses User Datagram Protocol packets to let Windows clients discover services with which to authenticate users.

“Many versions of MS Server running today have the CLDAP service enabled by default,” Black Lotus Labs researcher Chad Davis wrote in an email. “Unless these domain controllers are connected to the open Internet (which is true for the vast majority of deployments), this UDP service is harmless. But on the open Internet, all UDP services are vulnerable to reflection.”

DDoSers have been using this protocol since at least 2017 to amplify data floods by 56 to 70 times, making it one of the most potent amplification factors. When CLDAP reflection was first discovered, the number of servers exposing the service to the Internet numbered in the tens of thousands. After the public took notice, the number dwindled. However, according to Black Lotus Labs, that number has been climbing again since 2020, up 60% in the past 12 months alone.
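As an added, defender-side illustration (this is not code from the Black Lotus Labs report), the following Python flags servers whose 389/UDP traffic shows reflection-sized amplification in bidirectional flow records. The flow records and addresses are constructed, and the 50x threshold is an assumption chosen to sit just below the 56 to 70 times factor cited above.

```python
"""Flag likely CLDAP reflectors from bidirectional flow records (added example).

A CLDAP reflector answers a tiny spoofed LDAP ping on 389/UDP with a response
many times larger, so from its own network edge it looks like small inbound
UDP/389 datagrams answered by far larger outbound ones, all addressed to a
handful of victim IPs. The records below are constructed, not real telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    server: str       # local host answering on the server port
    peer: str         # claimed client address (the spoofed victim in an attack)
    proto: str        # "udp" or "tcp"
    server_port: int
    bytes_in: int     # request bytes the server received from peer
    bytes_out: int    # response bytes the server sent to peer


def find_cldap_reflectors(flows, min_ratio=50.0, min_out_bytes=1_000_000):
    """Return {server: (amplification_ratio, bytes_out, distinct_peers)} for
    servers whose aggregated UDP/389 traffic exceeds both thresholds."""
    agg = defaultdict(lambda: [0, 0, set()])   # bytes_in, bytes_out, peers
    for f in flows:
        if f.proto != "udp" or f.server_port != 389:
            continue                            # LDAP over TCP cannot be spoofed this way
        agg[f.server][0] += f.bytes_in
        agg[f.server][1] += f.bytes_out
        agg[f.server][2].add(f.peer)
    flagged = {}
    for server, (b_in, b_out, peers) in agg.items():
        if b_in == 0:
            continue
        ratio = b_out / b_in
        if ratio >= min_ratio and b_out >= min_out_bytes:
            flagged[server] = (round(ratio, 1), b_out, len(peers))
    return flagged


# Constructed sample: 52-byte LDAP pings answered with ~3,100-byte responses
# (an exposed DC reflecting at two victims) versus a DC serving internal clients.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", "198.51.100.7", "udp", 389, 3_120_000, 186_000_000),
    Flow("203.0.113.10", "198.51.100.8", "udp", 389, 2_080_000, 124_000_000),
    Flow("10.0.0.5", "10.0.1.20", "udp", 389, 52_000, 180_000),
    Flow("10.0.0.5", "10.0.1.21", "tcp", 389, 400_000, 2_000_000),
]

if __name__ == "__main__":
    for srv, (ratio, out, peers) in find_cldap_reflectors(SAMPLE_FLOWS).items():
        print(f"{srv}: {ratio}x amplification, {out} bytes out to {peers} peers")
```

The same check applied to a network edge that only sees outbound side of the flows would instead look for small UDP/389 requests whose source addresses do not belong to the local network, which is the spoofing the anti-spoofing advice at the end of the article addresses.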

The researchers profiled four of these servers. The most destructive of them was linked to an unidentified religious organization and regularly generates massive torrents of reflected DDoS traffic. As shown in the following figure, this source was responsible for several bursts between July and September, four of which exceeded 10 Gbps and one of which approached 17 Gbps.

(Figure: Black Lotus Labs)

“This traffic may be large enough to cause a denial of service on some of the least prepared servers,” Davis wrote in his report. “Theoretically, a hundred of them working in unison could generate terabits per second of attack traffic.”

Davis said that in addition to exposing CLDAP to the general Internet, the server also runs an open DNS resolver that can be used for reflection and exposes a poorly secured SMB service. It also carries on two-way communication with command-and-control servers associated with several different malware families.

The second profiled Microsoft server was also associated with a religious organization, this time in North America. Over 18 months it delivered peak data rates of more than 2 Gbps. Like the other religious organization's server, it also ran an open DNS server and served as a bot for many malware families.

Davis went on to describe a CLDAP service hosted on an IP address associated with a North American telecommunications provider that has been delivering heavy DDoS attacks for more than a year. Some of its frequently changing targets fall within the same IP address range. In other cases, the target is an entire network prefix.

The last was a server connected to a small North African retail company. For more than nine months, Black Lotus Labs observed it repeatedly launching DDoS attacks on various targets at a peak rate of 7.8 Gbps. Like the servers of the two religious organizations, it bears signs of malware infection. It also exposes Remote Desktop and vulnerable SMB services to the Internet.

“Attempting to build a story around these facts leads us to think of this system as an MS domain controller in a small organization,” Davis wrote. “Small sites may have only one data center, and they may also host SMB, DNS, and RDP. Additionally, smaller organizations typically have less complex security practices, indicating greater potential for spreading botnets with malware.”

(Figure: Black Lotus Labs)

Davis said Black Lotus was able to confirm that the four servers were involved in genuine DDoS attacks by analyzing the targets on the receiving end of the torrents of data. In an email, Black Lotus Labs said it was able to confirm that the 12,142 servers identified as CLDAP reflectors are Microsoft domain controllers by analyzing their LDAP ping responses, which arrive on the expected port (389/UDP) and contain the expected number of bytes.

A closer look at CLDAP

Active Directory is one of the few Microsoft products that includes CLDAP. Even then, the implementation is limited to a single command: the LDAP ping. Davis wrote:

This command does not query a directory; it is used by Windows clients trying to find a service with which they can authenticate users. While it's hard to imagine why anyone would design their network topology such that a client would need to find a local authentication service on the open Internet, it does happen. The motives for deploying the software so that the service is publicly exposed on the Internet are less clear and open to speculation.

An interesting observation is that the anomalous peaks increased in frequency the longer a CLDAP reflector was left exposed. “That makes sense, as we expect attackers to take time to discover new reflectors and add them to their arsenal,” Davis wrote.

(Figure: Black Lotus Labs)

Black Lotus Labs provided the following advice for locking down servers that are being abused this way:

  • Network administrators: Do not expose the CLDAP service (389/UDP) to the open Internet.
    • If CLDAP access from the open Internet is absolutely necessary, make an effort to harden the system:
      • In versions of MS Server that support LDAP ping over the LDAP TCP service, disable the UDP service and serve LDAP ping over TCP instead.
      • If your version of MS Server does not support LDAP ping over TCP, rate-limit the traffic generated by the 389/UDP service to prevent its use in DDoS attacks.
      • If your version of MS Server does not support LDAP ping over TCP, firewall access to the port so that only legitimate clients can reach the service.
  • Network defenders: Implement anti-spoofing measures such as reverse path forwarding (RPF), in loose or strict mode where possible. For further guidance, the MANRS initiative includes a detailed discussion of anti-spoofing practices and real-world implementations.

The report states that Black Lotus Labs has notified the operators of misconfigured CLDAP services in the IP space Lumen provides. The company is working to notify other carriers and may begin blocking long-lived CLDAP reflectors on the Lumen backbone. Microsoft has not yet commented on this post.
