A small North African retail company, a North American telecommunications provider and two different religious organizations: what do they have in common? They all run misconfigured Microsoft servers that have bombarded the Internet for months or years with gigabytes per second of unwanted data in distributed denial-of-service attacks designed to disrupt or disable websites and services.
In total, a recently published study by Black Lotus Labs, the networks and applications research arm of Lumen, identified more than 12,000 such servers, all of them Microsoft domain controllers hosting Microsoft's Active Directory services, that were regularly being used to amplify distributed denial-of-service, or DDoS, attacks.
An endless arms race
For decades, DDoSers and defenders have fought an endless arms race. Early DDoS attacks simply herded an ever-growing number of internet-connected devices into botnets and then used them simultaneously to send the target more data than it could handle. Targets, whether games, new websites, or even basic pillars of Internet infrastructure, often buckled under the load, either collapsing completely or slowing to a crawl.
Companies like Lumen, Netscout, Cloudflare, and Akamai then deployed protections that filter out the unwanted traffic so their customers could withstand the torrents. DDoSers responded by devising new types of attacks that temporarily defeat those protections. The race continues to this day.
One of the primary methods DDoSers use to gain an advantage is known as reflection. Instead of sending a flood of unwanted traffic directly to the target, the attacker sends network requests to one or more third parties. By choosing third parties with known misconfigurations in their networks and spoofing the requests so that they appear to come from the target, the attacker causes those third parties to send their responses to the target, often tens, hundreds, or even thousands of times the size of the original request.
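From the reflector's side, the pattern described above is visible as a strongly asymmetric exchange: repeated small requests from one claimed source address that each draw a much larger reply. The following added example (not code from the article or from Black Lotus Labs) scores constructed flow records by amplification factor so an operator of an exposed domain controller can spot peers that are being "answered" at reflection-scale ratios; the flow format and thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample flows (not real data): one line per datagram seen at the
# server's edge. "in" = request received, "out" = reply sent, then peer IP and bytes.
# In a reflection attack the "peer" is the spoofed source, i.e. the real victim.
SAMPLE_FLOWS = """\
in 203.0.113.10 60
out 203.0.113.10 3400
in 203.0.113.10 60
out 203.0.113.10 3400
in 198.51.100.7 52
out 198.51.100.7 2900
in 192.0.2.5 70
out 192.0.2.5 120
"""


@dataclass
class PeerStats:
    requests: int = 0   # number of inbound requests attributed to this peer
    bytes_in: int = 0   # total request bytes received from it
    bytes_out: int = 0  # total reply bytes we sent back to it


def parse_flows(text: str) -> dict[str, PeerStats]:
    """Aggregate per-peer request/reply byte counts from the flow text."""
    stats: dict[str, PeerStats] = defaultdict(PeerStats)
    for line in text.splitlines():
        if not line.strip():
            continue
        direction, peer, size = line.split()
        s = stats[peer]
        if direction == "in":
            s.requests += 1
            s.bytes_in += int(size)
        else:
            s.bytes_out += int(size)
    return dict(stats)


def amplification_factor(s: PeerStats) -> float:
    """Reply bytes per request byte; inf if we replied without any request."""
    return s.bytes_out / s.bytes_in if s.bytes_in else float("inf")


def suspected_reflection(stats, min_factor=10.0, min_requests=2) -> list[str]:
    """Peers whose replies dwarf their requests over repeated exchanges (assumed thresholds)."""
    return sorted(p for p, s in stats.items()
                  if s.requests >= min_requests and amplification_factor(s) >= min_factor)
```

A single large reply is not by itself suspicious, which is why the check also requires repetition; the flagged peers are the addresses being attacked through this server, not the attacker.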