A small retail store in North Africa, a North American telecommunications provider and two separate religious organizations: what do they have in common? They all run poorly configured Microsoft servers that have been spraying the Internet with gigabytes per second of junk data in distributed denial-of-service attacks for months or years, aimed at disrupting or completely crippling websites and services.
All in all, recently published research by Black Lotus Labs, the research arm of network and application technology company Lumen, identified more than 12,000 servers – all Microsoft domain controllers hosting the company’s Active Directory services – that were regularly used to magnify the size of distributed denial-of-service attacks, or DDoSes.
An endless arms race
For decades, DDoSers have battled defenders in an endless arms race. Historically, DDoSers simply botneted ever-increasing numbers of internet-connected devices and then used them to simultaneously send more data to a target than it could handle. Targets—be they games, new websites, or even key pillars of Internet infrastructure—often buckled under the strain and either fell completely or just slowed down.
Companies like Lumen, Netscout, Cloudflare, and Akamai then countered with countermeasures that filtered out the junk traffic and allowed their customers to withstand the torrents. DDoSers responded by introducing new types of attacks that temporarily hampered these defenses. The race goes on.
One of the main ways that DDoSers gain the upper hand is known as reflection. Instead of sending the stream of junk traffic directly to the destination, DDoSers send network requests to one or more third parties. By selecting third parties with known misconfigurations in their networks and spoofing the requests to appear as if they were sent from the destination, the third parties end up reflecting the data to the destination, often in volumes tens, hundreds, or even thousands of times larger than the original payload.
Some of the more well-known reflectors are misconfigured servers running services like open DNS resolvers, the Network Time Protocol, Memcached for database caching, and the WS-Discovery protocol found in Internet of Things devices. Also known as amplification attacks, these reflection techniques allow record-breaking DDoS attacks to be delivered by the smallest of botnets.
When domain controllers attack
Over the past year, the Connectionless Lightweight Directory Access Protocol has been a growing source of reflection attacks. A Microsoft derivative of the industry-standard Lightweight Directory Access Protocol, CLDAP uses User Datagram Protocol packets to allow Windows clients to discover services for authenticating users.
“Many versions of MS Server that are still in service have a CLDAP service enabled by default,” wrote Chad Davis, a researcher at Black Lotus Labs, in an email. “Unless these domain controllers are exposed to the open internet (which is true for the vast majority of deployments), this UDP service is benign. But on the open internet, all UDP services are vulnerable to reflection.”
DDoSers have been using the protocol since at least 2017 to amplify data streams by a factor of 56 to 70, making it one of the more powerful reflectors available. When CLDAP reflection was first discovered, the number of servers exposing the service to the Internet was in the tens of thousands. After the exposures became public knowledge, the number dropped. Since 2020, however, the number has risen again, by 60 percent in the last 12 months alone, according to Black Lotus Labs.
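As an added defensive example, not from the article or from Black Lotus Labs, here is a short Python check that flags a domain controller replying on UDP/389 with far more bytes than it received from a given peer, which is the traffic pattern of the reflection described above. The flow records, addresses, and thresholds are constructed for illustration.

```python
from collections import defaultdict

CLDAP_PORT = 389
MIN_AMPLIFICATION = 10.0     # response bytes / request bytes; CLDAP reflection runs 56-70x
MIN_RESPONSE_BYTES = 100_000 # ignore small, ordinary lookups

# Constructed flow records (not real data): (proto, src_ip, src_port, dst_ip, dst_port, bytes)
DC_IPS = {"192.0.2.10"}
FLOWS = [
    # spoofed "requests" arriving at the DC, source faked as the victim 203.0.113.9
    ("udp", "203.0.113.9", 53001, "192.0.2.10", CLDAP_PORT, 104_000),
    # the DC's replies, which go to the victim instead of the real sender
    ("udp", "192.0.2.10", CLDAP_PORT, "203.0.113.9", 53001, 6_240_000),
    # a legitimate internal client doing normal CLDAP discovery (low ratio)
    ("udp", "10.0.0.5", 61000, "192.0.2.10", CLDAP_PORT, 1_200),
    ("udp", "192.0.2.10", CLDAP_PORT, "10.0.0.5", 61000, 4_800),
    # unrelated TCP LDAP traffic, ignored by the check
    ("tcp", "10.0.0.6", 61001, "192.0.2.10", CLDAP_PORT, 50_000),
]


def cldap_reflection_suspects(flows, dc_ips):
    """Return peers receiving amplified UDP/389 replies from a domain controller."""
    req_bytes = defaultdict(int)   # (dc, peer) -> bytes the DC received from peer
    resp_bytes = defaultdict(int)  # (dc, peer) -> bytes the DC sent to peer
    for proto, src, sport, dst, dport, nbytes in flows:
        if proto != "udp":
            continue
        if dst in dc_ips and dport == CLDAP_PORT:
            req_bytes[(dst, src)] += nbytes
        elif src in dc_ips and sport == CLDAP_PORT:
            resp_bytes[(src, dst)] += nbytes

    suspects = []
    for (dc, peer), out_bytes in resp_bytes.items():
        in_bytes = req_bytes.get((dc, peer), 0)
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if out_bytes >= MIN_RESPONSE_BYTES and ratio >= MIN_AMPLIFICATION:
            suspects.append({"dc": dc, "peer": peer, "out_bytes": out_bytes, "ratio": ratio})
    return suspects


if __name__ == "__main__":
    for s in cldap_reflection_suspects(FLOWS, DC_IPS):
        print(f"{s['dc']} -> {s['peer']}: {s['out_bytes']} bytes, {s['ratio']:.0f}x amplification")
```

A hit means the controller is answering CLDAP from the internet and should be firewalled from it; the spoofed peer in a hit is the victim, not the attacker.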