Posted on November 3, 2022 at 6:37 AM
Security researchers at Black Lotus Labs have discovered that Windows Server misconfigurations have left servers at risk of being hit by a distributed denial of service (DDoS) attack. Organizations are already falling victim to this type of attack.
The researchers revealed that more than 12,000 Windows Servers running Microsoft Domain Controller have been targeted for DDoS attacks.
The incorrectly configured Microsoft servers have been found to be spewing gigabytes per second of junk packets, causing several distributed denial of service (DDoS) attacks on unsuspecting businesses and services. Such attacks can disrupt a business or even take it down for days if left unchecked.
CLDAP Is One Of The Biggest Sources Of The Attack
Connectionless Lightweight Directory Access Protocol (CLDAP) has been one of the biggest sources of the attacks. The report explains that it uses User Datagram Protocol (UDP) packets to verify users when they log into Active Directory.
Threat actors have been able to build attacks on this because the Windows Server keeps sending out massive amounts of packets.
A researcher at Black Lotus, Charles Davis, commented on the development. He said the UDP services are harmless when the domain controllers are not exposed to the open internet. However, on the open internet, “all UDP services are vulnerable to reflection,” he added.
CLDAP has been around since 2017 and has been used as an attack vector since then. Its frequency of use has increased over the past few months, and security researchers are worried about the trend.
Microsoft Domain Controllers running Active Directory have long been used to magnify DDoS attacks. For several years it has been a constant battle between defenders and attackers. In many cases the attacker’s job is quite simple, as they only have to gain access to the rapidly growing list of connected devices in a botnet used in attacks.
Threat actors use “reflection” as one of their most common attack methods. Rather than flooding one device with data packets directly, the attacker sends the traffic to third-party servers.
When attackers send spoofed packets to third parties with misconfigured servers, the requests appear to originate from the target, so the responses are directed there. The third-party servers unintentionally end up making the attacks ten times larger than how they started.
CLDAP has seen a growing number of attacks over the last year. It is a variant of the Lightweight Directory Access Protocol (LDAP) that uses User Datagram Protocol packets to grant users access and discover services when signing into Active Directory.
When researchers first discovered the misconfiguration in CLDAP servers in 2007, the number of affected targets was in the tens of thousands. The number dropped sharply once administrators became aware of the issue, but it has started rising again, with an increase of nearly 60% over the past year, the researchers at Black Lotus Labs stated.
What Administrators Should Do To Protect Their Systems
The security firm has offered some advice to network administrators and organizations running CLDAP to protect their servers.
Network administrators should not expose the CLDAP service to the open internet, to prevent any abuse by threat actors.
If the CLDAP service must be exposed to the internet, administrators should be more thorough about the defense and security of the system. They should also turn off the UDP service and use the LDAP ping over TCP instead.
If the MS Server does not support the LDAP ping over TCP, the administrator should minimize the traffic the 389/UDP service generates to prevent its use for DDoS.
They can also limit firewall access to the port so that only clients with legitimate access can reach the service. This is a standard method of stopping DDoS attackers from sending a large amount of traffic to a single network to overload it, and it will help limit DDoS attacks if the MS Server version does not support LDAP ping over TCP.
Additionally, the researchers have asked network defenders to implement strategies that prevent spoofed IP traffic. Black Lotus has also notified administrators and assisted them in identifying vulnerable hosts in IP space provided by Lumen. Microsoft has not reacted or commented on the situation yet.
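As an added illustration of the firewall-scoping advice above (not code from Black Lotus Labs or the report), the script below checks flow records from a domain controller for 389/UDP responses sent to addresses outside the networks that should legitimately reach the service, and reports the amplification ratio per external host. The internal ranges, the DC address and the flow records are all constructed assumptions.

```python
"""Spot CLDAP (389/UDP) replies a domain controller sends to hosts that should
never be able to query it, and how much larger the replies are than the
requests. Flow records below are constructed to resemble NetFlow/firewall logs."""
import ipaddress
from collections import defaultdict

# Hypothetical internal client ranges that are allowed to send LDAP pings.
ALLOWED_CLIENT_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                       ipaddress.ip_network("192.168.0.0/16")]
CLDAP_PORT = 389

# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    ("10.1.2.3", 50000, "10.0.0.10", 389, "udp", 60),       # internal query
    ("10.0.0.10", 389, "10.1.2.3", 50000, "udp", 220),      # normal reply
    ("203.0.113.7", 4444, "10.0.0.10", 389, "udp", 52),     # spoofed request
    ("10.0.0.10", 389, "203.0.113.7", 4444, "udp", 3100),   # reflected reply
    ("10.0.0.10", 389, "203.0.113.7", 4444, "udp", 3100),
    ("198.51.100.9", 5555, "10.0.0.10", 389, "udp", 52),
    ("10.0.0.10", 389, "198.51.100.9", 5555, "udp", 2900),
]

def is_allowed(ip):
    """True if ip falls inside one of the permitted client networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_CLIENT_NETS)

def find_reflection(flows, dc_ip, min_ratio=10.0):
    """Return {external_host: (request_bytes, response_bytes, ratio)} for hosts
    outside the allowlist that received CLDAP replies from dc_ip with a
    response/request byte ratio of at least min_ratio."""
    req, resp = defaultdict(int), defaultdict(int)
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dst == dc_ip and dport == CLDAP_PORT and not is_allowed(src):
            req[src] += nbytes          # inbound query from a non-allowed host
        elif src == dc_ip and sport == CLDAP_PORT and not is_allowed(dst):
            resp[dst] += nbytes         # reply leaving to a non-allowed host
    hits = {}
    for host, out_bytes in resp.items():
        in_bytes = req.get(host, 0)
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if ratio >= min_ratio:
            hits[host] = (in_bytes, out_bytes, ratio)
    return hits

if __name__ == "__main__":
    for host, (i, o, r) in find_reflection(SAMPLE_FLOWS, "10.0.0.10").items():
        print(f"{host}: {i} B in, {o} B out, amplification x{r:.1f}")
```

Any host reported here is evidence that the 389/UDP port is reachable from outside the intended client ranges, which is exactly what the firewall restriction is meant to stop.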