Article Details

Scrape Timestamp (UTC): 2025-08-10 19:34:16.988

Source: https://thehackernews.com/2025/08/new-win-ddos-flaws-let-attackers-turn.html

Original Article Text


New Win-DDoS Flaws Let Attackers Turn Public Domain Controllers into DDoS Botnet via RPC, LDAP

A novel attack technique could be weaponized to rope thousands of public domain controllers (DCs) around the world into a malicious botnet and use it to conduct powerful distributed denial-of-service (DDoS) attacks. The approach has been codenamed Win-DDoS by SafeBreach researchers Or Yair and Shahak Morag, who presented their findings at the DEF CON 33 security conference today.

"As we explored the intricacies of the Windows LDAP client code, we discovered a significant flaw that allowed us to manipulate the URL referral process to point DCs at a victim server to overwhelm it," Yair and Morag said in a report shared with The Hacker News. "As a result, we were able to create Win-DDoS, a technique that would enable an attacker to harness the power of tens of thousands of public DCs around the world to create a malicious botnet with vast resources and upload rates. All without purchasing anything and without leaving a traceable footprint."

By transforming DCs into DDoS bots without the need for code execution or credentials, the attack essentially turns the Windows platform into both the victim and the weapon. The attack flow is as follows -

"Once the TCP connection is aborted, the DCs continue to the next referral on the list, which points to the same server again," the researchers said. "And this behavior repeats itself until all the URLs in the referral list are over, creating our innovative Win-DDoS attack technique."

What makes Win-DDoS significant is that it has high bandwidth and does not require an attacker to purchase dedicated infrastructure. Nor does it require them to breach any devices, thereby allowing them to fly under the radar.
Further analysis of the LDAP client code referral process has revealed that it's possible to trigger an LSASS crash, reboot, or a blue screen of death (BSoD) by sending lengthy referral lists to DCs, taking advantage of the fact that there are no limits on referral list sizes and that referrals are not released from the DC's heap memory until the information is successfully retrieved.

On top of that, the transport-agnostic code that's executed to serve client requests has been found to harbor three new denial-of-service (DoS) vulnerabilities that can crash domain controllers without the need for authentication, and one additional DoS flaw that gives any authenticated user the ability to crash a domain controller or Windows computer in a domain. The identified shortcomings are listed below -

Like the LDAPNightmare (CVE-2024-49113) vulnerability detailed earlier this January, the latest findings show that there are blind spots in Windows that could be targeted and exploited, crippling business operations.

"The vulnerabilities we discovered are zero-click, unauthenticated vulnerabilities that allow attackers to crash these systems remotely if they are publicly accessible, and also show how attackers with minimal access to an internal network can trigger the same outcomes against private infrastructure," the researchers said. "Our findings break common assumptions in enterprise threat modeling: that DoS risks only apply to public services, and that internal systems are safe from abuse unless fully compromised. The implications for enterprise resilience, risk modeling, and defense strategies are significant."
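To make the two weaknesses the article names concrete (an unbounded referral list, and a list whose entries keep pointing at the same host), here is an added model of a referral-chasing client, written for this page and not taken from SafeBreach's research or from Windows itself. It contrasts a naive loop with one that bounds the work a single referral response can cause; the hostnames, the referral list and the `connect` stand-in are all constructed, and nothing touches the network.

```python
from urllib.parse import urlsplit

# Constructed sample: a referral list that keeps pointing at one host,
# the pattern the article describes, followed by one other host.
SAMPLE_REFERRALS = ["ldap://victim.example.test:389/dc=example,dc=test"] * 100 + [
    "ldap://other.example.test:389/dc=example,dc=test",
]


def host_of(url):
    """Return the host part of an LDAP referral URL (None if it has none)."""
    return urlsplit(url).hostname


def naive_follow(referrals, connect):
    """Follow every referral in order, as a client with no limits would.
    `connect(host)` stands in for the TCP connect attempt; True means success.
    Returns the list of hosts contacted, one entry per attempt."""
    attempts = []
    for url in referrals:
        host = host_of(url)
        if host is None:
            continue
        attempts.append(host)
        if connect(host):
            break
    return attempts


def hardened_follow(referrals, connect, max_referrals=10):
    """Same loop with two bounds: at most `max_referrals` entries are
    processed, and a host that already refused a connection is not
    contacted again for the same response."""
    attempts, failed = [], set()
    for url in referrals[:max_referrals]:  # hypothetical cap; Windows has none per the article
        host = host_of(url)
        if host is None or host in failed:
            continue
        attempts.append(host)
        if connect(host):
            break
        failed.add(host)
    return attempts


def always_refuse(host):
    """Simulated overwhelmed server: every connection attempt is aborted."""
    return False


if __name__ == "__main__":
    print(len(naive_follow(SAMPLE_REFERRALS, always_refuse)))     # 101 attempts
    print(len(hardened_follow(SAMPLE_REFERRALS, always_refuse)))  # 1 attempt
```

The same bound is what a defender would want in any client that chases referrals, since the cost of one response should never scale with the length of a list the peer controls.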

Daily Brief Summary

DDOS // New Win-DDoS Flaws Exploit Public Domain Controllers for Botnets

Researchers from SafeBreach unveiled a novel DDoS attack method, Win-DDoS, leveraging public domain controllers (DCs) to form powerful botnets without needing code execution or credentials.

The attack exploits a significant flaw in Windows LDAP client code, allowing attackers to manipulate URL referrals and overwhelm targeted servers.

This method transforms DCs into DDoS bots, creating high-bandwidth attacks without requiring dedicated infrastructure, making detection challenging.

Win-DDoS can cause LSASS crashes, reboots, or blue screens of death by exploiting unlimited referral list sizes, affecting business continuity.

Three new DoS vulnerabilities were identified, enabling unauthenticated users to crash DCs, posing risks to both public and private infrastructure.

The findings challenge enterprise threat models, indicating that internal systems are vulnerable to DoS attacks even without full compromise.

Organizations are urged to reassess their defense strategies and resilience planning in light of these vulnerabilities to mitigate potential impacts.