These Microsoft servers are helping fuel massive DDoS attacks
>
It has been discovered that more than 12,000 poorly configured Microsoft servers have been exploited to run impressively powerful distributed denial-of-service (DDoS). (opens in new tab)) to attack.
Cybersecurity researchers at Black Lotus Labs discovered a total of 12,142 servers with Microsoft domain controllers hosting the company’s Active Directory services, which were used by multiple malware variants to increase the scope of DDoS attacks.
The servers belong to all kinds of organizations, from religious in North America to commercial entities in North Africa.
Abused for months
Some of the most powerful exceeded 10 Gbps in junk traffic and even reached 17 Gbps, the researchers said. Speak with Ars Technica in an email, Chad Davis, a researcher at Black Lotus Lab, said the traffic was strong enough to “DoS on its own” some less well-equipped servers. “In theory, a hundred of these, working together, could generate a Terabit per second of attack traffic,” he said.
Some of these servers were abused for months, researchers found. One, discovered in North America, broadcast junk traffic for 18 months, peaking at 2 Gbps.
How were they able to produce such a high output? By serving as amplifiers or reflectors. Instead of using the compromised server endpoints (opens in new tab) to send junk traffic directly to the targets, and thus run the risk of being noticed, attackers would first send network requests to third parties. If those third parties in their networks were misconfigured, as these servers were, the requests could be spoofed as if they were coming from those third parties themselves. Not only that, but the servers can render the data on the target in sizes thousands of times larger than the original payload.
According to Ars Technicasome of the more popular reflectors are misconfigured servers with open DNS resolvers, the network time protocol, Memcached for database caching, and the WS-Discovery protocol commonly found in IoT devices.
More recently, threat actors began using the Connectionless Lightweight Directory Access Protocol (CLDAP) as a source of reflection attacks. As Microsoft’s variant of the Lightweight Directory Access Protocol, CLDAP uses User Datagram Protocol packages to allow Windows clients to discover services for authenticating users, the publication said. Apparently, threat actors have been using this protocol for five years now, magnifying data torrents up to 70 times.
The full report can be found at this link (opens in new tab).
Through: Ars Technica (opens in new tab)