According to Black Lotus Labs, over 12,000 Windows Servers running Microsoft Domain Controller with Active Directory (AD) have been leveraged for DDoS attacks. One of the biggest sources of the attacks is the Connectionless Lightweight Directory Access Protocol (CLDAP), which uses User Datagram Protocol (UDP) packets to verify users when they sign in to Active Directory. Because UDP is connectionless, a server that answers CLDAP queries from the open Internet sends its replies to whatever source address the request claims to come from, so threat actors have been able to use these servers as reflectors that direct large volumes of packets at a target. Chad Davis, a researcher at Black Lotus, says the following: “When these domain controllers are not exposed to the open Internet (which is true for the vast majority of the deployments), this UDP service is harmless. But on the open Internet, all UDP services are vulnerable to reflection.”

Management

It is worth noting that CLDAP is not a new protocol: it has been around since 2007 and has been used as an attack vector since then. Black Lotus provides the following advice for organizations running CLDAP:

“Network administrators: Consider not exposing CLDAP service (389/UDP) to the open Internet. If exposure of the CLDAP service to the open Internet is absolutely necessary, take pains to secure and defend the system:
- On versions of MS Server supporting LDAP ping on the TCP LDAP service, turn off the UDP service and access LDAP ping via TCP.
- If MS Server version doesn’t support LDAP ping on TCP, rate limit the traffic generated by the 389/UDP service to prevent use in DDoS.
- If MS Server version doesn’t support LDAP ping on TCP, firewall access to the port so that only your legitimate clients can reach the service.

Network defenders: Implement some measures to prevent spoofed IP traffic, such as Reverse Path Forwarding (RPF), either loose or, if feasible, strict. For more guidance, the MANRS initiative offers in-depth discussion of anti-spoofing guidelines and real-world applications.”
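As an added example that is not from the article or from Black Lotus Labs, the following Python script checks flow records for the condition the advice above targets: a domain controller sending 389/UDP replies in volume to addresses outside the organization's own ranges, which means the service is reachable from the Internet and may already be reflecting traffic. The flow records, internal address ranges and packet threshold are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed UDP flow records (illustrative, not taken from the article).
# Each tuple: (src_ip, src_port, dst_ip, dst_port, packets, bytes)
SAMPLE_FLOWS = [
    ("10.0.0.15", 50123, "10.0.0.5", 389, 1, 90),         # internal client LDAP ping
    ("10.0.0.5", 389, "10.0.0.15", 50123, 1, 180),        # DC reply that stays internal
    ("10.0.0.5", 389, "203.0.113.7", 80, 4000, 1200000),  # DC answering an Internet host
    ("10.0.0.5", 389, "203.0.113.7", 443, 3500, 1050000),
    ("10.0.0.5", 389, "198.51.100.9", 53, 3000, 900000),
    ("10.0.0.5", 389, "192.0.2.44", 40000, 2, 360),       # tiny, below the threshold
]

# Assumed internal ranges for this example; replace with your own allocations.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
CLDAP_PORT = 389

def is_internal(ip, nets=INTERNAL_NETS):
    addr = ip_address(ip)
    return any(addr in net for net in nets)

def find_cldap_reflection(flows, min_packets=1000):
    """Return {dc_ip: {external_ip: (packets, bytes)}} for 389/UDP replies that leave
    the internal address space at or above min_packets. A DC that serves only its own
    clients should never produce such flows, so any hit means the service is exposed
    and is probably being used as a reflector."""
    totals = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for src, sport, dst, dport, pkts, nbytes in flows:
        if sport != CLDAP_PORT or is_internal(dst):
            continue
        entry = totals[src][dst]
        entry[0] += pkts
        entry[1] += nbytes
    report = {}
    for dc, peers in totals.items():
        hits = {peer: tuple(counts) for peer, counts in peers.items() if counts[0] >= min_packets}
        if hits:
            report[dc] = hits
    return report

def avg_reply_size(report):
    """Mean bytes per outbound 389/UDP packet per external peer; larger replies mean
    the server is worth more to an attacker as an amplifier."""
    return {dc: {peer: b / p for peer, (p, b) in hits.items()} for dc, hits in report.items()}

if __name__ == "__main__":
    for dc, peers in find_cldap_reflection(SAMPLE_FLOWS).items():
        for peer, (pkts, nbytes) in peers.items():
            print(f"{dc} -> {peer}: {pkts} packets, {nbytes} bytes")
```

Hits from this check are the hosts to firewall or rate limit per the advice above; the 389/UDP flows that remain after that change should all terminate inside the internal ranges.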
