
Misconfigurations in Windows Server Led to DDoS Attacks

Security researchers say a Windows Server configuration error, exposing domain controllers' CLDAP service to the internet, lets threat actors use those servers as reflectors for DDoS attacks.


Security researchers say misconfigured Windows Server domain controllers are being abused as reflectors in distributed denial of service (DDoS) attacks. The servers are not the victims themselves: attacks that bounce off them have been seen hitting other organizations.

According to Black Lotus Labs, more than 12,000 Windows Server domain controllers running Active Directory (AD) are exposed to the internet and have been leveraged for the DDoS attacks.

The reflection vector is the Connectionless Lightweight Directory Access Protocol (CLDAP), LDAP carried over User Datagram Protocol (UDP) datagrams on port 389. Windows clients use it during logon for the "LDAP ping" that locates a suitable domain controller.

Because UDP is connectionless, a domain controller answers whatever source address a query claims to come from. An attacker sends a stream of small queries with the source address forged to be the victim's, and the domain controller sends its much larger responses to the victim. Every exposed domain controller therefore serves as both a reflector (hiding the attacker) and an amplifier (multiplying the attacker's bandwidth).

Chad Davis, a researcher at Black Lotus Labs, says the following:

“When these domain controllers are not exposed to the open Internet (which is true for the vast majority of the deployments), this UDP service is harmless. But on the open Internet, all UDP services are vulnerable to reflection.”


It is worth noting that CLDAP is not a new protocol: it was specified in RFC 1798 in 1995, and it has been abused as a DDoS reflection vector for years.

Black Lotus provides the following advice for organizations running CLDAP:

  • “Network administrators: Consider not exposing CLDAP service (389/UDP) to the open Internet.
    • If exposure of the CLDAP service to the open Internet is absolutely necessary, take pains to secure and defend the system:
      • On versions of MS Server supporting LDAP ping on the TCP LDAP service, turn off the UDP service and access LDAP ping via TCP.
      • If MS Server version doesn't support LDAP ping on TCP, rate limit the traffic generated by the 389/UDP service to prevent use in DDoS.
      • If MS Server version doesn't support LDAP ping on TCP, firewall access to the port so that only your legitimate clients can reach the service.
  • Network defenders: Implement some measures to prevent spoofed IP traffic, such as Reverse Path Forwarding (RPF), either loose or, if feasible, strict. For more guidance, the MANRS initiative offers in-depth discussion of anti-spoofing guidelines and real-world applications.”
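The reflection mechanism described above, and the exposure check that this advice implies, as a worked example that is not part of the original article or of Black Lotus Labs' work: the script below builds a minimal LDAP rootDSE search request (the same small query shape that CLDAP reflection attacks use), sends it once over 389/UDP to a domain controller you administer, and reports how many response bytes come back per request byte, which is the amplification factor a reflector would hand an attacker. The hostname dc01.example.internal is a placeholder. Run it only against systems you own, from a vantage point outside your perimeter, before and after applying the firewall or rate-limit changes above; a healthy result is "no CLDAP answer".

```python
"""CLDAP (389/UDP) exposure probe.

Builds a rootDSE SearchRequest, sends it over UDP to a host you own, and
reports the amplification factor (response bytes per request byte).
"""
import socket
import sys

# --- minimal BER/LDAP encoder ---------------------------------------------

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER element: tag, length, value."""
    return bytes([tag]) + ber_len(len(value)) + value


def build_cldap_query(message_id: int = 1, attributes=()) -> bytes:
    """LDAPMessage { messageID, SearchRequest } for the rootDSE:
    base "", scope baseObject, filter (objectClass=*), no attribute list.
    A domain controller answers this 39-byte datagram with kilobytes of
    rootDSE data, which is exactly what a reflection attacker relies on."""
    assert 0 <= message_id < 0x80, "single-byte messageID only"
    search = (
        tlv(0x04, b"")                    # baseObject: "" (rootDSE)
        + tlv(0x0A, b"\x00")              # scope: baseObject
        + tlv(0x0A, b"\x00")              # derefAliases: neverDerefAliases
        + tlv(0x02, b"\x00")              # sizeLimit: 0 (none)
        + tlv(0x02, b"\x00")              # timeLimit: 0 (none)
        + tlv(0x01, b"\x00")              # typesOnly: FALSE
        + tlv(0x87, b"objectClass")       # filter: present [CONTEXT 7]
        + tlv(0x30, b"".join(tlv(0x04, a.encode()) for a in attributes))
    )
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x63, search))


# --- minimal BER/LDAP decoder for the replies ------------------------------

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the BER element at pos.
    Handles the long-form lengths (e.g. 0x84 + 4 bytes) Windows emits."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos = pos + 2 + n
    return tag, pos, pos + length


def protocol_ops(datagram: bytes):
    """Protocol-op tags of every LDAPMessage packed into one datagram
    (a DC packs SearchResultEntry 0x64 and SearchResultDone 0x65 together)."""
    ops, pos = [], 0
    while pos < len(datagram):
        tag, start, end = read_tlv(datagram, pos)      # outer SEQUENCE
        if tag != 0x30:
            raise ValueError("not an LDAPMessage at offset %d" % pos)
        _, _, id_end = read_tlv(datagram, start)        # messageID INTEGER
        op_tag, _, _ = read_tlv(datagram, id_end)       # protocolOp
        ops.append(op_tag)
        pos = end
    return ops


def amplification(request: bytes, responses) -> float:
    """Bytes returned per byte sent: the factor an attacker gains."""
    return sum(len(r) for r in responses) / len(request)


def probe(host: str, port: int = 389, timeout: float = 2.0):
    """Send one rootDSE query; collect datagrams until SearchResultDone or
    timeout. Returns (bytes_sent, bytes_received, amplification_factor)."""
    query = build_cldap_query()
    responses = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (host, port))
        try:
            while True:
                data, _ = s.recvfrom(65535)
                responses.append(data)
                if 0x65 in protocol_ops(data):         # SearchResultDone ends it
                    break
        except socket.timeout:
            pass
    return len(query), sum(len(r) for r in responses), amplification(query, responses)


if __name__ == "__main__":
    # Placeholder hostname; point this only at a DC you administer.
    target = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.internal"
    sent, received, factor = probe(target)
    if received == 0:
        print(f"{target}: no CLDAP answer on 389/UDP from here (good)")
    else:
        print(f"{target}: {sent} bytes sent, {received} bytes back, x{factor:.1f} amplification")
```

The request is deliberately the smallest well-formed rootDSE search, so the factor it reports is close to what an attacker would obtain; a legitimate LDAP ping (filter on DnsDomain/NtVer, attribute Netlogon) is a few bytes larger and draws a smaller reply. If the probe gets an answer from outside the perimeter, the host is a usable reflector regardless of how it is patched.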


Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.