Ethical Hacking News

New DDoS Flaws in Public Domain Controllers Allow Attackers to Harness Global Infrastructure



SafeBreach researchers have disclosed a new DDoS attack technique that lets attackers harness tens of thousands of public domain controllers (DCs) as a botnet via RPC and LDAP. The technique lets an attacker run large DDoS attacks without purchasing dedicated infrastructure and without leaving a traceable footprint.

  • Win-DDoS is a novel attack technique that exploits a flaw in the Windows LDAP client code to turn public domain controllers into a malicious botnet via Remote Procedure Call (RPC) and Lightweight Directory Access Protocol (LDAP).
  • The technique lets attackers harness tens of thousands of public domain controllers worldwide to conduct Distributed Denial-of-Service (DDoS) attacks without purchasing anything.
  • Win-DDoS involves several steps: an RPC call makes DCs act as CLDAP clients, referrals move them to LDAP over TCP, and a long referral list makes them hammer a victim server.
  • The resulting Win-DDoS botnet has vast resources and upload rates, which makes it a significant factor in enterprise resilience and risk modeling.
  • The three unauthenticated flaws carry CVSS scores of 7.5 and are zero-click: they let an attacker crash a system remotely if it is publicly accessible.



SafeBreach researchers Or Yair and Shahak Morag have disclosed a novel attack technique, codenamed Win-DDoS, that turns public domain controllers into a malicious botnet via Remote Procedure Call (RPC) and Lightweight Directory Access Protocol (LDAP). The technique lets attackers harness tens of thousands of public domain controllers worldwide to conduct Distributed Denial-of-Service (DDoS) attacks.

The technique exploits a flaw in the Windows LDAP client code that lets an attacker manipulate the URL referral process so that DCs are pointed at a victim server and overwhelm it. The result is a botnet of tens of thousands of public domain controllers with vast resources and upload rates, obtained without purchasing anything and without leaving a traceable footprint.

According to the researchers, the attack flow involves several steps:

1. The attacker sends an RPC call to DCs that triggers them to become CLDAP clients.
2. The DCs send a CLDAP request to the attacker's CLDAP server, which returns a referral response pointing the DCs at the attacker's LDAP server, switching the transport from UDP to TCP.
3. The DCs then send an LDAP query to the attacker's LDAP server over TCP.
4. The attacker's LDAP server responds with an LDAP referral response containing a long list of referral URLs, all of which point to a single port on a single IP address.
5. The DCs send an LDAP query to that port, and whatever service is listening there (for example a web server) closes the TCP connection.

This behavior repeats until every URL in the referral list has been exhausted, which is what makes Win-DDoS effective. The technique has high bandwidth and does not require the attacker to purchase dedicated infrastructure or to breach any devices, so it can fly under the radar.
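From a defender's side, the flow above has a clear signature: a domain controller that initiates outbound CLDAP/LDAP connections to hosts outside the organisation, and then opens a burst of TCP connections to one external IP:port. The following script is an added example (not SafeBreach's or Microsoft's code) that runs two such rules over constructed connection-log lines. The DC inventory, internal address ranges, log format and thresholds are assumptions for the example; in practice they would come from your firewall or NetFlow export.

```python
"""Flag domain controllers that behave like LDAP clients toward external hosts."""
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed inventory (constructed for this example): which hosts are DCs and
# which address ranges count as internal.
DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
# CLDAP is UDP/389; LDAP is TCP/389 and 636; the global catalog uses 3268/3269.
LDAP_PORTS = {389, 636, 3268, 3269}


def _burst_lines():
    # Constructed: the referral loop, many connects from one DC to one external
    # ip:port within a few seconds (port 443 stands in for "any single port").
    return [f"2025-08-10T15:02:{i:02d} src=10.0.0.10 dst=198.51.100.7 dport=443 proto=tcp"
            for i in range(30)]


# Constructed sample log: "<timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>"
SAMPLE_FLOWS = [
    "2025-08-10T15:00:01 src=10.0.0.10 dst=10.0.0.11 dport=389 proto=tcp",    # DC to DC, normal
    "2025-08-10T15:00:02 src=10.0.0.10 dst=10.0.5.20 dport=445 proto=tcp",    # DC to internal client
    "2025-08-10T15:00:03 src=10.0.5.20 dst=10.0.0.10 dport=389 proto=tcp",    # client to DC, normal
    "2025-08-10T15:01:00 src=10.0.0.10 dst=203.0.113.5 dport=389 proto=udp",  # DC as CLDAP client, external
    "2025-08-10T15:01:01 src=10.0.0.10 dst=203.0.113.5 dport=389 proto=tcp",  # DC as LDAP client, external
] + _burst_lines()


def parse_flow(line):
    """Parse one log line into a dict; raises KeyError/ValueError on malformed input."""
    ts, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {"ts": datetime.fromisoformat(ts), "src": fields["src"], "dst": fields["dst"],
            "dport": int(fields["dport"]), "proto": fields["proto"].lower()}


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def detect(lines, burst_threshold=20, window_seconds=60):
    """Return alerts for DCs talking LDAP/CLDAP to external hosts, or bursting
    connections to one external ip:port. Lines are assumed to be time-ordered."""
    alerts = []
    recent = defaultdict(deque)   # (src, dst, dport) -> timestamps inside the window
    fired = set()                 # keys that already produced a burst alert
    for line in lines:
        f = parse_flow(line)
        # Only DC-initiated traffic to external addresses matters for these rules.
        if f["src"] not in DOMAIN_CONTROLLERS or is_internal(f["dst"]):
            continue
        key = (f["src"], f["dst"], f["dport"])
        if f["dport"] in LDAP_PORTS:
            alerts.append({"rule": "dc_external_ldap_client", "src": f["src"],
                           "dst": f"{f['dst']}:{f['dport']}", "proto": f["proto"],
                           "ts": f["ts"].isoformat()})
        q = recent[key]
        q.append(f["ts"])
        while (f["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= burst_threshold and key not in fired:
            fired.add(key)
            alerts.append({"rule": "dc_external_connection_burst", "src": f["src"],
                           "dst": f"{f['dst']}:{f['dport']}", "count": len(q),
                           "window_seconds": window_seconds, "ts": f["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

The first rule fires on any DC-originated LDAP or CLDAP traffic to a non-internal address, which normal DCs have little reason to generate; the second is transport-agnostic because the final hop in the referral loop can target any port. DC-to-DC traffic on 389 stays below the radar because the destination is internal.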

Further analysis of the LDAP client referral code showed that sending lengthy referral lists to DCs can trigger an LSASS crash, a reboot, or a blue screen of death (BSoD). This works because there is no limit on referral list size, and referrals are not released from the DC's heap memory until the requested information is successfully retrieved.
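The two defects named above, an unbounded referral list and memory that is only released once the lookup succeeds, are what a hardened referral-following client must avoid. The block below is an added example (not Microsoft's LDAP client, not SafeBreach's code) that parses LDAP referral URLs, caps the list before processing it, collapses repeated targets, bounds the number of hops, and drops each referral list as soon as it is replaced by the next one. The caps, the canned responses and the `fetch` callback are assumptions for the example.

```python
"""Bounded LDAP referral handling: cap, dedupe and hop-limit referral lists."""
from urllib.parse import urlsplit

MAX_REFERRALS = 10   # assumed cap on URLs accepted from one referral response
MAX_HOPS = 3         # assumed cap on how many referrals one lookup may follow


class ReferralPolicyError(Exception):
    """Raised when a referral response violates the local policy."""


def vet_referrals(urls, max_referrals=MAX_REFERRALS):
    """Return deduplicated (host, port) targets from a referral URL list.

    The size check runs before any URL is parsed, so an oversized list is
    rejected without allocating per-entry state."""
    if len(urls) > max_referrals:
        raise ReferralPolicyError(f"referral list of {len(urls)} exceeds cap {max_referrals}")
    targets, seen = [], set()
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme not in ("ldap", "ldaps"):
            raise ReferralPolicyError(f"unsupported referral scheme in {url!r}")
        if not parts.hostname:
            raise ReferralPolicyError(f"referral without host: {url!r}")
        port = parts.port or (636 if parts.scheme == "ldaps" else 389)
        key = (parts.hostname, port)
        if key in seen:            # many URLs to one ip:port collapse to one attempt
            continue
        seen.add(key)
        targets.append(key)
    return targets


def resolve_chain(fetch, start_url, max_hops=MAX_HOPS):
    """Follow referrals from start_url. fetch(host, port) returns either
    ("entry", data) or ("referral", [urls]). Each hop replaces the pending
    target list instead of appending to it, so memory stays bounded."""
    targets = vet_referrals([start_url])
    hops = 0
    while targets:
        host, port = targets.pop(0)
        kind, payload = fetch(host, port)
        if kind == "entry":
            return payload
        hops += 1
        if hops > max_hops:
            raise ReferralPolicyError(f"exceeded {max_hops} referral hops")
        targets = vet_referrals(payload)   # previous list is discarded here
    raise ReferralPolicyError("referral chain ended without a result")


# Constructed directory for the example; no network access takes place.
CANNED = {
    ("dc1.example.test", 389): ("referral", ["ldap://dc2.example.test/dc=example,dc=test"]),
    ("dc2.example.test", 389): ("entry", {"dn": "dc=example,dc=test"}),
    ("loop.example.test", 389): ("referral", ["ldap://loop.example.test/dc=x"]),
}


def canned_fetch(host, port):
    return CANNED.get((host, port), ("referral", []))


if __name__ == "__main__":
    print(resolve_chain(canned_fetch, "ldap://dc1.example.test/"))
    try:
        resolve_chain(canned_fetch, "ldap://loop.example.test/")
    except ReferralPolicyError as err:
        print("rejected:", err)
```

Rejecting the list by length before parsing it is the important ordering: a client that first materialises every entry and only then decides has already paid the memory cost the researchers describe.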

On top of that, the transport-agnostic code that serves client requests was found to contain three new denial-of-service (DoS) vulnerabilities that can crash domain controllers without authentication. A further DoS flaw lets any authenticated user crash a domain controller or a domain-joined Windows computer.

The identified shortcomings are listed below:

* CVE-2025-26673 (CVSS score: 7.5) - Uncontrolled resource consumption in Windows Lightweight Directory Access Protocol (LDAP) allows an unauthorized attacker to deny service over a network.
* CVE-2025-32724 (CVSS score: 7.5) - Uncontrolled resource consumption in Windows Local Security Authority Subsystem Service (LSASS) allows an unauthorized attacker to deny service over a network.
* CVE-2025-49716 (CVSS score: 7.5) - Uncontrolled resource consumption in Windows Netlogon allows an unauthorized attacker to deny service over a network.
* CVE-2025-49722 (CVSS score: 5.7) - Uncontrolled resource consumption in Windows Print Spooler Components allows an authorized attacker to deny service over an adjacent network.

The researchers also stressed that these are zero-click, unauthenticated vulnerabilities that let attackers crash publicly accessible systems remotely, and showed that an attacker with minimal access to an internal network can trigger the same outcomes against private infrastructure.

"This vulnerability breaks common assumptions in enterprise threat modeling: that DoS risks only apply to public services, and that internal systems are safe from abuse unless fully compromised," the researchers said. "The implications for enterprise resilience, risk modeling, and defense strategies are significant."



Related Information:

  • https://www.ethicalhackingnews.com/articles/New-DDoS-Flaws-in-Public-Domain-Controllers-Allow-Attackers-to-Harness-Global-Infrastructure-ehn.shtml
  • https://thehackernews.com/2025/08/new-win-ddos-flaws-let-attackers-turn.html


Published: Sun Aug 10 15:37:13 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.