More than 12,000 poorly configured Microsoft servers have been discovered being abused to conduct impressively potent distributed denial of service (DDoS (opens in new tab)) attacks.

Cybersecurity researchers from Black Lotus Labs uncovered a total of 12,142 servers sporting Microsoft domain controllers hosting the company’s Active Directory services that were being used by multiple malware variants to magnify the size of DDoS attacks. 

The servers belong to all sorts of organizations, from religious ones in North America, to commercial entities in North Africa. 

Abused for months

Some of the most powerful ones exceeded 10Gbps in junk traffic, and reached as high as 17Gbps, the researchers said. Speaking to Ars Technica in an email, Black Lotus Lab researcher Chad Davis said the traffic was strong enough to DoS some less well-provisioned servers “all by itself”. “In theory, a hundred of these, working in unison, could generate a Terabit per second of attack traffic,” he said.

Some of these servers were abused for months, researchers further found. One, discovered in North America, was sending out gigs of junk traffic for 18 months, peaking at 2Gbps. 

How were they able to produce such high output? By serving as amplifiers, or reflectors. Instead of using the compromised server endpoints (opens in new tab) to send junk traffic to the targets directly, and thus risk being spotted, attackers would send network requests to third parties, first. If those third parties were misconfigured in their networks, in the way these servers were, the requests could be spoofed as if they were coming from those third parties themselves. Not only that, but the servers could reflect the data at the target in sizes thousands of times bigger than the original payload. 

According to Ars Technica, some of the more popular reflectors are misconfigured servers running open DNS resolvers, the network time protocol, Memcached for database caching, and the WS-Discovery protocol usually found in IoT devices. 

More recently, threat actors started using the Connectionless Lightweight Directory Access Protocol (CLDAP) as a source of reflection attacks. As Microsoft’s variant of the Lightweight Directory Access Protocol, CLDAP uses User Datagram Protocol packets so Windows clients can discover services for authenticating users, the publication explained. Apparently, threat actors have been using this protocol for five years now, magnifying data torrents by up to 70 times.