Win-DDoS and its procedure
A novel attack technique can be weaponized to rope thousands of public domain controllers (DCs) around the world, thereby creating a malicious botnet that can conduct powerful distributed denial-of-service (DDoS) attacks.
SafeBreach researchers Or Yair and Shahak Morag have codenamed the approach Win-DDoS and presented their findings at the DEF CON 33 security conference.
“As we explored the intricacies of the Windows LDAP client code, we discovered a significant flaw that allowed us to manipulate the URL referral process to point DCs at a victim server to overwhelm it,” Yair and Morag said in a report shared with The Hacker News.
“As a result, we were able to create Win-DDoS, a technique that would enable an attacker to harness the power of tens of thousands of public DCs around the world to create a malicious botnet with vast resources and upload rates. All without purchasing anything and without leaving a traceable footprint.”
In transforming DCs into a DDoS bot without the need for code execution or credentials, the attack essentially turns the Windows platform into both the victim and the weapon. The attack flow unfolds as follows:
- The attacker sends an RPC call to DCs, which triggers them to become CLDAP clients.
- DCs send the CLDAP request to the attacker’s CLDAP server, which then returns a referral response that directs the DCs to the attacker’s LDAP server in order to switch from UDP to TCP.
- DCs then send the LDAP query to the attacker’s LDAP server over TCP.
- The attacker’s LDAP server responds with an LDAP referral response containing a long list of LDAP referral URLs, all of which point to a single port on a single IP address.
- DCs open a TCP connection to that port and send an LDAP query; the web server listening there does not speak LDAP and closes the connection.
“Once the TCP connection is aborted, the DCs continue to the next referral on the list, which points to the same server again,” the researchers said. “And this behavior repeats itself until all the URLs in the referral list are over, creating our innovative Win-DDoS attack technique.”
More powerful than you think
What makes Win-DDoS significant is that it delivers high bandwidth without requiring the attacker to buy or rent any dedicated infrastructure. It also does not require breaching a single device, which lets attackers fly under the radar.
Further analysis of the LDAP client code referral process has revealed that it is possible to trigger an LSASS crash, reboot, or a blue screen of death (BSoD) by sending lengthy referral lists to DCs. This takes advantage of the fact that there are no limits on referral list sizes, and the DC’s heap memory does not release referrals until the system successfully retrieves the information.
Win-DDoS turns this behavior around: instead of crashing the domain controller with a referral list large enough to exhaust its resources, it hands the DC a list whose entries all refer to the intended victim. This opens the door to a scenario in which public domain controllers worldwide can be made to send LDAP packets to any IP address and port of the attacker's choosing.
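The following is an added example, not code from the SafeBreach research or from Windows, that models the two behaviours described above: the referral-chasing loop in the attack flow (one TCP connection per referral URL, moving on when the peer closes) and the fact that the whole referral list is parsed and held before the first connection is attempted. It builds a real LDAPv3 SearchResultDone with resultCode referral(10) in BER (RFC 4511 layout), parses it back, and then walks the list the way a naive client would. The `max_referrals` cap, the target IP 192.0.2.10 and the port 8080 are assumptions for illustration; the cap stands in for the kind of limit a hardened client would enforce and says nothing about what the Windows LDAP client actually does.

```python
"""Toy model of LDAP referral chasing (added example, not from the original page)."""
from collections import Counter
from typing import Optional
from urllib.parse import urlsplit

REFERRAL = 10  # LDAP resultCode referral(10), RFC 4511


def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body


def encode_referral_result(message_id: int, urls: list[str]) -> bytes:
    """LDAPMessage { messageID, searchResDone [APPLICATION 5] LDAPResult { referral(10), "", "", [3] Referral } }."""
    if not 0 <= message_id < 128:
        raise ValueError("toy encoder only handles single-byte message IDs")
    referral = tlv(0xA3, b"".join(tlv(0x04, u.encode()) for u in urls))  # [3] SEQUENCE OF LDAPURL
    result = tlv(0x0A, bytes([REFERRAL])) + tlv(0x04, b"") + tlv(0x04, b"") + referral
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x65, result))


def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the BER TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_referral_result(msg: bytes) -> tuple[int, list[str]]:
    """Decode the message above; returns (resultCode, referral URLs)."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, _, pos = read_tlv(body, 0)  # messageID
    tag, result, _ = read_tlv(body, pos)
    if tag != 0x65:
        raise ValueError("not a SearchResultDone")
    _, code, pos = read_tlv(result, 0)  # resultCode
    _, _, pos = read_tlv(result, pos)   # matchedDN
    _, _, pos = read_tlv(result, pos)   # diagnosticMessage
    urls: list[str] = []
    if code[0] == REFERRAL and pos < len(result):
        tag, refs, _ = read_tlv(result, pos)
        if tag != 0xA3:
            raise ValueError("expected [3] Referral")
        p = 0
        while p < len(refs):
            _, uri, p = read_tlv(refs, p)
            urls.append(uri.decode())
    return code[0], urls


def simulate_client(response: bytes, max_referrals: Optional[int] = None) -> dict:
    """Walk a referral list the way a naive client does.

    The full response is parsed (and thus held) before any connection is made.
    Each URL then costs one TCP connection to host:port; a peer that closes the
    connection just advances the loop. `max_referrals` is a hypothetical cap a
    hardened client could apply before doing any work.
    """
    code, urls = parse_referral_result(response)
    connections: Counter = Counter()
    if code != REFERRAL:
        return {"held_bytes": len(response), "connections": connections, "refused": False}
    if max_referrals is not None and len(urls) > max_referrals:
        return {"held_bytes": len(response), "connections": connections, "refused": True}
    for url in urls:
        parts = urlsplit(url)
        connections[(parts.hostname, parts.port or 389)] += 1  # connect, query, peer closes, next
    return {"held_bytes": len(response), "connections": connections, "refused": False}


if __name__ == "__main__":
    # Constructed input: 5,000 referrals, all pointing at one assumed victim host:port.
    victim_list = ["ldap://192.0.2.10:8080/"] * 5000
    resp = encode_referral_result(1, victim_list)
    naive = simulate_client(resp)
    capped = simulate_client(resp, max_referrals=10)
    print("bytes held before first connection:", naive["held_bytes"])
    print("connections to victim:", naive["connections"][("192.0.2.10", 8080)])
    print("refused under cap:", capped["refused"])
```

A single response of roughly 125 KB is enough to make the naive client open 5,000 connections to one host and port, which is the per-DC amplification the attack relies on; the same model with a referral cap refuses the list before opening any. The encoder deliberately handles only the fields the example needs (single-byte message IDs, no controls), so it is a reference for the referral layout rather than a general LDAP library.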
Given that domain controllers rely heavily on RPC to function—particularly for authentication, user management, and service management—SafeBreach found that it is possible to employ a denial-of-service (DoS) technique called TorpeDoS against RPC servers.
“TorpeDoS is a technique that we invented which creates the impact of a DDoS, but from a single computer,” SafeBreach told The Hacker News. “It doesn’t use many different computers worldwide to create a DDoS; it just improves the efficiency of RPC-call-rate by so much that the impact of a single computer implementing TorpeDoS is equivalent to the impact of a DDoS attack made by tens of thousands of computers.”
More DDoS vulnerabilities
On top of that, the transport-agnostic code that executes to serve client requests has three new denial-of-service (DoS) vulnerabilities that can crash domain controllers without requiring authentication. Additionally, there is one more DoS flaw that provides any authenticated user with the ability to crash a domain controller or Windows computer within a domain.
The identified shortcomings are as follows:
- CVE-2025-26673 (CVSS score: 7.5) – Uncontrolled resource consumption in Windows Lightweight Directory Access Protocol (LDAP) allows an unauthorized attacker to deny service over a network. (Fixed in May 2025)
- CVE-2025-32724 (CVSS score: 7.5) – Uncontrolled resource consumption in Windows Local Security Authority Subsystem Service (LSASS) allows an unauthorized attacker to deny service over a network. (Fixed in June 2025)
- CVE-2025-49716 (CVSS score: 7.5) – Uncontrolled resource consumption in Windows Netlogon allows an unauthorized attacker to deny service over a network. (Fixed in July 2025)
- CVE-2025-49722 (CVSS score: 5.7) – Uncontrolled resource consumption in Windows Print Spooler Components allows an authorized attacker to deny service over an adjacent network. (Fixed in July 2025)
Like the LDAPNightmare (CVE-2024-49113) vulnerability detailed earlier this January, the latest findings reveal that blind spots exist in Windows that attackers could target and exploit, crippling business operations.
“The vulnerabilities we discovered are zero-click, unauthenticated vulnerabilities that allow attackers to crash these systems remotely if they are publicly accessible. They also show how attackers with minimal access to an internal network can trigger the same outcomes against private infrastructure,” the researchers said.
“Our findings break common assumptions in enterprise threat modeling: that DoS risks only apply to public services and that internal systems remain safe from abuse unless fully compromised. The implications for enterprise resilience, risk modeling, and defense strategies are significant.”
Source: TheHackerNews