Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Win-DoS Epidemic: New DoS and DDoS Attacks Start with Microsoft Windows

11 August 2025 09:05

At the DEF CON 33 security conference, a team of industry specialists from SafeBreach Labs, Yair and Shahak Morag, presented a novel category of denial-of-service (DoS) attacks they’ve dubbed the “Win-DoS Epidemic.” The research demonstrates how attackers can take down any Windows endpoint or server, including critical domain controllers (DCs), and even weaponize public DCs to create a large-scale DDoS botnet.

The two researchers presented findings that include four Windows DoS vulnerabilities and a distributed denial-of-service (DDoS) attack that can be triggered without a click. The discovered flaws, all classified as “uncontrolled resource consumption,” include:

  • CVE-2025-26673 (CVSS 7.5): A high-severity DoS vulnerability in Windows LDAP.
  • CVE-2025-32724 (CVSS 7.5): A high-severity DoS vulnerability in Windows LSASS.
  • CVE-2025-49716 (CVSS 7.5): A high-severity DoS vulnerability in Windows Netlogon.
  • CVE-2025-49722 (CVSS 5.7): A medium-severity DoS vulnerability in the Windows print spooler, requiring an authenticated attacker on an adjacent network.

A successful DoS attack against a DC can cripple an entire organization, making it impossible for users to log in, access resources, or perform daily operations. “Introducing the ‘Win-DoS Epidemic’: DoS tools that exploit four new zero-click Win-DoS vulnerabilities and one Win-DDoS! They crash any Windows endpoint/server, including DCs, or launch a botnet using public DCs for DDoS attacks. The epidemic has begun,” the researchers said.

Domain controllers form the backbone of most enterprise networks, handling authentication and centralizing user and resource management. The researchers’ work builds on their previous discovery, the LdapNightmare vulnerability (CVE-2024-49113), which was the first public DoS exploit for a Windows domain controller. The new findings significantly expand this threat, going beyond just LDAP to abuse other core Windows services.

The most alarming discovery is the new DDoS technique, which the researchers have dubbed Win-DDoS. This attack exploits a flaw in the Windows LDAP client referral process. In normal operation, an LDAP referral directs a client to a different server to fulfill a request. Yair and Morag discovered that by manipulating this process, they could redirect DCs to a victim server and, crucially, cause the DCs to repeat this redirection incessantly.

This behavior allows an attacker to harness the immense power of tens of thousands of public DCs around the world, turning them into a massive, free, and untraceable DDoS botnet. The attack requires no special infrastructure and leaves no forensic traces, as the malicious activity originates from the compromised DCs, not the attacker’s computer.

This technique represents a significant shift in DDoS attacks, enabling high-bandwidth, high-volume attacks without the typical costs or risks associated with setting up and maintaining a botnet.
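
One way a defender could watch for the repeated redirection described above, as an added example that is not from the original article or from SafeBreach Labs: because the traffic originates from the DCs themselves, it flags any DC that opens many connections to the same external host within a short window. The flow-record format, DC addresses, internal range, window and threshold are all assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions for this sketch; replace with values from your environment.
DC_ADDRS = {"10.0.0.10", "10.0.0.11"}        # hypothetical domain controllers
INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # hypothetical internal range
WINDOW = timedelta(seconds=60)               # sliding window
THRESHOLD = 20                               # connections per window per target

def build_sample():
    """Constructed flow records: 'ISO-timestamp src dst dst_port'."""
    t0, rows = datetime(2025, 8, 11, 9, 0, 0), []
    def add(n, step, src, dst, port):
        for i in range(n):
            rows.append(f"{(t0 + timedelta(seconds=step * i)).isoformat()} {src} {dst} {port}")
    add(30, 2, "10.0.0.10", "203.0.113.50", 443)   # DC hammering one external host
    add(30, 2, "10.0.0.11", "10.0.0.10", 389)      # DC-to-DC traffic, internal
    add(5, 10, "10.0.0.11", "198.51.100.7", 443)   # occasional external lookups
    add(40, 1, "10.0.5.20", "203.0.113.50", 443)   # busy workstation, not a DC
    return sorted(rows)                            # ISO timestamps sort by time

def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)

def detect(lines):
    """Return {(dc, dst, port): peak connections seen within WINDOW}."""
    recent = defaultdict(deque)   # (dc, dst, port) -> timestamps inside the window
    alerts = {}
    for line in lines:
        ts_s, src, dst, port = line.split()
        if src not in DC_ADDRS or is_internal(dst):
            continue              # only DC-originated traffic leaving the network
        key, ts = (src, dst, int(port)), datetime.fromisoformat(ts_s)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()           # drop connections older than the window
        if len(q) >= THRESHOLD:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts

SAMPLE = build_sample()
if __name__ == "__main__":
    for (dc, dst, port), peak in detect(SAMPLE).items():
        print(f"ALERT {dc} -> {dst}:{port} peak {peak} connections in {WINDOW}")
```
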

The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.