August 18, 2025
By esentry team

Win-DoS & Win-DDoS: Turning Your Domain Controllers into Attack Dogs

Researchers at SafeBreach have uncovered a disturbing new attack technique that doesn’t rely on malware, stolen passwords, or tricking anyone into clicking a link.
Instead, it abuses built-in Windows features to:

  • Crash your Windows Domain Controllers (DoS)
  • Hijack them to unleash massive DDoS attacks against others

It is like convincing your own security guard to throw bricks at someone else’s house.

Attack Technique – Technical Breakdown

  1. Target Enumeration
    • Adversaries perform internet-wide scans for the TCP ports associated with MS-RPC and directory services (e.g., 135, 389, 445 and the dynamic RPC range, 49152–65535).
    • Focus is on DCs with LDAP, LSASS, Netlogon, or Print Spooler services exposed to the public internet.
  2. Exploitation Vector (Win-DoS phase)
    A specially crafted RPC request is sent to a vulnerable endpoint:
    • LDAP (CVE-2025-26673) – Resource exhaustion via repeated LDAP binds/queries
    • LSASS (CVE-2025-32724) – Memory exhaustion via malformed requests
    • Netlogon (CVE-2025-49716) – Session flooding causing CPU spikes
    • Print Spooler (CVE-2025-49722) – Task queue saturation leading to service crash
    All except Print Spooler are unauthenticated, meaning the attacker does not need valid credentials.
  3. Service Hijacking (Win-DDoS phase)
    • Instead of exhausting resources locally, the RPC call turns the DC into an LDAP client: the CLDAP referral it receives points it at a third-party IP, which the DC then queries repeatedly.
    • Each referral generates amplified outbound traffic (~3–5x the original packet size), creating a reflection/amplification DDoS effect.
    • Multiple hijacked DCs can be chained for sustained high-bandwidth attacks.
  4. Evasion Characteristics
    • No persistent payload or malware is dropped.
    • Traffic originates from legitimate DC services/protocols (LDAP, CLDAP, RPC), blending into normal operations.
    • Logs may only show “failed connection” or “query” entries, not explicit attack indicators.

Why This Matters

  • Infrastructure abuse – The adversary weaponizes your own authentication servers.
  • No traditional compromise – Firewalls, EDR, and anti-virus may not detect anything unusual.
  • Amplification potential – A few thousand DCs could generate terabit-scale attacks.
  • Attribution challenges – Attacks appear to come from legitimate corporate networks.

Detection

  • Monitor outbound LDAP/CLDAP traffic (TCP and UDP 389) from DCs to unexpected IP ranges; a DC rarely initiates LDAP connections to addresses outside the forest, so repeated connections to one external destination are a strong signal.
  • Flag high-frequency LDAP binds/queries without matching authentication events.
  • Alert on any RPC, LDAP, or SMB traffic from public IPs reaching DCs directly; no DC should be reachable that way.
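The first and third detection bullets as working code, added as an example in this edit (it is not code from the esentry post or from SafeBreach). It runs the checks over constructed Windows Firewall log lines in the pfirewall.log field order; the DC addresses, trusted ranges, alert threshold and log path are assumptions to adjust for your environment. The second bullet (binds without matching authentication events) needs the Security and Directory Service event logs and is not covered here.

```powershell
# Added example (not from the esentry post or SafeBreach): flag a DC that repeatedly
# opens LDAP/CLDAP connections to an untrusted destination (Win-DDoS egress), and any
# untrusted source reaching a DC on RPC/LDAP/SMB ports (Win-DoS ingress).
# Assumed values: adjust $DomainControllers, $TrustedRanges and $Threshold.

$DomainControllers = @('10.0.0.5', '10.0.0.6')                          # assumed DC addresses
$TrustedRanges     = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16') # assumed internal ranges
$Threshold         = 3                                                  # assumed: outbound LDAP hits per destination before alerting

# Constructed sample in the Windows Firewall log format (path = SEND for outbound, RECEIVE for inbound).
$SampleLog = @'
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2025-08-18 10:01:02 ALLOW UDP 10.0.0.5 10.0.0.20 389 55012 120 - - - - - - - SEND
2025-08-18 10:01:03 ALLOW TCP 10.0.0.5 203.0.113.7 61033 389 52 S 3245001 0 65535 - - - SEND
2025-08-18 10:01:03 ALLOW TCP 10.0.0.5 203.0.113.7 61034 389 52 S 3245002 0 65535 - - - SEND
2025-08-18 10:01:04 ALLOW TCP 10.0.0.5 203.0.113.7 61035 389 52 S 3245003 0 65535 - - - SEND
2025-08-18 10:01:04 ALLOW TCP 10.0.0.5 203.0.113.7 61036 389 52 S 3245004 0 65535 - - - SEND
2025-08-18 10:01:05 ALLOW TCP 198.51.100.23 10.0.0.5 40211 135 52 S 99001 0 65535 - - - RECEIVE
2025-08-18 10:01:06 ALLOW TCP 10.0.0.50 10.0.0.5 50321 389 52 S 1010 0 65535 - - - RECEIVE
'@

function ConvertTo-Int64Address {
    # IPv4 dotted-quad to a 64-bit integer (avoids uint32 overflow quirks in PowerShell arithmetic).
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function Test-TrustedAddress {
    # True if $Address falls inside any CIDR range in $Ranges (IPv4 only).
    param([string]$Address, [string[]]$Ranges)
    $addr = ConvertTo-Int64Address $Address
    foreach ($range in $Ranges) {
        $net, $prefix = $range -split '/'
        $shift = 32 - [int]$prefix
        if (($addr -shr $shift) -eq ((ConvertTo-Int64Address $net) -shr $shift)) { return $true }
    }
    return $false
}

function ConvertFrom-FirewallLogLine {
    # Parse one pfirewall.log data line; header/comment lines return $null.
    param([string]$Line)
    if ([string]::IsNullOrWhiteSpace($Line) -or $Line.StartsWith('#')) { return $null }
    $f = $Line.Trim() -split '\s+'
    if ($f.Count -lt 17) { return $null }
    [pscustomobject]@{
        Time = "$($f[0]) $($f[1])"; Protocol = $f[3]; SrcIp = $f[4]; DstIp = $f[5]
        SrcPort = [int]$f[6]; DstPort = [int]$f[7]; Path = $f[16]
    }
}

function Find-LdapEgress {
    # Bullet 1: a DC opening LDAP/CLDAP connections to an untrusted destination, repeatedly.
    param([string[]]$Lines)
    $Lines | ForEach-Object { ConvertFrom-FirewallLogLine $_ } | Where-Object { $_ } |
        Where-Object { $_.Path -eq 'SEND' -and $_.SrcIp -in $DomainControllers -and $_.DstPort -eq 389 -and
                       -not (Test-TrustedAddress -Address $_.DstIp -Ranges $TrustedRanges) } |
        Group-Object SrcIp, DstIp |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                DomainController = $_.Group[0].SrcIp
                Destination      = $_.Group[0].DstIp
                Connections      = $_.Count
                FirstSeen        = $_.Group[0].Time
            }
        }
}

function Find-ExternalRpcIngress {
    # Bullet 3: anything outside the trusted ranges reaching a DC on RPC/LDAP/SMB ports.
    # Assumes connection-level logging, so RECEIVE entries are new inbound connections, not return traffic.
    param([string[]]$Lines)
    $rpcPorts = 135, 389, 445
    $Lines | ForEach-Object { ConvertFrom-FirewallLogLine $_ } | Where-Object { $_ } |
        Where-Object { $_.Path -eq 'RECEIVE' -and $_.DstIp -in $DomainControllers -and
                       ($_.DstPort -in $rpcPorts -or $_.DstPort -ge 49152) -and
                       -not (Test-TrustedAddress -Address $_.SrcIp -Ranges $TrustedRanges) } |
        Select-Object Time, SrcIp, DstIp, DstPort, Protocol
}

$lines = $SampleLog -split "`r?`n"
Find-LdapEgress -Lines $lines | Format-Table -AutoSize          # 10.0.0.5 -> 203.0.113.7, 4 connections
Find-ExternalRpcIngress -Lines $lines | Format-Table -AutoSize  # 198.51.100.23 -> 10.0.0.5:135
# Against a real DC, with allowed-connection logging turned on (Set-NetFirewallProfile -LogAllowed True):
# $lines = Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
```

The sample deliberately includes a legitimate CLDAP reply (source port 389 to an internal client) and an internal LDAP client connecting to the DC; neither is flagged, because the egress check keys on the destination port and the ingress check on the source range. Feed the same functions a flow export from your perimeter instead of pfirewall.log if the DC firewall log is not enabled.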

Mitigations

  1. Patch immediately: Apply Microsoft’s April 2025 (CVE-2025-26673), June 2025 (CVE-2025-32724) and July 2025 (CVE-2025-49716, CVE-2025-49722) security updates.
  2. Remove public exposure: Restrict RPC, LDAP, and Netlogon ports to trusted IP ranges.
  3. Apply RPC filtering: Use Windows Firewall and ACLs to enforce RPC access rules.
  4. Implement DDoS protection: Include detection for LDAP/CLDAP amplification patterns.
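Mitigations 2 and 3 as a Windows Firewall configuration, added here as an example and not taken from the esentry post. The trusted ranges, rule-name prefix and port list are assumptions; the built-in rule group name is the one a default DC install uses, but confirm it on your own DCs before running this, and test on a lab DC first.

```powershell
# Added example (not from the esentry post): scope the inbound ports a Windows DC
# exposes for RPC/LDAP/SMB to trusted ranges with the built-in firewall.
# Assumed values: $TrustedRanges, $Prefix, $InboundPorts. Run elevated on the DC.

$TrustedRanges = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16') # assumed: clients, admin hosts, replication partners
$Prefix        = 'DC-Lockdown'                                       # assumed rule-name prefix

# Ports a DC legitimately serves; 49152-65535 is the default dynamic RPC range.
$InboundPorts = @(
    @{ Name = 'RPC endpoint mapper';    Protocol = 'TCP'; Port = '135' },
    @{ Name = 'LDAP';                   Protocol = 'TCP'; Port = '389' },
    @{ Name = 'CLDAP';                  Protocol = 'UDP'; Port = '389' },
    @{ Name = 'LDAPS';                  Protocol = 'TCP'; Port = '636' },
    @{ Name = 'SMB (Netlogon/SYSVOL)';  Protocol = 'TCP'; Port = '445' },
    @{ Name = 'RPC dynamic range';      Protocol = 'TCP'; Port = '49152-65535' }
)

foreach ($svc in $InboundPorts) {
    $name = "$Prefix - $($svc.Name) from trusted ranges"
    # Idempotent: replace an earlier rule with the same name instead of duplicating it.
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
        -Protocol $svc.Protocol -LocalPort $svc.Port -RemoteAddress $TrustedRanges `
        -Profile Domain, Private, Public | Out-Null
}

# Windows evaluates block rules before allow rules, so an explicit block of these ports
# from Any would also cut off the trusted ranges. Instead, narrow the built-in allow
# rules, which ship with RemoteAddress = Any, to the same trusted ranges.
# 'Active Directory Domain Services' is the display group of those rules on a default
# DC install; confirm with: Get-NetFirewallRule -DisplayGroup '*Active Directory*'
Get-NetFirewallRule -DisplayGroup 'Active Directory Domain Services' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $TrustedRanges

# Keep the default inbound posture at Block and log allowed connections so the
# detection step has data to work with.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block `
    -LogAllowed True -LogBlocked True -LogMaxSizeKilobytes 32767

# Verify: any enabled inbound rule still scoped to Any on the DC ports is a gap.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any' } |
    ForEach-Object {
        $ports = ($_ | Get-NetFirewallPortFilter).LocalPort
        if ($ports -ne 'Any' -and (($ports -join ',') -match '\b(135|389|445|636)\b')) {
            "Still open to Any: $($_.DisplayName) on $($ports -join ',')"
        }
    }
```

Firewall scoping is the outer layer: it stops unauthenticated traffic from the internet but does nothing about a host inside a trusted range. For interfaces the DC must keep exposed, per-interface RPC filters (netsh rpc filter) can additionally restrict which principals may call a given RPC interface UUID; which interfaces to filter depends on which of the four services you cannot patch immediately.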