
T4K3.news

Win-DDoS Flaws Threaten Domain Controllers

Four Windows LDAP RPC flaws could turn public domain controllers into a DDoS botnet; patches were released in 2025.

August 10, 2025 at 07:30 PM
New Win-DDoS Flaws Let Attackers Turn Public Domain Controllers into DDoS Botnet via RPC, LDAP

Security researchers warn of four Windows flaws that abuse RPC and LDAP to convert public domain controllers into a stealth DDoS botnet, with patches released in 2025.

Win-DDoS Flaws Turn Public Domain Controllers Into DDoS Botnet

Researchers from SafeBreach describe Win-DDoS as a new technique that exploits LDAP and CLDAP referral flows to coax domain controllers into contacting an attacker-controlled server. The DCs then forward LDAP queries to the attacker's server and follow a list of referrals that directs traffic to a single IP and port, creating a coordinated source of traffic. The method does not require code execution or stolen credentials, which makes it easier for attackers to trigger a large-scale effect.

Microsoft fixed the flaws in 2025, addressing several CVEs tied to LDAP, LSASS, Netlogon and Print Spooler. The researchers warn that these flaws can crash controllers or force reboots when attackers feed long referral lists, and that the attack can be carried out against systems exposed on the internet. The findings challenge the idea that DoS risk is limited to public services and show how internal infrastructure can be misused to harm business operations.

Key Takeaways

✔️ Win-DDoS uses LDAP referral flows to repurpose domain controllers as traffic sources
✔️ No credentials or code execution required for the attack
✔️ Attacks could involve thousands of domain controllers
✔️ Patches exist, but deployment across large networks is challenging
✔️ The flaws affect the LDAP, LSASS, Netlogon and Print Spooler components
✔️ Threat modeling must include internal DoS risks and internal traffic patterns
✔️ Defenders should monitor referral traffic and limit referral chain lengths
✔️ This finding adds a new dimension to DDoS risk, one that lives inside the network

"Internal trust can become a weapon when referrals are unchecked."

Editorial note on internal risk

"Zero-click flaws rewrite how we model DoS risk."

Analyst perspective on threat modeling

"Defense now needs to audit LDAP referrals and segment DCs."

Security expert comment

"Patches exist, deployment across large networks remains a hurdle."

Industry viewpoint

Win-DDoS highlights a shift in threat modeling, where internal services become weapons. It shows that trust within the network can be exploited as easily as trust on the outside. The report urges defenders to watch not just external access points but also how referral flows and heap memory are managed in domain controllers.

The patching race is real. Enterprises must balance rapid updates with stability, while adding monitoring for referral traffic and enforcing tighter segmentation of domain controllers. The attack underscores the need for better visibility into identity services and for designs that limit the ripple effect of a single misconfigured referral.
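The article recommends monitoring referral traffic and limiting referral chain lengths. The following Python script is an added defensive example of what that can look like in practice; it is not code from SafeBreach, Microsoft or this site. It assumes a constructed log format in which a domain controller records one line per referral it follows (`<ts> dc=<name> session=<id> hop=<n> target=<host>:<port>`), and it assumes the forest's DNS suffix and the policy limits given as constants. It flags three things the article's description of the attack predicts: a single session chasing an unusually long referral chain, referral targets outside the forest's namespace, and many sessions converging on one target host and port. The `should_follow` function shows the matching client-side cap a hardened referral chaser would apply before each hop.

```python
"""Detect and cap suspicious LDAP referral chains on a domain controller.

Added defensive example; not code from SafeBreach, Microsoft or T4K3.news.
Assumptions: the DC emits one log line per referral it follows, in the
constructed format
    <ts> dc=<name> session=<id> hop=<n> target=<host>:<port>
and the forest's DNS suffixes and policy limits are the constants below.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

TRUSTED_SUFFIXES = ("corp.example",)  # assumption: the forest's DNS suffixes
MAX_CHAIN_LEN = 10                    # assumption: policy cap on hops per session
CONVERGENCE_MIN_SESSIONS = 3          # assumption: sessions sharing one target:port

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+dc=(?P<dc>\S+)\s+session=(?P<sess>\S+)\s+hop=(?P<hop>\d+)\s+"
    r"target=(?P<host>[^:\s]+):(?P<port>\d+)$"
)


@dataclass(frozen=True)
class Referral:
    ts: str
    dc: str
    session: str
    hop: int
    host: str
    port: int


def parse_line(line: str):
    """Return a Referral for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return Referral(m["ts"], m["dc"], m["sess"], int(m["hop"]), m["host"], int(m["port"]))


def is_trusted_target(host: str) -> bool:
    """A target is trusted only if it sits inside the forest's DNS namespace.
    Bare IP literals never match a suffix, so they are untrusted by construction."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in TRUSTED_SUFFIXES)


def should_follow(hop: int, host: str) -> bool:
    """Client-side policy applied before each hop: refuse once the chain is past
    the cap, and refuse targets outside the forest."""
    return hop <= MAX_CHAIN_LEN and is_trusted_target(host)


def analyze(lines):
    """Group referrals by session and return sorted findings of three kinds:
    ('long_chain', session, hops), ('untrusted_target', session, 'host:port'),
    ('convergence', 'host:port', number_of_sessions)."""
    chains = defaultdict(list)
    for line in lines:
        r = parse_line(line)
        if r is not None:
            chains[r.session].append(r)

    findings = []
    sessions_per_target = defaultdict(set)
    for sess, refs in chains.items():
        if len(refs) > MAX_CHAIN_LEN:
            findings.append(("long_chain", sess, len(refs)))
        # one finding per distinct untrusted target in the session, not per hop
        for host, port in sorted({(r.host, r.port) for r in refs}):
            if not is_trusted_target(host):
                findings.append(("untrusted_target", sess, f"{host}:{port}"))
        for r in refs:
            sessions_per_target[(r.host, r.port)].add(sess)

    # many independent sessions steered to one host:port is the DDoS signature
    for (host, port), sessions in sessions_per_target.items():
        if len(sessions) >= CONVERGENCE_MIN_SESSIONS:
            findings.append(("convergence", f"{host}:{port}", len(sessions)))
    return sorted(findings)


# Constructed sample: three sessions chase referrals to one outside IP:port,
# one of them 12 hops deep; a fourth session stays inside the forest.
SAMPLE_LOG = (
    [f"2025-08-10T19:30:{i:02d}Z dc=dc1 session=s1 hop={i} target=203.0.113.7:389"
     for i in range(1, 13)]
    + [f"2025-08-10T19:31:{i:02d}Z dc=dc1 session=s2 hop={i} target=203.0.113.7:389"
       for i in range(1, 3)]
    + [f"2025-08-10T19:32:{i:02d}Z dc=dc2 session=s3 hop={i} target=203.0.113.7:389"
       for i in range(1, 3)]
    + ["2025-08-10T19:33:01Z dc=dc2 session=s4 hop=1 target=dc3.corp.example:389",
       "garbage line that the parser must skip"]
)

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The convergence check is the one that most directly matches the article's description of the technique, since a referral list that steers every DC to a single IP and port produces exactly that pattern across otherwise unrelated sessions; the chain-length cap and the namespace check are the preventive controls that stop a DC from participating in the first place. In a real deployment the constants would come from the forest's configuration and the log lines from the DC's own LDAP client diagnostics rather than the constructed format assumed here.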

Highlights

  • Internal trust can become a weapon when referrals are unchecked.
  • Zero-click flaws demand a new look at how we model DoS risk.
  • Patching is essential but not enough without tightening referral controls.
  • A domain controller can become a tool for a DDoS attack.

Patching is essential, but so is rethinking internal trust and monitoring.

