Win-DDoS: Attackers Turn Windows Domain Controllers into Botnets for Devastating DDoS Attacks

Security researchers have unveiled a new attack technique dubbed "Win-DDoS" that can transform vulnerable Windows domain controllers (DCs) into a powerful botnet for launching devastating Distributed Denial-of-Service (DDoS) attacks. This novel method, presented at the DEF CON 33 security conference, exploits flaws in Windows' Lightweight Directory Access Protocol (LDAP) client code and Remote Procedure Call (RPC) framework, allowing attackers to weaponize publicly accessible DCs without needing code execution or credentials.

Win-DDoS: A New Threat to Network Infrastructure

The Win-DDoS technique allows attackers to manipulate the URL referral process within Windows' LDAP client code. By sending specially crafted RPC calls, attackers can trick DCs into becoming CLDAP clients. These clients then connect to an attacker-controlled CLDAP server, which issues a referral to an attacker-controlled LDAP server. This LDAP server responds with an extensive list of referral URLs, all pointing to a single IP address and port. Each referral triggers repeated TCP connections to the target, overwhelming it with traffic and causing a denial-of-service. This method is particularly concerning due to its high bandwidth potential and the fact that it requires no compromised infrastructure, allowing attackers to operate stealthily.

Key Takeaways

  • Weaponized Domain Controllers: Attackers can turn public Windows domain controllers into a botnet for DDoS attacks.

  • Zero-Click Exploitation: The technique does not require code execution or credentials, making it highly stealthy.

  • LDAP and RPC Vulnerabilities: Exploits flaws in Windows' LDAP client code and RPC framework.

  • Stealthy and Potent: Offers high bandwidth and requires no compromised infrastructure.

  • System Instability: Can also lead to LSASS crashes, reboots, or Blue Screens of Death (BSODs).

Exploited Vulnerabilities and Their Impact

SafeBreach researchers identified several critical vulnerabilities that enable the Win-DDoS attack:

  • CVE-2025-26673 (CVSS 7.5): Uncontrolled resource consumption in Windows LDAP, allowing unauthenticated attackers to deny service.

  • CVE-2025-32724 (CVSS 7.5): Uncontrolled resource consumption in Windows LSASS, enabling unauthenticated attackers to deny service.

  • CVE-2025-49716 (CVSS 7.5): Uncontrolled resource consumption in Windows Netlogon, allowing unauthenticated attackers to deny service.

  • CVE-2025-49722 (CVSS 5.7): Uncontrolled resource consumption in Windows Print Spooler Components, allowing authenticated attackers to deny service.

These flaws, some of which are zero-click and unauthenticated, can be exploited remotely against publicly accessible DCs or by authenticated users against internal infrastructure. The researchers highlighted that these vulnerabilities can cause systems to crash, reboot, or trigger a BSOD by overwhelming the DC's resources with lengthy referral lists, as there are no limits on referral list sizes and memory is not released until information retrieval is successful.
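The root cause described above and in the section before it is a referral list with no size limit, every entry of which can point at one host and port. The following is an added example (not from the article, SafeBreach or Microsoft) of the bounds check a hardened LDAP client or a response-inspecting monitor could apply before following any referral; the limits, hostnames and addresses are constructed assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit

# Standard LDAP ports used when a referral URL omits one.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Policy knobs (assumed values, not taken from Microsoft or the article): how many
# referrals one response may carry, and how many referrals to a single host:port
# still count as redirection rather than traffic amplification.
MAX_REFERRALS = 10
MAX_SAME_TARGET = 3


def referral_target(url):
    """Return (host, port) for an ldap:// or ldaps:// referral, or None if malformed."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        return (parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme])
    except ValueError:  # non-numeric port
        return None


def check_referrals(urls, max_referrals=MAX_REFERRALS, max_same_target=MAX_SAME_TARGET):
    """Validate one referral list before any connection is opened.

    ok is False when the list exceeds max_referrals (the unbounded case the article
    describes) or one host:port recurs more than max_same_target times (the Win-DDoS
    pattern); targets holds the unique (host, port) pairs that may be followed."""
    findings, ok = [], True
    if len(urls) > max_referrals:
        findings.append(f"referral list has {len(urls)} entries, limit is {max_referrals}")
        ok = False
    targets = [t for t in map(referral_target, urls) if t is not None]
    if len(targets) < len(urls):
        findings.append(f"{len(urls) - len(targets)} malformed referral URL(s) ignored")
    for (host, port), n in Counter(targets).items():
        if n > max_same_target:
            findings.append(f"{n} referrals point at {host}:{port}")
            ok = False
    return {"ok": ok, "targets": list(dict.fromkeys(targets)), "findings": findings}


# Constructed sample data: a normal two-hop referral (plus one junk entry) and a list
# that sends every referral to the same address, as in the attack described above.
BENIGN_REFERRALS = ["ldap://dc2.corp.example/dc=corp,dc=example",
                    "ldaps://dc3.corp.example/dc=corp,dc=example",
                    "not-a-url"]
AMPLIFYING_REFERRALS = [f"ldap://10.0.0.5:389/o=ref{i}" for i in range(12)]
```

Running `check_referrals(AMPLIFYING_REFERRALS)` rejects the list on both counts, while the benign list is accepted with only the junk entry noted.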

Broader Implications for Enterprise Security

The discovery of Win-DDoS challenges common assumptions in enterprise threat modeling, particularly the belief that DoS risks are limited to public-facing services and that internal systems are inherently safe. The ability to remotely crash domain controllers or other Windows endpoints, even with minimal access to an internal network, has significant implications for enterprise resilience, risk modeling, and defense strategies. Organizations are urged to apply the latest security patches from Microsoft, limit the exposure of domain controller services, segment critical systems, and actively monitor for unusual LDAP or RPC traffic to detect and mitigate such attacks.

Sources

  • New Win-DDoS Flaws Let Attackers Turn Public Domain Controllers into DDoS Botnet via RPC, LDAP, The Hacker News.

  • Silent Cyber Weapon Discovered: Hackers Can Now Turn Your Windows Server into a DDoS Weapon, The420.in.

  • ‘Win-DDoS’: Researchers unveil botnet technique exploiting Windows domain controllers, CSO Online.
