Meet the Windows Servers that have been Fueling Massive DDoSes for Months
upstart writes:
Meet the Windows servers that have been fueling massive DDoSes for months:
A small retail business in North Africa, a North American telecommunications provider, and two separate religious organizations: What do they have in common? They're all running poorly configured Microsoft servers that for months or years have been spraying the Internet with gigabytes-per-second of junk data in distributed-denial-of-service attacks designed to disrupt or completely take down websites and services.
In all, recently published research from Black Lotus Labs, the research arm of networking and application technology company Lumen, identified more than 12,000 servers-all running Microsoft domain controllers hosting the company's Active Directory services-that were regularly used to magnify the size of distributed-denial-of-service attacks, or DDoSes.
For decades, DDoSers have battled with defenders in a constant, never-ending arms race. Early on, DDoSers simply corralled ever-larger numbers of Internet-connected devices into botnets and then used them to simultaneously send a target more data than they can handle. Targets-be they game companies, journalists, or even crucial pillars of Internet infrastructure-often buckled at the strain and either completely fell over or slowed to a trickle.
Companies like Lumen, Netscout, Cloudflare, and Akamai then countered with defenses that filtered out the junk traffic, allowing their customers to withstand the torrents. DDoSers responded by rolling out new types of attacks that temporarily stymied those defenses. The race continues to play out.
One of the chief methods DDoSers use to gain the upper hand is known as reflection. Rather than sending the torrent of junk traffic to the target directly, DDoSers send network requests to one or more third parties. By choosing third parties with known misconfigurations in their networks and spoofing the requests to give the appearance they were sent by the target, the third parties end up reflecting the data at the target, often in sizes that are tens, hundreds, or even thousands of times bigger than the original payload.
What should the response be to those who run misconfigured servers? Should we try to help them secure their servers (at their cost, of course) or should the servers be shut down?
Read more of this story at SoylentNews.