New ‘Win-DDoS’ Attack Turns Windows Servers Into a Global Botnet
At DEF CON 33, researchers from SafeBreach unveiled a new attack technique dubbed Win-DDoS, capable of turning thousands of publicly reachable domain controllers (DCs) worldwide into a botnet for large-scale DDoS attacks. The attacker needs no rented infrastructure, no code injection and no compromise of any system: the flood is generated by legitimate domain controllers, so the victim sees traffic from trusted Windows servers rather than from attacker-owned hosts, which makes the attack both cheap and hard to attribute.
Win-DDoS exploits a quirk in the Windows LDAP client, specifically the way it handles referrals (LDAP URL redirection). The researchers found that an attacker who controls the server a domain controller is talking to can steer that referral handling and force the DC to connect to a target server over and over. The sustained stream of connections exhausts the victim's resources, producing a denial of service.
To execute the attack, the adversary sends an RPC request that makes the domain controller act as a CLDAP client. The DC connects to the attacker's CLDAP server, which answers with a referral to an LDAP (TCP) server, also under the attacker's control. That LDAP server returns a very long list of referral URLs, every one of them pointing at the same victim IP address and port. Each time the victim closes the connection, the domain controller simply moves on to the next URL in the list and connects again, so a single referral response turns into a continuous flood of connections to one destination.
The technique stands out for its high throughput and for the fact that no device has to be compromised. Moreover, analysis of the LDAP referral-handling code showed that an excessively long referral list could crash the LSASS process, force a reboot, or trigger a Blue Screen of Death. The root cause is that the client imposed no size limit on the referral list, and the memory allocated to hold it was released only once the request completed successfully, so a malicious server could make the DC allocate an arbitrarily large buffer that was never freed on the failure path.
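The following Python script is an added example, not SafeBreach's code and not the Windows LDAP client. It models the two halves of the mechanism just described: an LDAP referral list in which every URL names the same host:port, walked by an unbounded client (how many connections the victim receives), beside a hardened client that refuses the list before allocating or connecting. It also includes a small defender-side check over constructed connection events: a domain controller that repeatedly opens outbound LDAP-style connections to a destination that is not a known peer. The referral URLs, the 203.0.113.10 victim address (an RFC 5737 documentation address), the cap values, the log line format and the `CONSTRUCTED_EVENTS` data are all assumptions made for this example.

```python
"""Model of the Win-DDoS referral chain (added example, not the original research code)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed referral list: what an attacker-controlled LDAP server hands back. Every URL
# names the same victim host:port. 203.0.113.10 is a documentation address, not a real target.
VICTIM_HOST = "203.0.113.10"
CONSTRUCTED_REFERRALS = [f"ldap://{VICTIM_HOST}:389/DC=example,DC=com"] * 5000

# Assumed policy values for the hardened client model; per the article the Windows client
# applied no size limit at all, which is what made the LSASS memory exhaustion possible.
MAX_REFERRALS = 32   # refuse any referral list longer than this
MAX_FAN_IN = 2       # refuse if more than this many URLs name the same host:port


def referral_target(url):
    """Parse an LDAP URL (RFC 4516: ldap[s]://host[:port]/dn?attrs?scope?filter) to (host, port)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"not an LDAP URL with a host: {url!r}")
    default_port = 636 if parts.scheme == "ldaps" else 389
    return parts.hostname, parts.port or default_port


def connections_if_followed(urls):
    """Unbounded client model: walk the whole list, one connection per URL (the DC behaviour
    the article describes, where each closed connection triggers the next referral).
    Returns a Counter of (host, port) -> number of connection attempts the victim would see."""
    return Counter(referral_target(u) for u in urls)


def check_referrals(urls, max_referrals=MAX_REFERRALS, max_fan_in=MAX_FAN_IN):
    """Hardened client model: decide whether a referral list is acceptable BEFORE allocating
    per-entry state or opening any connection. Returns (accepted, reason)."""
    if len(urls) > max_referrals:
        # Cheap length check first: this is the missing size restriction from the article.
        return False, f"referral list has {len(urls)} entries, cap is {max_referrals}"
    targets = connections_if_followed(urls)
    if not targets:
        return True, "empty referral list"
    (host, port), fan_in = targets.most_common(1)[0]
    if fan_in > max_fan_in:
        # Many referrals collapsing onto one destination is the DDoS signature, not a real topology.
        return False, f"{fan_in} referrals point at {host}:{port}, cap is {max_fan_in}"
    return True, "ok"


# Constructed outbound-connection events from a domain controller, as a SIEM might export
# them from Windows Filtering Platform audit logs. The field layout is this example's own.
CONSTRUCTED_EVENTS = (
    [f"t={i} src=dc01 dst=10.0.0.5 dport=389" for i in range(3)]            # benign: peer DC
    + [f"t={i} src=dc01 dst=203.0.113.10 dport=8389" for i in range(3, 60)]  # referral-driven flood
)
EVENT_RE = re.compile(r"t=(?P<t>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def flag_dc_egress(lines, known_peers, threshold=10):
    """Detection: count outbound connections per (dst, port) from a DC, ignoring known peers,
    and return those at or above `threshold`. The port is attacker-chosen in Win-DDoS (it is
    whatever the referral URL names), so the check keys on the destination, not on 389 alone."""
    counts = Counter()
    for line in lines:
        m = EVENT_RE.match(line)
        if not m or m["dst"] in known_peers:
            continue
        counts[(m["dst"], int(m["dport"]))] += 1
    return {k: n for k, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    victim_hits = connections_if_followed(CONSTRUCTED_REFERRALS)[(VICTIM_HOST, 389)]
    print(f"unbounded client would connect to the victim {victim_hits} times")
    print("hardened client:", check_referrals(CONSTRUCTED_REFERRALS))
    print("suspicious DC egress:", flag_dc_egress(CONSTRUCTED_EVENTS, known_peers={"10.0.0.5"}))
```

The two client models make the asymmetry concrete: one referral response of 5000 URLs costs the attacker a few kilobytes and costs the victim 5000 connection attempts from a trusted server. The egress check is the practical caveat for defenders: a domain controller has very few legitimate reasons to initiate LDAP connections to hosts that are not its own peers, so restricting and alerting on DC-initiated outbound connections to unknown destinations catches this pattern independently of the patches listed below.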
The researchers also uncovered several additional flaws that can take domain controllers offline without authentication: three resource-exhaustion vulnerabilities that lead to remote denial of service, plus one similar issue that requires an authenticated user.
The vulnerabilities have been assigned the following identifiers: CVE-2025-26673 (LDAP, patched May 2025), CVE-2025-32724 (LSASS, patched June 2025), CVE-2025-49716 (Netlogon, patched July 2025), and CVE-2025-49722 (Print Spooler Components, patched July 2025); installing the May, June and July 2025 updates therefore closes all four. All can be weaponized against both publicly exposed and internal services, challenging the long-standing assumption that DoS threats apply only to externally facing systems.
The team emphasizes that these defects fall into the zero-click category, enabling attacks on remote systems without any action from administrators or end users. Such capabilities open the door for adversaries to cripple both corporate and government infrastructures, forcing organizations to reevaluate their threat models and defensive strategies to account for scenarios of this nature.