I'm a cybersecurity researcher, studying netflow patterns to learn about reflective DDoS events that leverage CLDAP as a UDP reflection vector. I need to be able to distinguish between a Windows client legitimately using the LDAP Ping to discover which Domain Controller it should use to authenticate AND reflected attack traffic.
I see things like one IP receiving responses from hundreds, and sometimes thousands, of services on 389/UDP (the reflection vector available on DCs). From my understanding, a Windows client will send the LDAP Ping command to DCs, which it has discovered via DNS lookups, to find out which one it should use for authentication. My sense is that no valid MS networking setup would cause a client to talk to hundreds or thousands of DCs during this process.
Can someone give me some sense of the typical number of DCs a client might reach out to during this process? Or, if not typical, non-anomalous?
Additionally, is this something that a client would repeat very often? I've read that this process occurs on startup. That makes it sound like it's kind of rare.
More than happy to be pointed to reading material.
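As an added example (not part of the question or any answer), here is a small Python script that applies the heuristic described in the question, one IP receiving 389/UDP responses from many distinct sources, to constructed NetFlow-style records. The threshold value, the addresses and the record layout are all assumptions.

```python
from collections import defaultdict

# Constructed NetFlow-style records, not real data: (src, sport, dst, dport, proto).
# A responding DC appears as src with sport 389/UDP; the client (or spoofed victim) is dst.
FLOWS = [
    ("10.0.0.5", 389, "10.0.1.20", 51234, "udp"),    # DC answering a legitimate LDAP Ping
    ("10.0.0.6", 389, "10.0.1.20", 51234, "udp"),    # a second DC in the same site answers too
    ("10.0.1.20", 51234, "10.0.0.5", 389, "udp"),    # the client's own outbound ping
] + [
    (f"203.0.113.{i}", 389, "198.51.100.9", 80, "udp") for i in range(1, 151)
]  # 150 distinct "DCs" all answering one IP that never asked: the reflection pattern

# Assumed cutoff; what this number should be is exactly what the question asks.
DISTINCT_RESPONDER_THRESHOLD = 50


def responders_per_client(flows):
    """Map each destination IP to the set of hosts answering it from 389/UDP."""
    seen = defaultdict(set)
    for src, sport, dst, dport, proto in flows:
        if proto == "udp" and sport == 389:
            seen[dst].add(src)
    return seen


def outbound_pingers(flows):
    """IPs observed actually sending to 389/UDP (a real client shows its own request)."""
    return {src for src, sport, dst, dport, proto in flows if proto == "udp" and dport == 389}


def flag_reflection_victims(flows, threshold=DISTINCT_RESPONDER_THRESHOLD):
    """Return {ip: details} for IPs answered by at least `threshold` distinct 389/UDP sources.

    `sent_request` records whether the flagged IP was ever seen sending to 389/UDP. With a
    spoofed source the victim never sends the ping, so the request side is missing; treat
    this as a supporting signal only, since sampled netflow can also drop the request.
    """
    responders = responders_per_client(flows)
    askers = outbound_pingers(flows)
    flagged = {}
    for ip, srcs in responders.items():
        if len(srcs) >= threshold:
            flagged[ip] = {"responders": len(srcs), "sent_request": ip in askers}
    return flagged


if __name__ == "__main__":
    for ip, info in flag_reflection_victims(FLOWS).items():
        print(f"{ip}: {info['responders']} distinct 389/UDP responders, "
              f"request seen: {info['sent_request']}")
```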