I'm a cybersecurity researcher, studying netflow patterns to learn about reflective DDoS events that leverage CLDAP as a UDP reflection vector. I need to be able to distinguish between a Windows client legitimately using the LDAP Ping to discover which Domain Controller it should use to authenticate and reflected attack traffic.

I see things like one IP receiving responses from hundreds, and sometimes thousands, of services on 389/UDP (the reflection vector available on DCs). From my understanding, a Windows client will send the LDAP Ping command to DCs, which it has discovered via DNS lookups, to find out which one it should use for authentication. My sense is that no valid MS networking setup would cause a client to talk to hundreds or thousands of DCs during this process.

Can someone give me some sense of what the typical number of DCs a client might reach out to during this process? Or, if not typical, non-anomalous?

Additionally, is this something that a client would repeat very often? I've read that this process occurs on start-up. That makes it sound like it's kind of rare.

More than happy to be pointed to reading material.

chad
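A defender-side heuristic for the distinction asked about above, as an added example that is not part of the question or answer. It groups constructed NetFlow-style records (field names are assumed) by the host receiving 389/UDP responses and flags hosts that hear from many distinct responders without having sent matching queries, which is what a spoofed-source reflection looks like from the victim's side.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str   # "udp" or "tcp"
    packets: int
    byts: int


# Constructed sample flows (not real data). 10.0.0.5 behaves like a Windows
# client LDAP-pinging three DCs it found via DNS; 203.0.113.9 receives CLDAP
# responses from 40 distinct hosts without ever having queried any of them.
SAMPLE_FLOWS: List[Flow] = (
    [Flow("10.0.0.5", 50000 + i, f"10.0.1.{i}", 389, "udp", 1, 90) for i in range(3)]
    + [Flow(f"10.0.1.{i}", 389, "10.0.0.5", 50000 + i, "udp", 1, 160) for i in range(3)]
    + [Flow(f"198.51.100.{i}", 389, "203.0.113.9", 40000 + i, "udp", 40, 120000)
       for i in range(1, 41)]
)


def cldap_reflection_candidates(flows: List[Flow], min_responders: int = 20,
                                max_query_ratio: float = 0.1) -> Dict[str, dict]:
    """Return {host: summary} for hosts whose inbound 389/UDP traffic looks reflected.

    Two signals are combined: many distinct responders (a DC Locator client talks
    to a handful of DCs, not hundreds), and a lack of outbound queries from the
    host (a spoofed victim never sent the LDAP Pings whose replies it receives).
    Tune min_responders to the number of DCs actually published in your DNS.
    """
    responders = defaultdict(set)   # host -> set of IPs that answered from 389/udp
    inbound_bytes = defaultdict(int)
    queries_sent = defaultdict(set)  # host -> set of DCs it sent 389/udp queries to
    for f in flows:
        if f.proto != "udp":
            continue
        if f.sport == 389:
            responders[f.dst].add(f.src)
            inbound_bytes[f.dst] += f.byts
        if f.dport == 389:
            queries_sent[f.src].add(f.dst)
    flagged = {}
    for host, srcs in responders.items():
        queried = len(queries_sent.get(host, ()))
        if len(srcs) >= min_responders and queried / len(srcs) <= max_query_ratio:
            flagged[host] = {"responders": len(srcs), "queried_dcs": queried,
                             "inbound_bytes": inbound_bytes[host]}
    return flagged
```

The outbound-query check only works when the collector sees the suspected victim's egress; if you only export flows at the reflector's network you will see the spoofed inbound queries instead, and the responder count is the signal to rely on.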

1 Answer

> Can someone give me some sense of what the typical number of DCs a client might reach out to during this process?

No one can provide this answer. It depends on numerous factors, such as how many there are, how DNS records are published, whether a client is in a site, site link weights and priorities, and so on.

Note that when a client is not in a site, it is also completely normal to test any and all domain controllers, and use any domain controller for authentication.

The DC Locator Process is extensively documented and easily measured.

https://social.technet.microsoft.com/wiki/contents/articles/24457.how-domain-controllers-are-located-in-windows.aspx

Greg Askew