How to Turn Domain Controllers into DDoS Bots via RPC

TLDR: Researchers at DEF CON 2025 demonstrated how to weaponize Windows RPC interfaces and LDAP client code to turn domain controllers into unwitting participants in large-scale DDoS attacks. By exploiting flaws in how these services handle referral packets and memory allocation, an attacker can trigger a system-wide crash or orchestrate a distributed attack without needing prior authentication. This research highlights a critical blind spot in how developers handle network-level security within core Windows processes.

Active Directory environments are often treated as the ultimate fortress, but this research proves that the very protocols designed to keep them running are also their greatest liability. When we talk about denial-of-service, we usually think about flooding a web server with HTTP requests. This research shifts that perspective to the internal infrastructure, showing that core Windows processes like LSASS and the print spooler can be coerced into performing resource-intensive tasks that lead to a complete system collapse.

The LDAP Nightmare: Coercing Domain Controllers

The research centers on a fundamental flaw in how Windows handles LDAP referrals. When a domain controller acts as an LDAP client, it is designed to follow referrals to other servers if it lacks the requested information. The researchers discovered that this process can be manipulated. By sending a specially crafted LDAP referral packet with invalid values, an attacker can force the domain controller to crash.

This vulnerability, tracked as CVE-2024-49113, is particularly dangerous because it requires no authentication. An attacker on the network can simply send the malicious packet to a domain controller, triggering a crash of the LSASS process. Since LSASS is a critical system process, its failure results in an immediate system reboot, effectively taking the domain controller offline.

The mechanism is elegant in its simplicity. The LDAP client code in wldap32.dll fails to properly validate the referral packets it receives. By providing a list of referrals that point to a target, the attacker can force the domain controller to initiate connections to that target. If the attacker provides a massive list of these referrals, they can effectively turn the domain controller into a bot in a DDoS network.

Weaponizing RPC for Resource Exhaustion

Beyond LDAP, the researchers turned their attention to RPC interfaces. Microsoft’s documentation for RPC explicitly states that it is designed to abstract away network details so developers can focus on application logic. This abstraction is exactly where the security failure occurs. Developers often assume that because they are working within the RPC framework, they do not need to worry about the underlying network-level security risks.

The researchers identified several RPC functions that are vulnerable to resource exhaustion, including those in the NetLogon interface and the print spooler. For example, CVE-2025-49722 affects the RpcEnumPrinters function in spoolsv.exe. By manipulating the Name parameter, an attacker can force the spooler service to allocate massive amounts of memory.

The "stateless RPC" technique developed by the team is particularly clever. By sending a bind request and an RPC call in a single packet, they bypass the need to wait for a bind acknowledgment. This allows an attacker to flood the target with requests at a rate that far exceeds the server's ability to process them.

# Conceptual payload for stateless RPC attack
# This bypasses the bind acknowledgment wait time
packet = build_bind_request(uuid) + build_rpc_call(function_id, parameters)
send_packet(target_ip, packet)

Real-World Impact for Pentesters

For those of us conducting red team engagements, these findings are a goldmine. You no longer need to find a complex RCE to disrupt an organization. If you have network access to a domain controller, you have the ability to take it down. The fact that these attacks are unauthenticated means they can be executed from a compromised workstation or even a rogue device plugged into the network.

During an engagement, you should look for RPC interfaces that are exposed and do not require high-level privileges to access. The researchers have released their proof-of-concept code on GitHub, which provides a starting point for testing these vulnerabilities in a controlled environment. When testing, always be mindful of the impact; these are not "soft" crashes. They will trigger a Blue Screen of Death (BSOD) and force a reboot, which is a significant disruption in any production environment.

Defensive Considerations

Defending against these attacks requires a shift in how we view internal network traffic. Traditional perimeter defenses are insufficient because these attacks originate from within the network. Organizations should implement strict network segmentation to limit access to domain controllers and other critical infrastructure.

Furthermore, monitoring for unusual RPC traffic patterns is essential. Tools like Wireshark can be used to capture and analyze traffic for the specific packet structures associated with these exploits. If you see a sudden spike in LDAP referral traffic or a high volume of RPC bind requests from a single source, it is a strong indicator of an ongoing attack.

The "Win-DoS" epidemic is a stark reminder that even the most fundamental components of an operating system can harbor critical vulnerabilities. As researchers, our job is to find these gaps before they are exploited by those with less noble intentions. The next time you are looking at an RPC interface, don't just look for an RCE. Look for the ways you can make the system work against itself. The most effective attacks are often the ones that use the system's own design to bring it down.