Ars Technica covers a recently published research from Black Lotus Labs, the research arm of networking and application technology company Lumen, which identified more than 12,000 servers—all running Microsoft domain controllers hosting the company’s Active Directory services—that were regularly used to magnify the size of distributed-denial-of-service attacks.
Since at least 2017, the attacks leveraging Connectionless Lightweight Directory Access Protocol magnify data torrents by a factor of 56 to 70, making it among the more powerful reflectors available.
Many of the examples listed in the article sound like small businesses. A regional retail business. A religious organization. In fact, the research calls out small organizations specifically.
Why do we care?
There’s a solid case in 2022 that small businesses should not be running Active Directory on-premise. I’ll note that Microsoft stopped selling Small Business Server at the end of 2013, and the end of life was January 2020. You know, over two years ago.
Where is the line? Well, I see it in the rearview mirror. This isn’t exactly a slight problem when you note that the research simply identified that many servers are being used regularly.
Besides an obvious opportunity to sell upgrades… one must ponder if there should be a security obligation to get a connection to the internet. That’s part of the premise of zero trust… to require verifications before accessing systems. Not being on a network with an AD server spewing garbage seems like a good criterion.

