Black Hat Europe 2025 | A crash course in revealing insecure blind spots for DoS & DDoS
Domain Controllers (DCs) are organizations’ crown jewels. A successful Denial-of-Service (DoS) attack against them can terminate authentication processes and cause widespread disruption.
Our previous LdapNightmare research, the first public pre-auth DC DoS exploit for CVE-2024-49113, revealed that DCs can be turned into LDAP clients by communicating with their NetLogon RPC server. These clients could then be crashed by a single invalid value they receive. This taught us that remotely triggered client code is a blind spot that overtrusts what it receives.
Eager to find other blind spots in servers on DCs, we asked: what makes server code overtrust? Abstraction layers! We realized that although common server code nowadays mostly mitigates classic server risks, that may not hold when the code is transport-agnostic, uses heavy abstractions, and focuses mostly on the application’s logic.
Starting by targeting remotely triggered LDAP client code, we found a vulnerability that denies service from DCs or, alternatively, can be exploited to manipulate them into joining a DDoS botnet attack. Then we moved on to target Windows’ most common transport-agnostic wrapped server code: RPC functions. By exploiting security gaps in RPC bindings, we developed novel techniques that allow hammering a single RPC server tens of thousands of times simultaneously from a single system, far surpassing standard concurrency limits! And wow, this armed us beyond our expectations, with vulnerabilities crashing any form of Windows, both servers and endpoints! Our blind spot hypothesis turned out to be the reality.
In this talk, we’ll present “Win-DoS”, a set of tools exploiting 30 DoS vulnerabilities we discovered in Domain Controllers and Windows endpoints. Most vulnerabilities do not require any authentication, and one not only crashes the target but also allows effortlessly initiating a botnet that harnesses the upload rates and vast resources of any public DCs to participate in DDoS attacks.
By:
Or Yair | Security Research Team Lead, SafeBreach
Shahak Morag | Security Researcher
https://blackhat.com/eu-25/briefings/schedule/?#win-dos-aftershock-a-crash-course-in-revealing-insecure-blind-spots-for-dos–ddos-49015