Add domain blacklist to LdapConnectionPool to try to alleviate pain f…

…rom repeated query attempts to a domain we can't reach
SpecterOps · Jan 8, 2025 · bda2bc4 · bda2bc4
1 parent ebf78f6
commit bda2bc4
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/src/CommonLib/ConnectionPoolManager.cs b/src/CommonLib/ConnectionPoolManager.cs
@@ -73,14 +73,14 @@ public void ReleaseConnection(LdapConnectionWrapper connectionWrapper, bool conn
         }
 
         private bool GetPool(string identifier, out LdapConnectionPool pool) {
-            if (string.IsNullOrWhiteSpace(identifier) || identifier == ".") {
+            if (string.IsNullOrWhiteSpace(identifier)) {
                 pool = default;
                 return false;
             }
 
             var resolved = ResolveIdentifier(identifier);
             if (!_pools.TryGetValue(resolved, out pool)) {
-                pool = new LdapConnectionPool(identifier, resolved, _ldapConfig,scanner: _portScanner);
+                pool = new LdapConnectionPool(identifier, resolved, _ldapConfig, scanner: _portScanner);
                 _pools.TryAdd(resolved, pool);
             }
 
@@ -96,6 +96,7 @@ private bool GetPool(string identifier, out LdapConnectionPool pool) {
             if (globalCatalog) {
                 return await pool.GetGlobalCatalogConnectionAsync();
             }
+
             return await pool.GetConnectionAsync();
         }
 

diff --git a/src/CommonLib/LdapConnectionPool.cs b/src/CommonLib/LdapConnectionPool.cs
@@ -31,6 +31,7 @@ internal class LdapConnectionPool : IDisposable{
         private const int BackoffDelayMultiplier = 2;
         private const int MaxRetries = 3;
         private static readonly ConcurrentDictionary<string, NetAPIStructs.DomainControllerInfo?> DCInfoCache = new();
+        private static readonly ConcurrentHashSet _blacklistedDomains = new();
 
         public LdapConnectionPool(string identifier, string poolIdentifier, LdapConfig config, PortScanner scanner = null, NativeMethods nativeMethods = null, ILogger log = null) {
             _connections = new ConcurrentBag<LdapConnectionWrapper>();
@@ -595,6 +596,10 @@ private bool CallDsGetDcName(string domainName, out NetAPIStructs.DomainControll
         }
 
         public async Task<(bool Success, LdapConnectionWrapper ConnectionWrapper, string Message)> GetConnectionAsync() {
+            if (_blacklistedDomains.Contains(_identifier)) {
+                return (false, null, $"Identifier {_identifier} blacklisted for connection attempt");
+            }
+
             if (!_connections.TryTake(out var connectionWrapper)) {
                 var (success, connection, message) = await CreateNewConnection();
                 if (!success) {
@@ -691,6 +696,7 @@ public void Dispose() {
                     _log.LogDebug(
                         "Could not get domain object from GetDomain, unable to create ldap connection for domain {Domain}",
                         _identifier);
+                    _blacklistedDomains.Add(_identifier);
                     return (false, null, "Unable to get domain object for further strategies");
                 }
                 tempDomainName = domainObject.Name.ToUpper().Trim();
@@ -725,6 +731,7 @@ public void Dispose() {
                 }
             } catch (Exception e) {
                 _log.LogInformation(e, "We will not be able to connect to domain {Domain} by any strategy, leaving it.", _identifier);
+                _blacklistedDomains.Add(_identifier);
             }
 
             return (false, null, "All attempted connections failed");