22 January 2021

Windows Remote Desktop servers abused to amplify DDoS attacks

Operators of DDoS-for-hire services are now abusing Windows Remote Desktop Protocol (RDP) servers to amplify Distributed Denial of Service (DDoS) attacks, a new Netscout advisory warned.

The Microsoft RDP service is a built-in Windows service that can be configured to listen on TCP/3389 and/or UDP/3389 and provides authenticated remote virtual desktop infrastructure (VDI) access to Windows-based workstations and servers.

According to Netscout, when enabled on UDP/3389, the Microsoft Windows RDP service may be abused to launch UDP reflection/amplification attacks with an amplification ratio of 85.9:1.

“The amplified attack traffic consists of non-fragmented UDP packets sourced from UDP/3389 and directed towards the destination IP address(es) and UDP port(s) of the attacker’s choice. In contrast to legitimate RDP session traffic, the amplified attack packets are consistently 1,260 bytes in length, and are padded with long strings of zeroes,” the advisory reads.

The researchers said they identified nearly 14,000 vulnerable Windows RDP servers exposed online that can be abused to launch DDoS attacks. Netscout observed attacks ranging from ~20 Gbps to ~750 Gbps.

“The collateral impact of RDP reflection/amplification attacks is potentially quite high for organizations whose Windows RDP servers are abused as reflectors/amplifiers. This may include partial or full interruption of mission-critical remote-access services, as well as additional service disruption due to transit capacity consumption, state-table exhaustion of stateful firewalls, load balancers, etc.,” the researchers explained. “Wholesale filtering of all UDP/3389-sourced traffic by network operators may potentially overblock legitimate internet traffic, including legitimate RDP remote session replies.”

To defend against such attacks, organizations should either completely disable the vulnerable UDP-based service on Windows RDP servers or make the servers reachable only via VPN by placing them behind a VPN concentrator.
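A detection sketch over constructed packet records, added here as an example and not part of the Netscout advisory or this article: it flags non-fragmented UDP packets sourced from port 3389 that are exactly 1,260 bytes and padded with long zero runs, the traits quoted above, so a network operator can alert on the victim addresses instead of filtering all UDP/3389 traffic. The Packet record, the sample traffic and the 64-byte zero-run threshold are assumptions.

```python
from dataclasses import dataclass

# Traits of amplified RDP reflection traffic as described in the advisory.
RDP_UDP_PORT = 3389
AMPLIFIED_PKT_LEN = 1260   # amplified packets are consistently 1,260 bytes
MIN_ZERO_RUN = 64          # assumed threshold for "long strings of zeroes"


@dataclass
class Packet:
    """Hypothetical flow record; a real deployment would fill this from a capture."""
    proto: str        # "UDP" or "TCP"
    src_port: int
    dst_ip: str
    length: int       # UDP payload length in bytes
    payload: bytes
    fragmented: bool = False


def longest_zero_run(payload: bytes) -> int:
    """Length of the longest run of 0x00 bytes in the payload."""
    best = run = 0
    for b in payload:
        run = run + 1 if b == 0 else 0
        best = max(best, run)
    return best


def is_rdp_amplification(pkt: Packet) -> bool:
    """True when a packet matches all traits of the amplified attack traffic."""
    return (pkt.proto == "UDP"
            and pkt.src_port == RDP_UDP_PORT
            and not pkt.fragmented
            and pkt.length == AMPLIFIED_PKT_LEN
            and longest_zero_run(pkt.payload) >= MIN_ZERO_RUN)


def summarize(packets) -> dict:
    """Return {destination_ip: flagged_count}; destinations are the DDoS victims."""
    hits = {}
    for p in packets:
        if is_rdp_amplification(p):
            hits[p.dst_ip] = hits.get(p.dst_ip, 0) + 1
    return hits


# Constructed sample traffic (not a real capture).
SAMPLE = [
    Packet("UDP", 3389, "203.0.113.10", 1260, b"\x00" * 1260),                    # amplified
    Packet("UDP", 3389, "203.0.113.10", 1260, b"\x30\x00" * 4 + b"\x00" * 1252),  # amplified
    Packet("UDP", 3389, "198.51.100.5", 412, bytes(range(256)) + b"\x01" * 156),  # normal reply
    Packet("TCP", 3389, "198.51.100.5", 1260, b"\x00" * 1260),                    # TCP, not reflection
    Packet("UDP", 53, "203.0.113.10", 1260, b"\x00" * 1260),                      # other service
]
```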
