Operators of DDoS-for-hire services are now abusing Windows Remote Desktop Protocol (RDP) servers to amplify Distributed Denial of Service (DDoS) attacks, a new Netscout advisory warned.
The Microsoft RDP service is built into Windows and can be configured to listen on TCP/3389 and/or UDP/3389; it provides authenticated remote virtual desktop infrastructure (VDI) access to Windows-based workstations and servers.
According to Netscout, when enabled on UDP/3389, the Microsoft Windows RDP service may be abused to launch UDP reflection/amplification attacks with an amplification ratio of 85.9:1.
“The amplified attack traffic consists of non-fragmented UDP packets sourced from UDP/3389 and directed towards the destination IP address(es) and UDP port(s) of the attacker’s choice. In contrast to legitimate RDP session traffic, the amplified attack packets are consistently 1,260 bytes in length, and are padded with long strings of zeroes,” the advisory reads.
The researchers said they identified nearly 14,000 vulnerable Windows RDP servers exposed online that can be abused to launch DDoS attacks. Netscout observed attacks ranging from ~20 Gbps to ~750 Gbps.
“The collateral impact of RDP reflection/amplification attacks is potentially quite high for organizations whose Windows RDP servers are abused as reflectors/amplifiers. This may include partial or full interruption of mission-critical remote-access services, as well as additional service disruption due to transit capacity consumption, state-table exhaustion of stateful firewalls, load balancers, etc.,” the researchers explained. “Wholesale filtering of all UDP/3389-sourced traffic by network operators may potentially overblock legitimate internet traffic, including legitimate RDP remote session replies.”
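As an added illustration of the traffic signature quoted above (this is not code from the Netscout advisory), the following Python filter flags only packets that match every described trait (UDP, sourced from port 3389, exactly 1,260 bytes, zero-padded) and tallies them per reflector and victim, so that ordinary UDP/3389 session replies are not swept up the way a blanket port filter would. The packet records, IP addresses, and the minimum zero-padding threshold are constructed assumptions.

```python
from collections import Counter

# Signature of amplified RDP reflection traffic as described in the advisory:
# non-fragmented UDP, source port UDP/3389, fixed 1,260-byte packets padded with zeros.
RDP_UDP_PORT = 3389
AMPLIFIED_PKT_LEN = 1260
MIN_ZERO_PAD = 64  # assumption: trailing zero bytes required to call a payload "padded"

# Constructed packet records (not captures from the advisory). "length" is the
# on-wire packet size as a capture tool would report it; "payload" is the UDP data.
SAMPLE_PACKETS = [
    # two abused reflectors hammering the same victim: match the signature
    {"proto": "udp", "fragmented": False, "src": "203.0.113.10", "sport": 3389,
     "dst": "198.51.100.5", "dport": 80, "length": 1260,
     "payload": b"\x03\x00\x04\xd2" + b"\x00" * 1228},
    {"proto": "udp", "fragmented": False, "src": "203.0.113.11", "sport": 3389,
     "dst": "198.51.100.5", "dport": 80, "length": 1260,
     "payload": b"\x03\x00\x04\xd2" + b"\x00" * 1228},
    # a legitimate UDP/3389 session reply: same source port, but short and not zero-padded
    {"proto": "udp", "fragmented": False, "src": "203.0.113.12", "sport": 3389,
     "dst": "192.0.2.7", "dport": 51234, "length": 512,
     "payload": bytes(range(256)) * 2},
    # a TCP/3389 session packet: different protocol, ignored entirely
    {"proto": "tcp", "fragmented": False, "src": "203.0.113.13", "sport": 3389,
     "dst": "192.0.2.8", "dport": 51235, "length": 1260, "payload": b"\xab" * 1232},
    # right size and port, but no zero padding: treat as ordinary traffic
    {"proto": "udp", "fragmented": False, "src": "203.0.113.14", "sport": 3389,
     "dst": "192.0.2.9", "dport": 51236, "length": 1260, "payload": b"\xab" * 1232},
]


def is_rdp_amplification_packet(pkt):
    """True only when a packet record matches all traits of the reflected/amplified traffic."""
    if pkt["proto"] != "udp" or pkt["fragmented"]:
        return False
    if pkt["sport"] != RDP_UDP_PORT or pkt["length"] != AMPLIFIED_PKT_LEN:
        return False
    payload = pkt["payload"]
    trailing_zeros = len(payload) - len(payload.rstrip(b"\x00"))
    return trailing_zeros >= MIN_ZERO_PAD


def summarize_reflectors(packets):
    """Count matching packets per (reflector, victim) pair for targeted filtering or notification."""
    hits = Counter()
    for pkt in packets:
        if is_rdp_amplification_packet(pkt):
            hits[(pkt["src"], pkt["dst"])] += 1
    return hits


if __name__ == "__main__":
    for (reflector, victim), count in summarize_reflectors(SAMPLE_PACKETS).items():
        print(f"reflector {reflector} -> victim {victim}: {count} amplified packet(s)")
```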
To defend against such attacks, organizations should either disable the vulnerable UDP-based service on their Windows RDP servers entirely or expose the servers only through a VPN by placing them behind a VPN concentrator.