Attackers are abusing Windows Remote Desktop Protocol (RDP) servers to amplify Distributed Denial of Service (DDoS) attacks.
The Microsoft Remote Desktop Protocol (RDP) is a built-in service in Microsoft Windows operating systems that provides authenticated remote virtual desktop infrastructure (VDI) access to Windows-based workstations and servers. The RDP service can be configured to run on TCP/3389 and/or UDP/3389.
Researchers from Netscout reported that RDP servers could be abused to launch UDP reflection/amplification attacks with an amplification ratio of 85.9:1 when the service is enabled on UDP/3389.
“When enabled on UDP/3389, the Microsoft Windows RDP service may be abused to launch UDP reflection/amplification attacks with an amplification ratio of 85.9:1.” reads the post published by Netscout. “The amplified attack traffic consists of non-fragmented UDP packets sourced from UDP/3389 and directed towards the destination IP address(es) and UDP port(s) of the attacker’s choice.”
Attackers can send specially crafted UDP packets to the UDP ports of RDP servers that will be “reflected” to the target after being amplified in size.
The packets sent in this kind of attack have a length of 1,260 bytes and are padded with long strings of zeroes. Experts pointed out that this DDoS amplification technique could allow mounting attacks with a volume of traffic ranging from ~20 Gbps to ~750 Gbps.
The researchers already identified approximately 14,000 Windows RDP servers that could be abused.
These attacks may cause partial or full interruption of mission-critical remote-access services, while wholesale filtering of all UDP/3389 traffic by network operators may potentially block legitimate traffic, such as legitimate RDP remote session replies.
To prevent the abuse of an RDP server in reflection/amplification attacks, administrators should either disable the UDP-based service (UDP/3389) or deploy Windows RDP servers behind VPN concentrators.
“It is strongly recommended that RDP servers should be accessible only via VPN services in order to shield them from abuse. If RDP servers offering remote access via UDP cannot immediately be moved behind VPN concentrators, it is strongly recommended that RDP via UDP/3389 be disabled as an interim measure.” concludes Netscout.
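The traffic characteristics above (replies sourced from UDP/3389, 1,260-byte packets, a bytes-out to bytes-in ratio far above 1) give network operators a way to spot a reflector in their own address space without filtering all of UDP/3389. The following is an added example, not code from Netscout or Microsoft; the flow records are constructed, and the field layout is an assumed NetFlow-style export rather than any particular vendor format.

```python
"""Flag Windows RDP (UDP/3389) reflection traffic in NetFlow-style records (added example)."""
from collections import defaultdict
from dataclasses import dataclass

RDP_UDP_PORT = 3389
REFLECTED_PKT_LEN = 1260      # size of the amplified packets reported by Netscout
MIN_AMPLIFICATION = 10.0      # reporting threshold; the observed ratio was 85.9:1

@dataclass(frozen=True)
class Flow:                   # assumed 5-tuple plus counters, constructed for this example
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    nbytes: int

def is_rdp_udp_reply(flow: Flow) -> bool:
    """UDP flow sourced from 3389 whose mean packet size matches the 1,260-byte amplified packets."""
    if flow.proto != "udp" or flow.src_port != RDP_UDP_PORT or flow.packets == 0:
        return False
    return abs(flow.nbytes / flow.packets - REFLECTED_PKT_LEN) < 20

def amplification_ratios(flows: list[Flow]) -> dict[str, float]:
    """Per RDP host: bytes sent from UDP/3389 divided by bytes received on UDP/3389.
    Legitimate sessions stay near 1; a reflector answers a tiny request with many large packets."""
    sent, recv = defaultdict(int), defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.src_port == RDP_UDP_PORT:
            sent[f.src_ip] += f.nbytes
        elif f.dst_port == RDP_UDP_PORT:
            recv[f.dst_ip] += f.nbytes
    return {host: sent[host] / recv[host] for host in sent if recv[host]}

def suspected_reflectors(flows: list[Flow]) -> list[str]:
    """Hosts that both exceed the amplification threshold and emit 1,260-byte replies."""
    reply_hosts = {f.src_ip for f in flows if is_rdp_udp_reply(f)}
    ratios = amplification_ratios(flows)
    return sorted(h for h, r in ratios.items() if r >= MIN_AMPLIFICATION and h in reply_hosts)

# Constructed sample: one spoofed 100-byte request carrying the victim's address, seven
# 1,260-byte replies to that victim, and a normal session whose reply size does not match.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", 40000, "192.0.2.10", 3389, "udp", 1, 100),      # spoofed request
    Flow("192.0.2.10", 3389, "203.0.113.7", 40000, "udp", 7, 8820),     # reflected replies
    Flow("198.51.100.5", 50000, "192.0.2.11", 3389, "udp", 10, 2000),   # legitimate session
    Flow("192.0.2.11", 3389, "198.51.100.5", 50000, "udp", 10, 3000),
]
```

On the sample, only 192.0.2.10 is reported (ratio 88.2:1); the ordinary session on 192.0.2.11 has a ratio of 1.5 and 300-byte replies, so it is left alone.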