Abusing Windows RDP servers to amplify DDoS attacks

Threat actors are abusing Windows Remote Desktop Protocol (RDP) servers to amplify Distributed Denial of Service (DDoS) attacks.

The Microsoft Remote Desktop Protocol (RDP) is a built-in service in Microsoft Windows operating systems that provides authenticated remote virtual desktop infrastructure (VDI) access to Windows-based workstations and servers. The RDP service can be configured to run on TCP/3389 and/or UDP/3389.

Researchers from Netscout reported that RDP servers with the UDP transport enabled on UDP/3389 can be abused to launch UDP reflection/amplification attacks with an amplification ratio of 85.9:1.

“When enabled on UDP/3389, the Microsoft Windows RDP service may be abused to launch UDP reflection/amplification attacks with an amplification ratio of 85.9:1.” reads the post published by Netscout. “The amplified attack traffic consists of non-fragmented UDP packets sourced from UDP/3389 and directed towards the destination IP address(es) and UDP port(s) of the attacker’s choice.”

In such a reflection attack, the attacker sends small, specially crafted UDP packets to UDP/3389 on internet-exposed RDP servers with the source IP address spoofed to that of the victim; the servers then “reflect” their much larger responses to the victim, so the traffic the victim receives is many times what the attacker had to generate.

The amplified packets sent by the abused servers have a consistent length of 1,260 bytes and are padded with long strings of zeroes. Experts pointed out that attacks abusing this technique have reached volumes ranging from roughly 20 Gbps to 750 Gbps.
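To make the mechanics concrete, the PowerShell below is an added example (not code from Netscout or this article) that scans flow records for a host answering from UDP/3389 with 1,260-byte packets toward an external address, pairs each such flow with the reverse flow from the spoofed victim, and computes the bytes-out to bytes-in amplification. The flow records, their field layout (time, proto, src, sport, dst, dport, pkts, bytes), the 100-packet minimum and the 10-byte tolerance are all constructed assumptions for the demo; adapt the parser to your exporter's format.

```powershell
# Added example (not from Netscout or the article): flag an RDP server acting as a
# UDP/3389 reflector from flow records and compute the amplification it delivered.
# The records and the field layout
#   time proto src sport dst dport pkts bytes
# are constructed for this demo; adapt ConvertFrom-FlowLine to a real exporter.
$flows = @"
2021-01-22T10:00:01Z udp 198.51.100.7 80 203.0.113.10 3389 1200 17600
2021-01-22T10:00:01Z udp 203.0.113.10 3389 198.51.100.7 80 1200 1512000
2021-01-22T10:00:02Z udp 203.0.113.10 3389 192.0.2.55 60101 3 1200
2021-01-22T10:00:02Z udp 203.0.113.10 3389 192.0.2.77 51023 500 300000
2021-01-22T10:00:03Z tcp 203.0.113.10 3389 192.0.2.77 51022 40 12000
"@ -split "`n" | Where-Object { $_.Trim() }

function ConvertFrom-FlowLine {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        [pscustomobject]@{
            Time  = $f[0]; Proto = $f[1]
            Src   = $f[2]; SPort = [int]$f[3]
            Dst   = $f[4]; DPort = [int]$f[5]
            Pkts  = [int]$f[6]; Bytes = [int]$f[7]
        }
    }
}

function Find-RdpReflection {
    param(
        [object[]]$Records,
        [int]$MinPkts   = 100,   # assumed threshold: ignore tiny flows
        [int]$Tolerance = 10     # bytes of slack around the 1,260-byte packet size
    )
    # Candidate responses: UDP flows sourced from port 3389 whose average packet
    # size matches the 1,260-byte amplified packets Netscout described.
    $suspects = $Records | Where-Object {
        $_.Proto -eq 'udp' -and $_.SPort -eq 3389 -and $_.Pkts -ge $MinPkts -and
        [math]::Abs(($_.Bytes / $_.Pkts) - 1260) -le $Tolerance
    }
    foreach ($r in $suspects) {
        # The "request" is the reverse flow: packets carrying the spoofed victim
        # address and port, aimed at UDP/3389 on the reflector.
        $req = $Records | Where-Object {
            $_.Proto -eq 'udp' -and $_.Src -eq $r.Dst -and $_.SPort -eq $r.DPort -and
            $_.Dst -eq $r.Src -and $_.DPort -eq 3389
        } | Measure-Object -Property Bytes -Sum
        [pscustomobject]@{
            Reflector     = $r.Src
            Victim        = "$($r.Dst):$($r.DPort)"
            BytesOut      = $r.Bytes
            BytesIn       = $req.Sum
            AvgPktBytes   = [math]::Round($r.Bytes / $r.Pkts)
            Amplification = if ($req.Sum) { [math]::Round($r.Bytes / $req.Sum, 1) } else { $null }
        }
    }
}

Find-RdpReflection -Records (ConvertFrom-FlowLine -Lines $flows) | Format-Table -AutoSize
```

On the constructed records only the 203.0.113.10 to 198.51.100.7:80 flow is reported: 1,512,000 bytes out against 17,600 bytes in, which is the 85.9:1 ratio from the advisory. The legitimate RDP-over-UDP session to 192.0.2.77 (average packet ~600 bytes, response to an ephemeral port) and the TCP session are not flagged, which is the distinction an operator needs before filtering anything on UDP/3389.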

The researchers already identified approximately 14,000 Windows RDP servers that could be abused.

These attacks may cause partial or full interruption of mission-critical remote-access services, while wholesale filtering of all UDP/3389 traffic by network operators may potentially block legitimate traffic, such as legitimate RDP remote session replies.  

To prevent an RDP server from being used as a reflector, administrators should either disable the RDP UDP transport (UDP/3389), leaving the service reachable over TCP/3389 only, or place Windows RDP servers behind VPN concentrators so they are not directly reachable from the internet.

“It is strongly recommended that RDP servers should be accessible only via VPN services in order to shield them from abuse. If RDP servers offering remote access via UDP cannot immediately be moved behind VPN concentrators, it is strongly recommended that RDP via UDP/3389 be disabled as an interim measure.” concludes Netscout.
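The interim measure Netscout recommends can be applied and verified from an elevated PowerShell session. The script below is an added example, not code from Netscout or Microsoft: it reads the state of the “Select RDP transport protocols” policy (registry value SelectTransport under the Terminal Services policy key, where 1 means use only TCP), checks whether anything is bound to UDP/3389, sets the policy to TCP only and adds a host-firewall rule blocking inbound UDP/3389 as a second layer. The firewall rule name and the `-RestartService` switch are this example's own choices.

```powershell
# Added example (not from Netscout or Microsoft): audit and harden a Windows host
# that exposes RDP over UDP/3389. Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

# Policy key for "Select RDP transport protocols"; SelectTransport = 1 means "Use only TCP".
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
# Rule name is an arbitrary label chosen for this example.
$ruleName  = 'Block RDP UDP (reflection mitigation)'

function Get-RdpUdpExposure {
    # Is anything currently bound to UDP/3389, and what does policy say about the transport?
    $listener  = Get-NetUDPEndpoint -LocalPort 3389 -ErrorAction SilentlyContinue
    $transport = (Get-ItemProperty -Path $policyKey -Name SelectTransport `
                    -ErrorAction SilentlyContinue).SelectTransport
    $rule      = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UdpListenerPresent = [bool]$listener
        SelectTransport    = if ($null -eq $transport) { 'not set (default: TCP and UDP)' } else { $transport }
        UdpBlockedByHostFw = [bool]$rule
    }
}

function Disable-RdpUdpTransport {
    param([switch]$RestartService)   # restarting TermService drops active sessions

    # Force RDP onto TCP only via the transport policy.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name SelectTransport -Value 1 -Type DWord

    # Second layer: block inbound UDP/3389 at the host firewall so a policy that is
    # not yet applied cannot leave the listener reachable. TCP/3389 is untouched,
    # so legitimate clients simply fall back to TCP.
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol UDP `
            -LocalPort 3389 -Action Block -Profile Any | Out-Null
    }

    # The listener picks the new transport setting up when Remote Desktop Services
    # restarts (or on reboot); only do this now if the operator opted in.
    if ($RestartService) { Restart-Service -Name TermService -Force }
}

Write-Host 'Before:'; Get-RdpUdpExposure | Format-List
Disable-RdpUdpTransport
Write-Host 'After:';  Get-RdpUdpExposure | Format-List
```

Re-run `Get-RdpUdpExposure` after the service restart or reboot and confirm UdpListenerPresent is false; from outside the host, a UDP probe to port 3389 should then receive no reply. This removes the reflector but does not change the TCP/3389 exposure, so moving the server behind a VPN concentrator, as the advisory recommends, remains the end state.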


Pierluigi Paganini

(SecurityAffairs – hacking, DDoS)
