Abusing Windows RDP servers to amplify DDoS attacks

Threat actors are abusing Windows Remote Desktop Protocol (RDP) servers to amplify Distributed Denial of Service (DDoS) attacks.

Attackers are abusing Windows Remote Desktop Protocol (RDP) servers to amplify Distributed Denial of Service (DDoS) attacks.

The Microsoft Remote Desktop Protocol (RDP) is a built-in service in Microsoft Windows operating systems that provides authenticated remote virtual desktop infrastructure (VDI) access to Windows-based workstations and servers. The RDP service can be configured to run on TCP/3389 and/or UDP/3389.

Researchers from Netscout reported that attackers could be abused to launch UDP reflection/amplification attacks with an amplification ratio of 85.9:1 when enabled on UDP/3389,

“When enabled on UDP/3389, the Microsoft Windows RDP service may be abused to launch UDP reflection/amplification attacks with an amplification ratio of 85.9:1.” reads the post published by Netscout. “The amplified attack traffic consists of non-fragmented UDP packets sourced from UDP/3389 and directed towards the destination IP address(es) and UDP port(s) of the attacker’s choice.”

Attackers can send specially crafted UDP packets to the UDP ports of RDP servers that will be “reflected” to the target after being amplified in size.

The packets sent in such kind of attack have a length of 1,260 bytes and are padded with long strings of zeroes. Experts pointed out that this DDoS amplification technique could allow mounting attacks with a volume of traffic ranging from ~20 Gbps – ~750 Gbps.

The researchers already identified approximately 14,000 Windows RDP servers that could be abused.

These attacks may cause partial or full interruption of mission-critical remote-access services, while wholesale filtering of all UDP/3389 traffic by network operators may potentially block legitimate traffic, such as legitimate RDP remote session replies.  

To prevent the abuse of an RDP server in reflection/amplification attacks, administrators should either disable UDP-based service or deploy Windows RDP servers behind VPN concentrators.

“It is strongly recommended that RDP servers should be accessible only via VPN services in order to shield them from abuse. If RDP servers offering remote access via UDP cannot immediately be moved behind VPN concentrators, it is strongly recommended that RDP via UDP/3389 be disabled as an interim measure.” concludes Netscout.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, DDoS)

[adrotate banner=”5″]

[adrotate banner=”13″]