Threat Actors Can Exploit Windows RDP Servers to Amplify DDoS Attacks

Netscout researchers identify more than 14,000 existing servers that can be abused by ‘the general attack population’ to flood organizations’ networks with traffic.

Cybercriminals can exploit Microsoft Remote Desktop Protocol (RDP) as a powerful tool to amplify distributed denial-of-service (DDoS) attacks, new research has found.

Attackers can abuse RDP to launch UDP reflection/amplification attacks with an amplification ratio of 85.9:1, principal engineer Roland Dobbins and senior network security analyst Steinthor Bjarnason from Netscout said in a report published online this week.

However, not all RDP servers can be used in this way. It’s possible only when the service is enabled on UDP port 3389 alongside the standard TCP port 3389, researchers said.

Netscout so far has identified more than 14,000 “abusable” Windows RDP servers that can be misused by attackers in DDoS attacks—troubling news at a time when this type of attack is on the rise due to the increased volume of people online during the ongoing coronavirus pandemic.

This risk was highlighted earlier this week when researchers identified a new malware variant dubbed Freakout adding endpoints to a botnet to target Linux devices with DDoS attacks.

What’s more, while initially only advanced attackers with access to “bespoke DDoS attack infrastructure” used this method of amplification, researchers also observed RDP servers being abused in DDoS-for-hire services by so-called “booters,” they said. This means “the general attacker population” can also use this mode of amplification to add heft to their DDoS attacks.

RDP is a part of the Microsoft Windows OS that provides authenticated remote virtual desktop infrastructure (VDI) access to Windows-based workstations and servers. System administrators can configure RDP to run on TCP port 3389 and/or UDP port 3389.

Attackers can send the amplified attack traffic, which is comprised of non-fragmented UDP packets that originate at UDP port 3389, to target a particular IP address and UDP port of choice, researchers said.

“In contrast to legitimate RDP session traffic, the amplified attack packets are consistently 1,260 bytes in length, and are padded with long strings of zeroes,” Dobbins and Bjarnason explained.

Leveraging Windows RDP servers in this way has significant impact on victim organizations, including “partial or full interruption of mission-critical remote-access services,” as well as other service disruptions due to transit capacity consumption and associated effects on network infrastructure, researchers said.

“Wholesale filtering of all UDP/3389-sourced traffic by network operators may potentially overblock legitimate internet traffic, including legitimate RDP remote-session replies,” researchers noted.
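The two paragraphs above give a defender something more precise than "UDP/3389" to key on: the reflected packets share a source port, a fixed 1,260-byte length, and long runs of zero padding, while legitimate RDP/UDP replies do not. The following is an added example, not code from Netscout or from the Threatpost article, showing how a monitoring script could apply that full fingerprint to captured datagrams and count hits per reflector/victim pair instead of blocking every UDP/3389 packet. The `Datagram` record, the sample traffic and the 64-byte zero-run threshold are all constructed for the example.

```python
# Added example (not Netscout's code): classify UDP datagrams using the
# RDP-reflection fingerprint described in the report -- source port UDP/3389,
# non-fragmented datagrams that are consistently 1,260 bytes and padded with
# long runs of zero bytes -- while leaving ordinary RDP/UDP replies alone.
from collections import defaultdict
from dataclasses import dataclass

RDP_UDP_PORT = 3389
REFLECTED_LEN = 1260   # packet length cited in the report
ZERO_RUN_MIN = 64      # assumed threshold for a "long string of zeroes"


@dataclass
class Datagram:
    """Minimal view of a captured UDP datagram (constructed for the example)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    fragmented: bool
    payload: bytes


def longest_zero_run(payload: bytes) -> int:
    """Length of the longest contiguous run of 0x00 bytes in the payload."""
    best = cur = 0
    for b in payload:
        cur = cur + 1 if b == 0 else 0
        best = max(best, cur)
    return best


def looks_reflected(d: Datagram) -> bool:
    """True only when every part of the reflection fingerprint matches."""
    return (d.src_port == RDP_UDP_PORT
            and not d.fragmented
            and len(d.payload) == REFLECTED_LEN
            and longest_zero_run(d.payload) >= ZERO_RUN_MIN)


def summarize(datagrams):
    """Group fingerprint hits by (reflector, victim IP, victim port)."""
    hits = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for d in datagrams:
        if looks_reflected(d):
            key = (d.src_ip, d.dst_ip, d.dst_port)
            hits[key]["packets"] += 1
            hits[key]["bytes"] += len(d.payload)
    return dict(hits)


# --- constructed sample traffic ------------------------------------------
# A 4-byte header followed by 1,256 zero bytes: 1,260 bytes, heavily padded.
REFLECTED_PAYLOAD = b"\x03\x00\x00\x0c" + bytes(1256)
REFLECTOR = "203.0.113.10"   # abusable RDP server (documentation address)
VICTIM = "192.0.2.7"         # spoofed source in the attacker's requests

# A normal-looking RDP/UDP reply: short, no long zero run.
LEGIT_REPLY = Datagram(REFLECTOR, 3389, "198.51.100.5", 52000, False,
                       bytes(range(1, 201)))

SAMPLE = [
    Datagram(REFLECTOR, 3389, VICTIM, 80, False, REFLECTED_PAYLOAD),
    Datagram(REFLECTOR, 3389, VICTIM, 80, False, REFLECTED_PAYLOAD),
    Datagram(REFLECTOR, 3389, VICTIM, 80, False, REFLECTED_PAYLOAD),
    LEGIT_REPLY,
    # Right length and port, but no zero padding: not a hit.
    Datagram(REFLECTOR, 3389, VICTIM, 80, False,
             bytes((i % 255) + 1 for i in range(REFLECTED_LEN))),
    # Padded payload but wrong source port: not a hit.
    Datagram(REFLECTOR, 53, VICTIM, 80, False, REFLECTED_PAYLOAD),
    # Fragmented datagram: excluded by the fingerprint.
    Datagram(REFLECTOR, 3389, VICTIM, 80, True, REFLECTED_PAYLOAD),
]

if __name__ == "__main__":
    for (src, dst, port), stats in summarize(SAMPLE).items():
        print(f"{src} -> {dst}:{port}  {stats['packets']} pkts, "
              f"{stats['bytes']} bytes")
```

Only the three padded, unfragmented 1,260-byte datagrams from port 3389 are reported; the short legitimate reply from the same server passes untouched, which is the point of matching the whole fingerprint rather than the source port alone.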

To mitigate the use of RDP to amplify DDoS attacks and their related impact, researchers made a number of suggestions to Windows systems administrators. First and foremost they should deploy Windows RDP servers behind VPN concentrators to prevent them from being abused to amplify DDoS attacks, they said.

“Network operators should perform reconnaissance to identify abusable Windows RDP servers on their networks and/or the networks of their downstream customers,” Dobbins and Bjarnason advised. “It is strongly recommended that RDP servers should be accessible only via VPN services in order to shield them from abuse.”

If this mitigation is not possible, however, they “strongly recommended” that, at the very least, system administrators disable RDP via UDP port 3389 “as an interim measure.”

At the same time, network operators should implement Best Current Practices (BCPs) for all relevant network infrastructure, architecture and operations, including “situationally specific network-access policies that only permit internet traffic via required IP protocols and ports,” researchers said.

Internet-access network traffic from internal organizational personnel also should be deconflated from internet traffic to/from public-facing internet properties and served via separate upstream internet transit links, they added.
