Distributed denial-of-service (DDoS) malefactors are abusing the Microsoft Remote Desktop Protocol (RDP) to increase the effectiveness of their attacks.
The Microsoft Remote Desktop Protocol service included in Microsoft Windows operating systems is intended to provide authenticated remote virtual desktop infrastructure (VDI) access to Windows-based workstations and servers.
The RDP service can be configured by Windows systems administrators to run on TCP/3389 and/or UDP/3389.
According to security firm Netscout, the Microsoft RDP service may also be abused to launch UDP reflection/amplification attacks. These attacks use RDP to increase the data amount used in the attack at an amplification ratio of 85.9:1.
The amplified attack traffic consists of non-fragmented UDP packets sourced from UDP/3389,” Says Netscout. Moreover, the attacks can be directed towards the destination IP address(es) and UDP port(s) of the attacker’s choice.
Approximately 33,000 abusable Windows RDP servers have been identified by Netscout to date. They have also seen observed that attack sizes range from ~20 Gbps – ~750 Gbps.
High “collateral impact”
“The collateral impact of RDP reflection/amplification attacks is potentially quite high for organizations whose Windows RDP servers are abused as reflectors/amplifiers,” warns Netscout.
“This may include partial or full interruption of mission-critical remote-access services,” the add. There could also be additional service disruption due to transit capacity consumption, state-table exhaustion of stateful firewalls, load balancers, and so on.
Standard filtering, they warn, could only worsen the situation. “Wholesale filtering of all UDP/3389-sourced traffic by network operators may potentially overblock legitimate internet traffic,” they write. This could include legitimate RDP remote session replies.
How to defend against the attacks
Netscout does make some recommendations regarding defense gunast these new DDoS attacks. “It is imperative that organizations operating mission-critical public-facing internet properties and/or infrastructure ensure that all servers/services/application/datastores/infrastructure elements are protected against DDoS attack,” they say.
These elements should also be included in periodic, realistic tests of the organization’s DDoS mitigation plan. “In many instances, we have encountered situations in which obvious elements such as public-facing Web servers were adequately protected,” they write. “But authoritative DNS servers, application servers, and other critical service delivery elements were neglected, thus leaving them vulnerable to attack.”