Threat Actors Can Exploit Windows RDP Servers to Amplify DDoS Attacks

  • Elizabeth Montalbano--Threatpost
  • published date: 2021-01-22 12:45:42 UTC

Netscout researchers identify more than 14,000 existing servers that can be abused by ‘the general attack population’ to flood organizations’ networks with traffic.

<div class="c-article__content js-reading-content"> <p>Cybercriminals can exploit Microsoft Remote Desktop Protocol (RDP) as a powerful tool to amplify distributed denial-of-service (DDoS) attacks, new research has found.</p> <p>Attackers can abuse RDP to launch UDP reflection/amplification attacks with an amplification ratio of 85.9:1, principal engineer Roland Dobbins and senior network security analyst Steinthor Bjarnason from Netscout said in <a href="" target="_blank" rel="noopener noreferrer">a report</a> published online this week.</p> <p>However, not all RDP servers can be used in this way. It’s possible only when the service is enabled on UDP port 3389 in addition to running on the standard TCP port 3389, researchers said.</p> <p>Netscout so far has identified more than 14,000 “abusable” Windows RDP servers that can be misused by attackers in DDoS attacks—troubling news at a time when this type of attack is <a href="" target="_blank" rel="noopener noreferrer">on the rise</a> due to the increased volume of people online during the ongoing <a href="" target="_blank" rel="noopener noreferrer">coronavirus pandemic.</a></p> <p>This risk was highlighted earlier this week when researchers identified a new malware variant <a href="">dubbed Freakout</a> adding endpoints to a botnet to target Linux devices with DDoS attacks.</p> <p>What’s more, while initially only advanced attackers with access to “bespoke DDoS attack infrastructure” used this method of amplification, researchers also observed RDP servers being abused in <a href="" target="_blank" rel="noopener noreferrer">DDoS-for-hire</a> services by so-called “booters,” they said. 
This means “the general attacker population” can also use this mode of amplification to add heft to their <a href="" target="_blank" rel="noopener noreferrer">DDoS attacks</a>.</p> <p>RDP is a part of the Microsoft Windows OS that provides authenticated remote virtual desktop infrastructure (VDI) access to Windows-based workstations and servers. System administrators can configure RDP to run on TCP port 3389 and/or UDP port 3389.</p> <p>Attackers can send the amplified attack traffic, which consists of non-fragmented UDP packets that originate at UDP port 3389, to target a particular IP address and UDP port of choice, researchers said.</p> <p>“In contrast to legitimate RDP session traffic, the amplified attack packets are consistently 1,260 bytes in length, and are padded with long strings of zeroes,” Dobbins and Bjarnason explained.</p> <p>Leveraging Windows RDP servers in this way has a significant impact on victim organizations, including “partial or full interruption of mission-critical remote-access services,” as well as other service disruptions due to transit capacity consumption and associated effects on network infrastructure, researchers said.</p> <p>“Wholesale filtering of all UDP/3389-sourced traffic by network operators may potentially overblock legitimate internet traffic, including legitimate RDP remote-session replies,” researchers noted.</p> <p>To mitigate the use of RDP to amplify DDoS attacks and their related impact, researchers made a number of suggestions to Windows systems administrators. First and foremost, they should deploy Windows RDP servers behind VPN concentrators to prevent them from being abused to amplify DDoS attacks, they said.</p> <p>“Network operators should perform reconnaissance to identify abusable Windows RDP servers on their networks and/or the networks of their downstream customers,” Dobbins and Bjarnason advised. 
“It is strongly recommended that RDP servers should be accessible only via VPN services in order to shield them from abuse.”</p> <p>If this mitigation is not possible, however, they “strongly recommended” that at the very least, system administrators disable RDP via UDP port 3389 “as an interim measure.”</p> <p>At the same time, network operators should implement Best Current Practices (BCPs) for all relevant network infrastructure, architecture and operations, including “situationally specific network-access policies that only permit internet traffic via required IP protocols and ports,” researchers said.</p> <p>Internet-access network traffic from internal organizational personnel also should be deconflated from internet traffic to/from public-facing internet properties and served via separate upstream internet transit links, they added.</p> </div>
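<p>The traits the researchers list for the amplified traffic (UDP source port 3389, a constant 1,260-byte length, long zero padding) can be checked together so that ordinary RDP replies from UDP/3389 are not swept up by a port-only filter. The sketch below is an added example, not code from Netscout or Threatpost; the <code>UdpPacket</code> record, the 64-byte zero-run threshold and the sample packets are assumptions constructed for illustration.</p>

```python
from dataclasses import dataclass

RDP_UDP_PORT = 3389
ATTACK_PACKET_LEN = 1260   # length reported in the article
MIN_ZERO_RUN = 64          # assumption: what counts as a "long string of zeroes"

@dataclass
class UdpPacket:           # hypothetical record, e.g. built from a packet capture
    src_ip: str
    src_port: int
    dst_ip: str
    length: int            # packet length as reported by the capture tool
    payload: bytes

def longest_zero_run(data: bytes) -> int:
    """Length of the longest run of consecutive 0x00 bytes."""
    best = run = 0
    for b in data:
        run = run + 1 if b == 0 else 0
        best = max(best, run)
    return best

def looks_like_rdp_reflection(pkt: UdpPacket) -> bool:
    """True only when all three traits from the article are present."""
    return (pkt.src_port == RDP_UDP_PORT
            and pkt.length == ATTACK_PACKET_LEN
            and longest_zero_run(pkt.payload) >= MIN_ZERO_RUN)

def reflectors_by_victim(packets) -> dict:
    """Number of distinct suspected reflector IPs seen per destination."""
    seen = {}
    for p in packets:
        if looks_like_rdp_reflection(p):
            seen.setdefault(p.dst_ip, set()).add(p.src_ip)
    return {dst: len(srcs) for dst, srcs in seen.items()}

# Constructed sample data (documentation address ranges, not real RDP bytes).
PADDED = b"\xaa" * 16 + bytes(1216)
NONZERO = bytes((i % 251) + 1 for i in range(384))
SAMPLE = [
    UdpPacket("198.51.100.10", 3389, "203.0.113.5", 1260, PADDED),
    UdpPacket("198.51.100.11", 3389, "203.0.113.5", 1260, PADDED),
    UdpPacket("192.0.2.20", 3389, "203.0.113.5", 412, NONZERO),  # ordinary reply
    UdpPacket("192.0.2.53", 53, "203.0.113.5", 1260, PADDED),    # wrong source port
]

if __name__ == "__main__":
    for victim, count in reflectors_by_victim(SAMPLE).items():
        print(f"{victim}: {count} suspected RDP reflectors")
```

<p>A filter keyed to the source port alone would also have matched the third sample packet, which is the overblocking the researchers warn about.</p>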