Threat Players Can Use Windows RDP Servers to Magnify DDoS Attacks!

‘Netscout’ researchers have identified more than 14,000 existing servers that can be abused by ‘the general attack population’ to flood organisations’ networks with traffic.

Cyber-criminals can exploit Microsoft Remote Desktop Protocol (RDP) as a powerful tool to amplify distributed denial-of-service (DDoS) attacks, the latest research has found.

Attackers can abuse RDP to launch UDP reflection/amplification attacks with an amplification ratio of 85.9:1, Principal Engineer Roland Dobbins & Senior Network Security Analyst Steinthor Bjarnason from Netscout commented in a report published online this week.

DDoS Attacks

Not every RDP server can be used this way. It is possible only when the service is enabled on UDP port 3389 in addition to the standard TCP port 3389, researchers suggested.

‘Netscout’ has identified more than 14,000 “abusable” Windows RDP servers that can be misused by attackers in DDoS attacks—troubling news at a time when this type of attack is on the rise due to the increased volume of people online during the ongoing coronavirus pandemic.

This risk was made clear earlier this week when researchers identified a new malware variant dubbed Freakout adding endpoints to a botnet to target Linux devices with DDoS attacks.

Method of Amplification

While at first only advanced attackers with access to “bespoke DDoS attack infrastructure” used this method of amplification, researchers have since also seen RDP servers being abused in DDoS-for-hire services by so-called “booters,” they outlined.

This means “the general attacker population” can also use this mode of amplification to add weight to their DDoS attacks.

RDP is a part of the Microsoft Windows OS that provides authenticated remote virtual desktop infrastructure (VDI) access to Windows-based workstations & servers. System administrators can configure RDP to run on TCP port 3389 and/or UDP port 3389.

Amplified Attack Traffic

Attackers may direct the amplified attack traffic, which is composed of non-fragmented UDP packets originating from UDP port 3389, at a target IP address & UDP port of their choice, researchers observed.

“In contrast to legitimate RDP session traffic, the amplified attack packets are consistently 1,260 bytes in length, & are padded with long strings of zeroes,” Dobbins & Bjarnason explained.

Using Windows RDP servers in this way has significant impact on victim organisations, including “partial or full interruption of mission-critical remote-access services,” as well as other service disruptions due to transit capacity consumption & associated effects on network infrastructure, researchers commented.

Legitimate Internet Traffic

“Wholesale filtering of all UDP/3389-sourced traffic by network operators may potentially over-block legitimate internet traffic, including legitimate RDP remote-session replies,” researchers noted.
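The packet traits quoted above (non-fragmented, sourced from UDP/3389, consistently 1,260 bytes, padded with long runs of zeroes) are enough to tell reflected attack traffic apart from a legitimate RDP-over-UDP reply, which also comes from UDP/3389. The following Python is an added example (not code from the article or from Netscout) that classifies packets on those traits, groups hits by victim, and emits deny entries scoped to observed reflector-to-victim pairs rather than the wholesale UDP/3389 filter the researchers warn against. The header-size constant, the zero-run threshold, the minimum-reflector threshold, the generic rule format and all sample packets are constructed assumptions, not values from the report.

```python
"""Detection of RDP-based UDP reflection/amplification traffic (added example).

Uses the packet traits reported by Netscout: attack packets are non-fragmented
UDP datagrams sourced from UDP/3389, consistently 1,260 bytes long and padded
with long runs of zero bytes.  Legitimate RDP-over-UDP replies also come from
UDP/3389, so the classifier keys on length and padding rather than the port
alone, and the resulting filter is scoped to observed reflector->victim pairs.
All packets below are constructed samples, not captured traffic.
"""
from dataclasses import dataclass

RDP_UDP_PORT = 3389
AMPLIFIED_LEN = 1260   # on-wire packet length reported for the attack traffic
IP_UDP_HEADERS = 28    # assumed IPv4 (20) + UDP (8) header bytes, no options
MIN_ZERO_RUN = 256     # assumed threshold for a "long string of zeroes"


@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes
    fragmented: bool = False

    @property
    def wire_length(self) -> int:
        return IP_UDP_HEADERS + len(self.payload)


def longest_zero_run(payload: bytes) -> int:
    """Length of the longest run of consecutive 0x00 bytes in the payload."""
    best = run = 0
    for b in payload:
        run = run + 1 if b == 0 else 0
        best = max(best, run)
    return best


def is_amplified_rdp(pkt: UdpPacket) -> bool:
    """True when the packet matches all reported traits of the amplified traffic."""
    return (pkt.src_port == RDP_UDP_PORT
            and not pkt.fragmented
            and pkt.wire_length == AMPLIFIED_LEN
            and longest_zero_run(pkt.payload) >= MIN_ZERO_RUN)


def find_victims(packets, min_reflectors=3):
    """Map (victim ip, port) -> sorted reflector IPs for suspected attacks.

    A victim is reported only when matching packets arrive from at least
    `min_reflectors` distinct RDP servers (an assumed threshold that keeps a
    single odd packet from being treated as an attack)."""
    seen = {}
    for p in packets:
        if is_amplified_rdp(p):
            seen.setdefault((p.dst_ip, p.dst_port), set()).add(p.src_ip)
    return {v: sorted(r) for v, r in seen.items() if len(r) >= min_reflectors}


def targeted_filter(victims):
    """Build narrow deny entries (reflector -> victim) instead of dropping all
    UDP/3389-sourced traffic, which would also drop legitimate RDP replies.
    Output uses a generic 'deny udp <src> eq 3389 -> <dst>:<port>' form, not
    any vendor's ACL syntax."""
    rules = []
    for (dst_ip, dst_port), reflectors in sorted(victims.items()):
        for src in reflectors:
            rules.append(f"deny udp {src} eq {RDP_UDP_PORT} -> {dst_ip}:{dst_port}")
    return rules


# --- constructed sample traffic (documentation-range addresses) ---
ATTACK_PAYLOAD = b"\x01\x02\x03\x04" + b"\x00" * (AMPLIFIED_LEN - IP_UDP_HEADERS - 4)
LEGIT_PAYLOAD = bytes((i % 255) + 1 for i in range(372))  # 400-byte reply, no zero run

SAMPLE_PACKETS = [
    # four reflectors hammering one victim port
    UdpPacket("198.51.100.10", 3389, "203.0.113.5", 443, ATTACK_PAYLOAD),
    UdpPacket("198.51.100.11", 3389, "203.0.113.5", 443, ATTACK_PAYLOAD),
    UdpPacket("198.51.100.12", 3389, "203.0.113.5", 443, ATTACK_PAYLOAD),
    UdpPacket("198.51.100.13", 3389, "203.0.113.5", 443, ATTACK_PAYLOAD),
    # a legitimate RDP-over-UDP session reply from one of the same servers
    UdpPacket("198.51.100.10", 3389, "192.0.2.7", 50123, LEGIT_PAYLOAD),
    # a lone matching packet: below the reflector threshold, not reported
    UdpPacket("198.51.100.20", 3389, "203.0.113.9", 53, ATTACK_PAYLOAD),
]

if __name__ == "__main__":
    victims = find_victims(SAMPLE_PACKETS)
    for v, refl in victims.items():
        print(f"victim {v[0]}:{v[1]} hit by {len(refl)} RDP reflectors")
    for rule in targeted_filter(victims):
        print(rule)
```

Run as a script, the sample reports one victim (203.0.113.5:443) hit by four reflectors and prints four narrow deny entries; the legitimate 400-byte reply from 198.51.100.10 is left alone, which is the point the researchers make about over-blocking.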

To mitigate the use of RDP to amplify DDoS attacks & their related impact, researchers made a number of suggestions to Windows systems administrators. First, they should deploy Windows RDP servers behind VPN concentrators to prevent them from being abused to amplify DDoS attacks, they stated.

Reconnaissance

“Network operators should perform reconnaissance to identify abusable Windows RDP servers on their networks and/or the networks of their downstream customers,” Dobbins & Bjarnason advised. “It is strongly recommended that RDP servers should be accessible only via VPN services in order to shield them from abuse.”

If this mitigation is not possible, however, they “strongly recommended” that at the very least, system administrators disable RDP via UDP port 3389 “as an interim measure,” they suggested.

Best Current Practices

Network operators should implement Best Current Practices (BCPs) for all relevant network infrastructure, architecture & operations, including “situationally specific network-access policies that only permit internet traffic via required IP protocols and ports”, researchers explained.

Internet-access network traffic from internal organisational personnel also should be ‘deconflated’ from internet traffic to/from public-facing internet properties & served via separate upstream internet transit links, they concluded.
