Windows RDP Severs Can Be Used to Amplify DDoS attacks

Author: Melodie Foster

Date: 22nd January 2021

The prerequisite for having an RDP server that can be abused is that systems that have RDP authentication also enabled on UDP port 3389 on top of the standard TCP port 3389.

If attackers send malformed UDP packets to the UDP port on an RDP server, it will be reflected to the target of DDoS attack, which will amplify the size of the attack as junk traffic will also be hitting the victim’s system.

Netscout, the firm who sent out this information earlier this week, said this vulnerability is being abused heavily, “as is routinely the case with newer DDoS attack vectors, it appears that after an initial period of employment by advanced attackers with access to bespoke DDoS attack infrastructure, RDP reflection/amplification has been weaponized and added to the arsenals of so-called booter/stresser DDoS-for-hire services, placing it within the reach of the general attacker population.”

Netscout said that it is currently detecting over 14,000 RDP servers that are exposed online and running on UDP port 3389. Researchers are also urging systems administrators who are running RDP servers that are exposed on the internet to take them offline and either switch them to the equivalent TCP port, or put VPNs in front of the RDP servers which would result in less people being able to interact with the systems.[1]

[1] Https://www.zdnet.com/article/windows-rdp-servers-are-being-abused-to-amplify-ddos-attacks/

Other resources

Cyberfort Colocation Services

Cyberfort has invested heavily in secure infrastructure, making us the perfect colocation service provider to host your mission-critical, sensitive and regulated data.
Find out more >

What can Cyberfort do for you?

Check out our factsheets for detailed information on the matrix of cybersecurity products and services we offer to protect your business.
Find out more >

Cyberfort Deep Dives

Cyberfort’s cybersecurity consultants explore issues in cyber threat intelligence, incident planning and data security. Read our whitepapers to help make decisions that benefit your business.
Find out more >

Cookie Name	Expiration Time	Description
_ga	2 years	Used to distinguish users.
_gid	24 hours	Used to distinguish users.
_gat	1 minute	Used to throttle request rate. If Google Analytics is deployed via Google Tag Manager, this cookie will be named _dc_gtm_<property-id>.

_gac_<property-id>	90 days	Contains campaign related information for the user. If you have linked your Google Analytics and Google Ads accounts, Google Ads website conversion tags will read this cookie unless you opt-out.
__hstc	13 months	The main cookie for tracking visitors.
hubspotutk	13 months	This cookie keeps track of a visitor's identity. It is passed to HubSpot on form submission and used when deduplicating contacts.
__hssc	30 minutes	This cookie keeps track of sessions.
__hssrc	End of session	Whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser.

Windows RDP Severs Can Be Used to Amplify DDoS attacks

Author: Melodie Foster

Date: 22nd January 2021

Other resources

Cyberfort Colocation Services

What can Cyberfort do for you?

Cyberfort Deep Dives

Recent Posts

Recent Comments

Archives

Categories

Meta