U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Abusing Windows RDP servers to amplify DDoS attacks

Threat actors are abusing Windows Remote Desktop Protocol (RDP) servers to amplify Distributed Denial of Service (DDoS) attacks. Attackers are abusing Windows Remote Desktop Protocol (RDP) servers to amplify Distributed Denial of Service (DDoS) attacks. The Microsoft Remote Desktop Protocol (RDP) is a built-in service in Microsoft Windows operating systems that provides authenticated remote virtual […]

RDP Servers

Threat actors are abusing Windows Remote Desktop Protocol (RDP) servers to amplify Distributed Denial of Service (DDoS) attacks.

Attackers are abusing Windows Remote Desktop Protocol (RDP) servers to amplify Distributed Denial of Service (DDoS) attacks.

The Microsoft Remote Desktop Protocol (RDP) is a built-in service in Microsoft Windows operating systems that provides authenticated remote virtual desktop infrastructure (VDI) access to Windows-based workstations and servers. The RDP service can be configured to run on TCP/3389 and/or UDP/3389.

RDP Servers

Researchers from Netscout reported that attackers could be abused to launch UDP reflection/amplification attacks with an amplification ratio of 85.9:1 when enabled on UDP/3389,

“When enabled on UDP/3389, the Microsoft Windows RDP service may be abused to launch UDP reflection/amplification attacks with an amplification ratio of 85.9:1.” reads the post published by Netscout. “The amplified attack traffic consists of non-fragmented UDP packets sourced from UDP/3389 and directed towards the destination IP address(es) and UDP port(s) of the attacker’s choice.”

Attackers can send specially crafted UDP packets to the UDP ports of RDP servers that will be “reflected” to the target after being amplified in size.

The packets sent in such kind of attack have a length of 1,260 bytes and are padded with long strings of zeroes. Experts pointed out that this DDoS amplification technique could allow mounting attacks with a volume of traffic ranging from ~20 Gbps – ~750 Gbps.

The researchers already identified approximately 14,000 Windows RDP servers that could be abused.

These attacks may cause partial or full interruption of mission-critical remote-access services, while wholesale filtering of all UDP/3389 traffic by network operators may potentially block legitimate traffic, such as legitimate RDP remote session replies.  

To prevent the abuse of an RDP server in reflection/amplification attacks, administrators should either disable UDP-based service or deploy Windows RDP servers behind VPN concentrators.

“It is strongly recommended that RDP servers should be accessible only via VPN services in order to shield them from abuse. If RDP servers offering remote access via UDP cannot immediately be moved behind VPN concentrators, it is strongly recommended that RDP via UDP/3389 be disabled as an interim measure.” concludes Netscout.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, DDoS)

[adrotate banner=”5″]

[adrotate banner=”13″]