RDP abused for DDoS attacks

We have talked about RDP many times before. It has been a popular target for brute force attacks for a long time, but attackers have now found a new way to abuse it.

Remote access has become more important during the pandemic, with as many people as possible trying to work from home, which makes it all the more important to configure RDP services in a secure way.

Quick recap of RDP

RDP is short for Remote Desktop Protocol. Remote desktop is exactly what the name implies, an option to control a computer system remotely. It almost feels as if you are actually sitting behind that computer. Because of the current pandemic, many people are working from home and may be doing so for a while to come.

All this working from home has the side effect of more RDP ports being opened. Not only to enable the workforce to access company resources from home, but also to enable IT staff to troubleshoot problems on the workers’ devices. A lot of enterprises rely on tech support teams using RDP to troubleshoot problems on employees’ systems.

We warned about one of the consequences of exposing RDP in our post Brute force attacks increase due to more open RDP ports. And we provided some security measures in our post How to protect your RDP access from ransomware attacks. But this time we are going to talk about a different kind of attack that makes use of open RDP ports.

RDP as a DDoS attack vector

The RDP service can be configured by Windows systems administrators to run on TCP (usually port 3389) and/or on the UDP port (3389). When enabled on a UDP port, the Microsoft Windows RDP service can be abused to launch UDP reflection attacks with an amplification ratio of 85.9:1.

The traffic that is set off by this amplification attack is made up of non-fragmented UDP packets sourced from UDP port 3389 and directed towards UDP ports on the victim’s IP address(es). In logs, these attack-induced packets are readily discernible from legitimate RDP session traffic because the amplified attack packets are consistently 1,260 bytes in length and are padded with long strings of zeroes.
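The traffic characteristics above translate directly into a detection rule. The following is an added example, not code from the original post or from Malwarebytes: it checks captured UDP datagrams against the signature (not fragmented, sourced from UDP/3389, 1,260 bytes long, padded with a long run of zero bytes) and counts suspected reflection packets per destination IP. The `UdpPacket` record, the `MIN_ZERO_RUN` threshold and the sample capture are assumptions constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass

# Signature of RDP UDP reflection traffic as described in the post:
# non-fragmented UDP datagrams from UDP/3389, consistently 1,260 bytes
# long, padded with long strings of zeroes.
RDP_UDP_PORT = 3389
AMPLIFIED_LEN = 1260
MIN_ZERO_RUN = 256  # assumption: what counts as a "long" zero padding


@dataclass
class UdpPacket:  # hypothetical record type for one captured datagram
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    length: int        # total datagram length in bytes
    payload: bytes
    fragmented: bool = False


def trailing_zero_run(payload: bytes) -> int:
    """Number of 0x00 bytes at the end of the payload."""
    return len(payload) - len(payload.rstrip(b"\x00"))


def is_rdp_reflection(pkt: UdpPacket) -> bool:
    """True when the datagram matches the amplified-attack signature."""
    return (not pkt.fragmented
            and pkt.src_port == RDP_UDP_PORT
            and pkt.length == AMPLIFIED_LEN
            and trailing_zero_run(pkt.payload) >= MIN_ZERO_RUN)


def reflection_targets(packets) -> Counter:
    """Count suspected reflection packets per destination (victim) IP."""
    return Counter(p.dst_ip for p in packets if is_rdp_reflection(p))


# Constructed sample capture (not real traffic): one legitimate RDP-over-UDP
# reply, two amplified packets aimed at one victim, one unrelated DNS reply.
SAMPLE = [
    UdpPacket("10.0.0.5", 3389, "10.0.0.9", 50001, 214, b"\x00" * 4 + bytes(range(1, 183))),
    UdpPacket("10.0.0.5", 3389, "203.0.113.7", 443, 1260, b"\x02\xa3\x4e\x11" + b"\x00" * 1228),
    UdpPacket("10.0.0.5", 3389, "203.0.113.7", 80, 1260, b"\x02\xa3\x4e\x22" + b"\x00" * 1228),
    UdpPacket("10.0.0.53", 53, "10.0.0.9", 50002, 120, b"\x81\x80" + bytes(range(1, 91))),
]

if __name__ == "__main__":
    for victim, count in reflection_targets(SAMPLE).items():
        print(f"{victim}: {count} suspected RDP reflection packets")
```

A spike of such hits from your own RDP host means it is being used as a reflector, which is the moment to apply the mitigations discussed further down (VPN, gateway, or disabling RDP over UDP).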

Open RDP ports

At the time of writing, the Shodan search engine, which indexes online devices and their services, lists over 3.6 million results in a search for “remote desktop” and NetScout identified 33,000 Windows RDP servers that could potentially be abused in this type of DDoS attack.

The consequences of such an attack

The owner of the destination IP address(es) will experience a DDoS attack. DDoS stands for Distributed Denial of Service. It is a network attack that involves hackers forcing numerous systems to send network communication requests to one specific server. If the attack is successful, the receiving server will become overloaded by nonsense requests. It will either crash or become so busy that normal users are unable to use it.

A DDoS attack can cause:

  • Disappointed users
  • Loss of data
  • Loss of revenue
  • Lost work hours/productivity
  • Damage to the businesses’ reputation
  • Breach of contract between a victim and its users

We have discussed preventive measures for DDoS targets in our post DDoS attacks are growing: What can businesses do?

But there are consequences for the abused service owners as well. These may include an interruption or slow-down of remote-access services, as well as additional service disruption due to an overload of additional network hardware and services.

How to avoid helping a DDoS attack

There are a few things you can do to avoid being roped into an RDP DDoS attack. They are also useful against other RDP related attacks.

  • Put RDP access behind a VPN so it’s not directly accessible.
  • Use a Remote Desktop Gateway Server, which provides some additional security and operational benefits like 2FA, for example. Also, the logs of the RDP sessions can prove especially useful.
  • If RDP servers offering remote access via UDP cannot immediately be moved behind VPN concentrators, it is recommended to disable RDP via UDP.

Logging of the traffic will not be effective as a preventive measure, but it will enable you to figure out what might have happened and assist you in closing any gaps in your defenses.

Stay safe, everyone!

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.