
Threat Actors Can Leverage RDP Servers to Amplify DDoS Attacks

A recent Netscout report shows threat actors can exploit Microsoft RDP flaws to amplify DDoS attacks and 14,000 Windows RDP servers are susceptible to abuse.


By Jessica Davis

A recent report from Netscout revealed that threat actors can abuse the Microsoft Remote Desktop Protocol (RDP) to amplify distributed denial-of-service (DDoS) attacks. Researchers identified over 14,000 servers susceptible to this type of abuse.

RDP is used to authenticate access to remote virtual desktop infrastructure (VDI) on Windows-based servers and workstations. Netscout researchers explained that administrators can configure the RDP service to run on TCP/3389 and/or UDP/3389.

The issue, as described in the report, is that when the RDP service is enabled on UDP/3389, threat actors can abuse it to launch UDP reflection/amplification attacks with an amplification ratio of 85.9:1.

The amplified attack traffic consists of non-fragmented UDP packets sourced from UDP/3389 and directed towards the destination IP addresses and UDP ports chosen by the attacker. In comparison to legitimate RDP session traffic, amplified attack packets are consistently 1,260 bytes in length.

The amplified attack packets are also padded with long strings of zeroes. Netscout has identified about 33,000 abusable Windows RDP servers to date, and has observed attack sizes ranging from about 20 Gbps to nearly 750 Gbps.
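The traffic profile above (UDP packets sourced from UDP/3389, consistently 1,260 bytes, padded with long runs of zeroes) can be turned into a simple detector for flow or packet captures. This is an added example, not code from the Netscout report; the zero-run threshold, the record format and the sample packets are constructed assumptions.

```python
from dataclasses import dataclass

# Characteristics of amplified RDP traffic reported by Netscout.
RDP_UDP_PORT = 3389
AMPLIFIED_PKT_LEN = 1260
AMPLIFICATION_RATIO = 85.9
MIN_ZERO_RUN = 512  # assumed threshold for a "long string of zeroes" (not from the report)

@dataclass
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    fragmented: bool
    payload: bytes  # constructed: its length stands in for the full datagram length

def longest_zero_run(data: bytes) -> int:
    """Length of the longest contiguous run of 0x00 bytes."""
    best = run = 0
    for b in data:
        run = run + 1 if b == 0 else 0
        best = max(best, run)
    return best

def is_rdp_amplification(pkt: Packet) -> bool:
    """True when a packet matches the reported amplified-RDP profile."""
    return (pkt.proto == "UDP"
            and pkt.src_port == RDP_UDP_PORT
            and not pkt.fragmented
            and len(pkt.payload) == AMPLIFIED_PKT_LEN
            and longest_zero_run(pkt.payload) >= MIN_ZERO_RUN)

def summarize(packets):
    """Group matching packets by victim (dst_ip): reflectors seen, bytes received,
    and the attacker-side bytes implied by the 85.9:1 amplification ratio."""
    report = {}
    for p in packets:
        if is_rdp_amplification(p):
            entry = report.setdefault(p.dst_ip, {"reflectors": set(), "bytes": 0})
            entry["reflectors"].add(p.src_ip)
            entry["bytes"] += len(p.payload)
            entry["est_trigger_bytes"] = round(entry["bytes"] / AMPLIFICATION_RATIO)
    return report

# Constructed sample traffic: two reflected packets aimed at 198.51.100.7 from two
# abusable RDP servers, plus a legitimate-looking RDP reply (other size, no padding).
SAMPLE = [
    Packet("UDP", "203.0.113.10", 3389, "198.51.100.7", 53, False, b"\x00" * 1260),
    Packet("UDP", "203.0.113.11", 3389, "198.51.100.7", 80, False, b"\x30\x01" + b"\x00" * 1258),
    Packet("UDP", "203.0.113.10", 3389, "192.0.2.5", 3389, False, bytes(range(256)) * 3),
]
```

Running `summarize(SAMPLE)` reports one victim with two distinct reflectors; in practice the same filter can be applied to exported flow records before deciding whether to rate-limit UDP/3389 replies, which is narrower than the wholesale filtering the report warns against.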

“As is routinely the case with newer DDoS attack vectors, it appears that after an initial period of employment by advanced attackers with access to bespoke DDoS attack infrastructure, RDP reflection/amplification has been weaponized and added to the arsenals of so-called booter/stresser DDoS-for-hire services, placing it within the reach of the general attacker population,” according to the report.

As a result, organizations that use RDP servers could face a high collateral impact from successful exploits, including partial or full disruption of mission-critical remote services and disruptions caused by transit capacity consumption and exhaustion of stateful firewalls.

Further, Netscout found that wholesale filtering by network operators of all traffic sourced from UDP/3389 could overblock legitimate traffic, such as legitimate RDP remote-session replies.

Hackers have continued to target RDP and other vulnerable endpoints throughout the pandemic and in recent months. Given Netscout’s findings and the rapid adoption of remote work and telehealth in response to the national crisis, all organizations should work to mitigate the risk.

“Collateral impact to abusable Windows RDP servers can alert systems administrators to either disable UDP-based service or to deploy Windows RDP servers behind VPN concentrators, thereby preventing them from being utilized in RDP reflection/amplification attacks,” researchers explained.

Firstly, all organizations must employ current, industry-standard best practices for relevant network infrastructure, architecture, and operating systems, including those with business-critical public-facing internet properties.

CISA recently reminded entities, particularly healthcare and public health sector organizations, that hackers are leveraging internet-facing ports and services, like RDP, to gain access to enterprise networks and later deliver ransomware.

Administrators should perform reconnaissance to find abusable RDP servers on the enterprise network and on the networks of supply-chain vendors connected to the enterprise. RDP should be accessible only through a VPN service to defend against abuse.

If RDP servers providing remote access through UDP can’t be immediately moved behind VPN concentrators, Netscout strongly recommends those enterprises disable RDP via UDP/3389 as an interim solution.

Organizations will also need to implement situationally specific network access policies that only allow internet traffic through required IP protocols and ports.

“Internet access network traffic from internal organizational personnel should be deconflated from internet traffic to/from public-facing internet properties and served via separate upstream internet transit links,” researchers wrote.

“DDoS defenses for all public-facing internet properties and supporting infrastructure should be implemented in a situationally appropriate manner, including periodic testing to ensure that any changes to an organization's servers/services/applications are incorporated into its DDoS defense plan,” they added.

In addition, organic, on-site intelligent mitigation strategies should be used in conjunction with cloud- or transit-based upstream DDoS mitigation, which will bolster responsiveness and flexibility during an attack.

Netscout also noted that in many instances, researchers found that enterprises had implemented adequate protections for public-facing web servers, while at the same organizations “authoritative DNS servers, application servers, and other critical service delivery elements were neglected, thus leaving them vulnerable to attack.”

As such, enterprises should also perform realistic tests of their DDoS mitigation plan to ensure they’re adequately protected.

A July FBI alert provided guidance on defending against DDoS attacks in which hackers exploit built-in network protocols to increase the impact of an attack while using limited resources. Organizations should review that guidance, which includes a call to employ defense-in-depth strategies.