Posted on January 26, 2021 at 1:35 PM
Researchers Uncover Amplified DDoS Attack on Microsoft RDP Servers
Security firm Netscout said that Cyber attackers are now abusing Windows Remote Desktop Protocol (RDP). According to the report, they are using DDoS-for-hire services to amplify junk traffic in DDoS attacks.
The RDP service is a customized Windows service that runs on UDP/3389 and TCP/3389. It is useful for enabling the access of Windows workstations and servers from authenticated emote desktop infrastructure (VDI).
Although not every RDP servers can be attacked and abused, some of the RDP authenticated systems that enable UDP port 3389 can be abused.
Netscout revealed that the hackers can deliver malformed UDP packets to the RDP servers’ UDP ports, which shows how the attackers amplified the size of the DDoS attack. As a result, heavy junk traffic was hitting the targeted systems.
There are about 14,000 vulnerable Windows RDP servers on the internet today, based on a report earlier published by Netscout.
The Netscout report also added that it’s not feasible to filter the entire network traffic with UDP port 3389 since it will most probably deny legitimate traffic requests from system administrators.
Rather, the researchers have advised the Windows administrators to make sure RDP servers have the best protection behind a VPN service.
The researchers noted that they have discovered situations where elements like public-facing web servers received the right protection, while application servers, DNS servers, and other important delivery elements were not protected.
As a result, it leaves the critical servers vulnerable to attacks.
DDoS attacks on the rise
In July last year, the FBI issued an advisory on the increase of DDoS attacks on systems. The FBI stated that the COVID-19 pandemic has given rise to an increased level of attacks by threat actors. They are using different means to amplify and carry out bigger and more critical DDoS attacks.
Apart from the FBI warning, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also issued an alert on the prevalence of DDoS attacks. According to the agency, threat actors are targeting large financial firms and government agencies to disrupt their operational flow with DDoS attacks.
These attacks are increasing because the threat actors are seeing loopholes to intercept the remote workforce and schools that depend on remote learning during this pandemic period.
Also, the attackers are using extortion methods on their victims, fueled by the increased value of Bitcoin.
New DDoS attack also used by DDoS booters
Initially, the DDoS attack was only linked to advanced threat actors, but it’s now also used by DDoS booters as well. This has increased the rate of attacks on organizations since there are now more threat actors looking to disrupt organizations’ activities as much as they can.
The amplification of the attack mechanism is very common with any new DDoS attack. After the advanced threat actors employed the new DDoS attack on organizations, the so-called stresser/booter DDoS-for-hire services amplified its potency and destructive capacities, which makes it very critical.
These platforms are generally utilized by pranksters or threat actors who don’t have the time to invest in developing their own DDoS infrastructure.
They usually rent booter’s service to launch large-scale DDoS attacks that target sites or servers for different reasons.
Preventing the DDoS impact
Firms who have been affected by the amplified DDoS attack can experience service disruption or even complete shutdown of their remote-access services.
These can be a result of several factors, including load balancers, state-table exhaustion of stateful firewalls, or transit capacity consumption.
The affected organizations can try to mitigate the issue by filtering all traffic on the UDP/3389. However, this may not be the most ideal thing to do, because it could block legitimate connections, including the RDP session replies.
The researchers said the best alternative is to make the server available only by VPN or completely disable the UDP-based service on Windows RDP servers.
Also, organizations at risk of the amplified DDoS attack should carry out DDoS defense implementation, especially for public-facing servers. That way, they can have a countering response to any potential RDP amplification DDoS attack.