Security News > 2021 > January > Windows Remote Desktop servers now used to amplify DDoS attacks

Windows Remote Desktop servers now used to amplify DDoS attacks
2021-01-21 14:18

Windows Remote Desktop Protocol servers are now being abused by DDoS-for-hire services to amplify Distributed Denial of Service attacks.

The Microsoft RDP service is a built-in Windows service running on TCP/3389 and/or UDP/3389 that enables authenticated remote virtual desktop infrastructure access to Windows servers and workstations.

Attacks taking advantage of this new UDP reflection/amplification attack vector by targeting Windows servers with RDP enabled on UDP/3389 have an amplification ratio of 85.9:1 and peak at ~750 Gbps. Around 14,000 vulnerable Windows RDP servers are reachable over the Internet according to a Netscout advisory published earlier today.

While at first it was only used by advanced threat actors, this newly discovered DDoS amplification vector is now being used by DDoS booters.

To properly mitigate the impact of such attacks, organizations can either completely disable the vulnerable UDP-based service on Windows RDP servers or making the servers available only via VPN by moving them behind a VPN concentrator networking device.

In 2019, Netscout also observed DDoS attacks abusing the Apple Remote Management Service running on macOS servers as a reflection/amplification vector.


News URL

https://www.bleepingcomputer.com/news/security/windows-remote-desktop-servers-now-used-to-amplify-ddos-attacks/