Security News > 2021 > January > Windows Remote Desktop servers now used to amplify DDoS attacks
Windows Remote Desktop Protocol servers are now being abused by DDoS-for-hire services to amplify Distributed Denial of Service attacks.
The Microsoft RDP service is a built-in Windows service running on TCP/3389 and/or UDP/3389 that enables authenticated remote virtual desktop infrastructure access to Windows servers and workstations.
Attacks taking advantage of this new UDP reflection/amplification attack vector by targeting Windows servers with RDP enabled on UDP/3389 have an amplification ratio of 85.9:1 and peak at ~750 Gbps. Around 14,000 vulnerable Windows RDP servers are reachable over the Internet according to a Netscout advisory published earlier today.
While at first it was only used by advanced threat actors, this newly discovered DDoS amplification vector is now being used by DDoS booters.
To properly mitigate the impact of such attacks, organizations can either completely disable the vulnerable UDP-based service on Windows RDP servers or making the servers available only via VPN by moving them behind a VPN concentrator networking device.
In 2019, Netscout also observed DDoS attacks abusing the Apple Remote Management Service running on macOS servers as a reflection/amplification vector.
News URL
Related news
- Microsoft: April Windows Server updates cause NTLM auth failures (source)
- Germany points finger at Fancy Bear for widespread 2023 hacks, DDoS attacks (source)
- New attack leaks VPN traffic using rogue DHCP servers (source)
- Microsoft: April Windows Server updates also cause crashes, reboots (source)
- Microsoft fixes Windows zero-day exploited in QakBot malware attacks (source)
- Microsoft fixes Windows Server bug causing crashes, NTLM auth failures (source)
- Windows Quick Assist abused in Black Basta ransomware attacks (source)
- Microsoft: Windows Server 2019 updates fail with 0x800f0982 errors (source)
- MS Exchange Server Flaws Exploited to Deploy Keylogger in Targeted Attacks (source)
- Microsoft pushes emergency fix for Windows Server 2019 update errors (source)