DDoS Attackers Exploit Vulnerable Microsoft RDP ServersResearchers: 33,000 Vulnerable Servers Could Be Used to Amplify Attacks
Threat actors are exploiting vulnerable Microsoft Remote Desktop Protocol servers to amplify various distributed denial-of-service attacks, according to a report from application and network performance firm Netscout.
Netscout researchers have identified about 33,000 vulnerable Microsoft RDP servers that could be abused by threat actors to boost their DDoS attacks. RDP is a proprietary Microsoft communications protocol that system administrators and employees use to remotely connect to corporate systems and services.
Microsoft RDP can be configured by Windows systems administrators to run on TCP port 3389 or UDP port 3389, according to the report.
The researchers found that when the Microsoft RDP service is configured to UDP port 3389, attacks could amplify network packets from vulnerable ports and redirect that traffic to targeted IP addresses, increasing the size of a DDoS attack at little cost, according to the report.
In some cases, the Netscout researchers found an amplification ratio of 85.9:1, which means that for every 10 gigabytes per second of requests directed at an RDP server, the threat actors could redirect 860 gigabytes per second of network traffic at the targeted IP address as part of the DDoS attack, the report notes.
"Observed attack sizes range from ~20 Gbps - ~750 Gbps," according to the Netscout report. "As is routinely the case with newer DDoS attack vectors, it appears that after an initial period of employment by advanced attackers with access to bespoke DDoS attack infrastructure, RDP reflection/amplification has been weaponized and added to the arsenals of so-called booter/stresser DDoS-for-hire services, placing it within the reach of the general attacker population."
In July 2020, the FBI warned that since the start of the COVID-19 pandemic, threat actors have been using various means to amplify and conduct larger and more destructive DDoS attacks (see: FBI Alert Warns of Increase in Disruptive DDoS Attacks).
The Netscout report notes that it’s impractical to filter all the network traffic using UDP port 3389, because this might block legitimate requests from system administrators, including RDP connections.
Instead, the Netscout researchers recommend that Windows administrators ensure that RDP servers are protected behind a VPN service to ensure that they are not directly exposed to the internet.
"In many instances, we have encountered situations in which obvious elements, such as public-facing Web servers, were adequately protected, but authoritative DNS servers, application servers and other critical service delivery elements were neglected, thus leaving them vulnerable to attack," the Netscout researchers say.
DDoS on the Rise
In addition to the FBI alert last year, the U.S. Cybersecurity and Infrastructure Security Agency has also warned that DDoS attacks have become more frequent, targeting government agencies and financial firms (see: CISA Warns of Increased DDoS Attacks).
One reason why DDoS attacks are surging, in part, is that threat actors see an opportunity to disrupt the remote workforce as well as schools that are relying on remote learning, according to CISA and security researchers.
In addition, DDoS attackers are adding an extortion element to these attacks, which is being fueled by the rise in the value of bitcoin (see: DDoS Attackers Revive Old Campaigns to Extort Ransom).