Windows RDP servers are being abused to amplify DDoS attacks

Windows RDP servers running on UDP port 3389 can be ensnared in DDoS botnets and abused to bounce and amplify junk traffic towards victim networks.

DDoS botnet globe map

Cybercrime gangs are abusing Windows Remote Desktop Protocol (RDP) systems to bounce and amplify junk traffic as part of DDoS attacks, security firm Netscout said in an alert on Tuesday.

Not all RDP servers can be abused, but only systems where RDP authentication is also enabled on UDP port 3389 on top of the standard TCP port 3389.

Netscout said that attackers can send malformed UDP packets to the UDP ports of RDP servers that will be reflected to the target of a DDoS attack, amplified in size, resulting in junk traffic hitting the target's system.

This is what security researchers call a DDoS amplification factor, and it allows attackers with access to limited resources to launch large-scale DDoS attacks by amplifying junk traffic with the help of internet exposed systems.

In the case of RDP, Netscout said the amplification factor is 85.9, with the attackers sending a few bytes and generating "attack packets" that are "consistently 1,260 bytes in length."

An 85.9 factor puts RDP in the top echelon of DDoS amplification vectors, with the likes of Jenkins servers (~100), DNS (up to 179), WS-Discovery (300-500), NTP (~550), and Memcached (~50,000).

RDP servers already abused for real-world attacks

But the bad news don't end with the amplification factor. Netscout said that threat actors have also learned of this new vector, which is now being heavily abused.

"As is routinely the case with newer DDoS attack vectors, it appears that after an initial period of employment by advanced attackers with access to bespoke DDoS attack infrastructure, RDP reflection/amplification has been weaponized and added to the arsenals of so-called booter/stresser DDoS-for-hire services, placing it within the reach of the general attacker population," researchers said.

Netscout is now asking system administrators who run RDP servers exposed on the internet to take systems offline, switch them to the equivalent TCP port, or put the RDP servers behind VPNs in order to limit who can interact with vulnerable systems.

Currently, Netscout said it is detecting more than 33,000 RDP servers exposed online and running on UDP port 3389.

Since December 2018, five new DDoS amplification sources have come to light. These include the Constrained Application Protocol (CoAP), the Web Services Dynamic Discovery (WS-DD) protocol, the Apple Remote Management Service (ARMS)Jenkins servers, and Citrix gateways.

According to the FBI, the first four have been abused in real-world attacks.