DDoSers abuse Microsoft RDP to make attacks more powerful




DDoS-for-hire services are abusing the Microsoft Remote Desktop Protocol to increase the firepower of distributed denial-of-service attacks that cripple websites and other online services, a security firm said this week.

Commonly abbreviated as RDP, Remote Desktop Protocol is the foundation of a Microsoft Windows feature that allows one device to connect to another over the Internet. RDP is used primarily by businesses to spare employees the cost or hassle of being physically present at a computer they need to access.

As is typical of many authenticated systems, RDP answers a connection request with a much longer sequence of bits that establishes a connection between the two parties. So-called booter/stresser services, which for a fee will bombard Internet addresses with enough data to take them offline, recently adopted RDP as a way to scale up their attacks, security firm Netscout said.

Amplification allows attackers with modest resources to multiply the volume of data they direct at targets. The technique works by bouncing a relatively small amount of data off the amplification service, which in turn reflects a much larger amount of data onto the final target. With an amplification factor of 85.9 to 1, 10 gigabytes per second of requests directed at an RDP server will deliver approximately 860 Gbps to the target.

“Observed attack sizes range from ~20 Gbps to ~750 Gbps,” Netscout researchers wrote. “As is often the case with newer DDoS attack vectors, it appears that after an initial period of employment by advanced attackers with access to a bespoke DDoS attack infrastructure, RDP reflection/amplification has been militarized and added to the arsenals of what is called the booter/stresser-for-hire DDoS services, placing it within reach of the general population of attackers.”

DDoS amplification attacks date back decades. As legitimate Internet users collectively close off one vector, attackers find new ones to take its place. DDoS amplifiers have included open DNS resolvers, the WS-Discovery protocol used by IoT devices, and the Network Time Protocol. One of the most powerful amplification vectors in recent memory is the memcached protocol, which has a factor of 51,000 to 1.

DDoS amplification attacks work by using UDP network packets, whose source addresses are easily spoofed on many networks. An attacker sends a request to the vector and spoofs the headers so that the request appears to come from the target. The amplification vector then sends its much larger response to the target, whose address appears in the spoofed packets.

There are approximately 33,000 RDP servers on the Internet that can be abused in amplification attacks, Netscout said. Besides UDP, RDP can also run over TCP, which cannot be spoofed in the same way.

Netscout recommended that RDP servers be accessible only through VPN services. In the event that RDP servers providing remote access over UDP cannot be immediately moved behind VPN concentrators, administrators should disable RDP over UDP as a temporary measure.
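One way an administrator can tell whether an exposed RDP server is already being used as a reflector is to compare, per peer address, how many bytes the UDP/3389 service receives with how many it sends back: a spoofed victim "sends" tiny requests and receives far larger replies. The following is an added example, not code from the article or from Netscout; the flow records are constructed, and the addresses come from documentation ranges.

```python
"""Flag an RDP server being abused as a UDP reflector from flow records (added example)."""
from collections import defaultdict

RDP_UDP_PORT = 3389

# Constructed records: (proto, src_ip, src_port, dst_ip, dst_port, bytes).
# The first four show tiny inbound UDP probes whose source address is the
# spoofed victim (203.0.113.10), each answered with a much larger reply.
SAMPLE_FLOWS = [
    ("udp", "203.0.113.10", 40000, "198.51.100.5", 3389, 100),
    ("udp", "198.51.100.5", 3389, "203.0.113.10", 40000, 8590),
    ("udp", "203.0.113.10", 40001, "198.51.100.5", 3389, 100),
    ("udp", "198.51.100.5", 3389, "203.0.113.10", 40001, 8590),
    # A genuine RDP-over-UDP session: bytes in each direction are comparable.
    ("udp", "203.0.113.77", 50123, "198.51.100.5", 3389, 4000),
    ("udp", "198.51.100.5", 3389, "203.0.113.77", 50123, 5000),
]


def rdp_udp_ratios(flows, server_ip):
    """Map each peer of server_ip's UDP/3389 service to (bytes_in, bytes_out, ratio)."""
    bytes_in = defaultdict(int)
    bytes_out = defaultdict(int)
    for proto, src, sport, dst, dport, nbytes in flows:
        if proto != "udp":
            continue  # TCP RDP is not usable for spoofed reflection
        if dst == server_ip and dport == RDP_UDP_PORT:
            bytes_in[src] += nbytes  # src may be a spoofed victim address
        elif src == server_ip and sport == RDP_UDP_PORT:
            bytes_out[dst] += nbytes
    ratios = {}
    for peer in set(bytes_in) | set(bytes_out):
        i, o = bytes_in[peer], bytes_out[peer]
        ratios[peer] = (i, o, round(o / i, 1) if i else float("inf"))
    return ratios


def suspected_victims(flows, server_ip, min_ratio=10.0):
    """Peers receiving at least min_ratio times what they sent: likely spoofed targets."""
    return sorted(peer for peer, (_, _, r) in rdp_udp_ratios(flows, server_ip).items()
                  if r >= min_ratio)


if __name__ == "__main__":
    for peer, (i, o, r) in sorted(rdp_udp_ratios(SAMPLE_FLOWS, "198.51.100.5").items()):
        print(f"{peer:15} in={i:6} out={o:6} ratio={r}")
    print("suspected reflection victims:", suspected_victims(SAMPLE_FLOWS, "198.51.100.5"))
```

On the constructed data the spoofed peer shows the 85.9-to-1 ratio the article cites, while the real session stays near 1-to-1; on live data, feed the function flow exports from the server's edge router or firewall.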

Beyond the harm to the Internet as a whole, unsecured RDP poses a danger to the organizations that expose it to the Internet.

“The collateral impact of RDP reflection/amplification attacks is potentially quite high for organizations whose Windows RDP servers are being abused as reflectors/amplifiers,” Netscout explained. “This may include a partial or complete disruption of critical remote access services, as well as additional disruption of service due to consumption of transit capacity, exhaustion of state tables on stateful firewalls, load balancers, etc.”
