Septu comment: A relatively new type of #DDoS attack, reported by NETSCOUT, that amplifies its power by reflecting off Windows RDP servers. It’s a method that has been used for a while by ‘advanced threat actors’ but is now being used by less sophisticated players including those that offer DDoS-for-hire services.
As is often the case with DDoS mitigation, one problem you have is that if you simply block incoming traffic on the relevant port (in this case TCP/RDP 3389), then you risk losing legitimate traffic.
Windows Remote Desktop Protocol (RDP) servers are now being abused by DDoS-for-hire services to amplify Distributed Denial of Service (DDoS) attacks.
The Microsoft RDP service is a built-in Windows service running on TCP/3389 and/or UDP/3389 that enables authenticated remote virtual desktop infrastructure (VDI) access to Windows servers and workstations.
Attacks taking advantage of this new UDP reflection/amplification attack vector by targeting Windows servers with RDP enabled on UDP/3389 have an amplification ratio of 85.9:1 and peak at ~750 Gbps.
Around 14,000 vulnerable Windows RDP servers are reachable over the Internet according to a Netscout advisory published earlier today.
While at first it was only used by advanced threat actors, this newly discovered DDoS amplification vector is now being used by DDoS booters.
“As is routinely the case with newer DDoS attack vectors, it appears that after an initial period of employment by advanced attackers with access to bespoke DDoS attack infrastructure, RDP reflection/amplification has been weaponized and added to the arsenals of so-called booter/stresser DDoS-for-hire services, placing it within the reach of the general attacker population,” Netscout said.
Such platforms are used by threat actors, hacktivists, or pranksters without the skills or time to invest in building up their own DDoS infrastructure.
They rent booters’ services to launch large-scale DDoS attacks targeting servers or sites for various reasons, triggering a denial of service that commonly brings them down or causes disruption.
Mitigation measures
Organizations impacted by attacks abusing their Windows RDP servers as amplifiers can experience complete shutdown of remote-access services, as well as “additional service disruption due to transit capacity consumption, state-table exhaustion of stateful firewalls, load balancers, etc.”
While filtering all traffic on UDP/3389 can mitigate such attacks, this could also lead to legitimate connections and traffic being blocked, including RDP session replies.
To properly mitigate the impact of such attacks, organizations can either completely disable the vulnerable UDP-based service on Windows RDP servers or making the servers available only via VPN by moving them behind a VPN concentrator networking device.
Thus, at-risk organizations are also advised to implement DDoS defenses for public-facing servers to make sure that they can properly respond to an incoming RDP reflection/amplification DDoS attack.
In 2019, Netscout also observed DDoS attacks abusing the Apple Remote Management Service (ARMS) running on macOS servers as a reflection/amplification vector.
ARMS-abusing DDoS attacks spotted in the wild at the time peaked at 70 Gbps, with an amplification ratio of 35.5:1.
CISA provides guidance on how to avoid becoming a DDoS victim, how to detect DDoS attacks, as well as what actions to take while being DDoSed.