
Rental DDoS services are abusing the Microsoft Remote Desktop Protocol to increase the firepower of distributed denial-of-service attacks that paralyze websites and other online services, a security company said this week.
Usually abbreviated as RDP, Remote Desktop Protocol is the basis for a Microsoft Windows feature that allows one device to log into another device over the Internet. RDP is used primarily by companies to save employees the cost or hassle of having to be physically present when accessing a computer.
As is typical of many authenticated systems, RDP responds to login requests with a much longer sequence of bits that establishes a connection between the two parties. So-called booter/stresser services, which for a fee will bombard Internet addresses with enough data to take them offline, recently adopted RDP as a means of amplifying their attacks, security firm Netscout said.
Amplification allows attackers with modest resources to increase the volume of data they direct at a target. The technique works by sending a relatively small amount of data to the amplification service, which in turn reflects a much larger amount of data at the final destination. With an amplification factor of 85.9 to 1, 10 gigabytes per second of requests directed at an RDP server will deliver approximately 860 Gbps to the destination.
“The observed attack sizes range from ~20 Gbps to ~750 Gbps,” wrote the Netscout researchers. “As is routinely the case with more recent DDoS attack vectors, it seems that after an initial period of employment by advanced attackers with access to tailored DDoS attack infrastructure, RDP reflection/amplification has been turned into a weapon and added to the arsenals of so-called booter/stresser rental DDoS services, putting it within reach of the general attacker population.”
DDoS amplification attacks date back decades. As legitimate Internet users collectively close off one vector, attackers find new ones to replace it. DDoS amplifiers have included open DNS resolvers, the WS-Discovery protocol used by IoT devices, and the Network Time Protocol. One of the most powerful amplification vectors in recent memory is the memcached protocol, which has a factor of 51,000 to 1.
DDoS amplification attacks work using UDP network packets, whose source addresses are easily spoofed on many networks. An attacker sends a request to the vector and forges the packet headers so that the request appears to come from the target. The amplification vector then sends its much larger response to the target whose address appears in the spoofed packets.
There are about 33,000 RDP servers on the Internet that can be used in amplification attacks, Netscout said. In addition to UDP, RDP can also be carried over TCP.
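The reflection pattern described above can be spotted from the server's own side. The following is an added detection example, not code from the article or from Netscout: it reads a constructed log of UDP/3389 datagrams (one per line, documentation address ranges) and flags peers that only ever send tiny initial requests yet receive a large response for each one, which is how a spoofed victim looks to an abused RDP server. Server address, thresholds and the log format are assumptions.

```python
"""Flag peers of a monitored RDP server whose UDP/3389 traffic fits the reflection
pattern: the peer only ever sends tiny initial requests (spoofed with the victim's
address), never advances the session, and receives a large response for each one."""
from collections import defaultdict

SERVER_IP = "203.0.113.10"  # constructed: the RDP server whose traffic is being watched
RDP_UDP_PORT = 3389
RATIO_THRESHOLD = 20.0      # outbound/inbound bytes; Netscout's observed factor is 85.9:1
SMALL_REQUEST_BYTES = 128   # inbound datagrams this small look like bare initial requests

# Constructed datagram log (documentation address ranges): proto src sport dst dport bytes.
# 198.51.100.7 is a real client; 192.0.2.44 and 192.0.2.45 are spoofed victim addresses.
SAMPLE_LOG = """\
udp 198.51.100.7 50231 203.0.113.10 3389 120
udp 203.0.113.10 3389 198.51.100.7 50231 9800
udp 198.51.100.7 50231 203.0.113.10 3389 300
udp 203.0.113.10 3389 198.51.100.7 50231 4000
udp 198.51.100.7 50231 203.0.113.10 3389 900
udp 203.0.113.10 3389 198.51.100.7 50231 3000
udp 192.0.2.44 3389 203.0.113.10 3389 100
udp 203.0.113.10 3389 192.0.2.44 3389 8590
udp 192.0.2.44 3389 203.0.113.10 3389 100
udp 203.0.113.10 3389 192.0.2.44 3389 8590
udp 192.0.2.45 53 203.0.113.10 3389 100
udp 203.0.113.10 3389 192.0.2.45 53 8590
tcp 198.51.100.9 40001 203.0.113.10 3389 1500
"""

def find_reflection_victims(log, server_ip=SERVER_IP):
    """Return {peer_ip: out/in byte ratio} for peers matching both abuse criteria."""
    stats = defaultdict(lambda: {"in": [], "out": 0})  # per peer: inbound sizes, outbound bytes
    for line in log.splitlines():
        proto, src, sport, dst, dport, size = line.split()
        if proto != "udp":
            continue  # only the UDP transport of RDP is abused as a reflector
        if dst == server_ip and int(dport) == RDP_UDP_PORT:
            stats[src]["in"].append(int(size))
        elif src == server_ip and int(sport) == RDP_UDP_PORT:
            stats[dst]["out"] += int(size)
    victims = {}
    for peer, s in stats.items():
        if not s["in"]:
            continue  # responses with no request seen in this window: skip
        ratio = s["out"] / sum(s["in"])
        only_bare_requests = all(n <= SMALL_REQUEST_BYTES for n in s["in"])
        if ratio >= RATIO_THRESHOLD and only_bare_requests:
            victims[peer] = round(ratio, 1)
    return victims
```

Calling `find_reflection_victims(SAMPLE_LOG)` returns the two spoofed victim addresses with their 85.9:1 ratio and leaves the real client, whose later session datagrams are larger and more balanced, unflagged.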
Netscout recommended that RDP servers be reachable only through virtual private network services. If RDP servers that offer remote access over UDP cannot be moved behind VPN concentrators immediately, administrators should disable RDP over UDP as an interim measure.
Besides harming the Internet as a whole, insecurely exposed RDP is a danger to the organizations that expose it to the Internet.
“The collateral impact of RDP reflection/amplification attacks is potentially very high for organizations whose Windows RDP servers are used as reflectors/amplifiers,” explained Netscout. “This may include partial or total interruption of mission-critical remote access services, as well as additional service interruption due to the consumption of traffic capacity, exhaustion of the state tables of stateful firewalls, load balancers, etc.”