Security firm Netscout said this week that DDoS-for-hire services are misusing the Microsoft Remote Desktop Protocol to increase the firepower of distributed denial-of-service (DDoS) attacks.
Commonly abbreviated as RDP, the Remote Desktop Protocol underpins a Microsoft Windows feature that lets one device log into another over the Internet. Businesses use RDP to spare themselves the cost and hassle of being physically present at the computers they need to access.
As with many authenticated systems, RDP responds to login requests with a very long sequence of bits, far longer than the request itself, that sets up the connection between the two parties. Netscout said that so-called booter/stresser services, which for a fee bombard Internet addresses with enough data to knock them offline, have recently embraced RDP.
Amplification lets attackers with limited resources multiply the volume of data they direct at a target. The technique works by bouncing relatively small amounts of data off the amplifying service, which reflects a much larger amount of data at the end target. With an amplification factor of 85.9 to 1, 10 gigabytes per second of requests directed at an RDP server will deliver approximately 860Gbps to the target.
Netscout researchers wrote, “Observations range in size from ~20 Gbps to ~750 Gbps. As is regularly the case with new DDoS attack vectors, it appears that after an initial period of employment by advanced attackers with DDoS attack infrastructure, RDP reflection/amplification has been weaponized and added to the arsenals of so-called booter/stresser DDoS-for-hire services, placing it within the reach of the general attacker population.”
DDoS amplification attacks date back decades. As the Internet community collectively closes off one vector, attackers find new ones to replace it. Past DDoS amplifiers include open DNS resolvers, the WS-Discovery protocol used by IoT devices, and the Internet’s Network Time Protocol. One of the most powerful amplification vectors in recent memory is the memcached protocol, with a factor of 51,000 to 1.
DDoS amplification attacks rely on UDP network packets, whose source addresses are easily spoofed on many networks. An attacker sends a request to the amplifier with a forged header indicating that the request came from the target. The amplifier then sends its much larger response to the target, whose address appears as the source in the spoofed packet.
NetScout said there are about 33,000 RDP servers on the Internet that can be misused in amplification attacks. Besides UDP, RDP can also run over TCP.
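As an added illustration, not code from Netscout or from the article, the script below shows how an operator who hosts RDP servers could spot the reflection pattern described above in flow-style records. A legitimate client exchanges a reasonable amount of data in both directions; a spoofed victim address instead "sends" a handful of tiny UDP/3389 requests and receives a response volume tens of times larger. The record format, the sample flows, the server list and the thresholds are all constructed assumptions.

```python
"""Flag UDP/3389 reflection from flow-style records (illustrative example).

Record format, thresholds and sample data are assumptions made for this
example; they are not Netscout's detection logic.
"""
from collections import defaultdict
from dataclasses import dataclass

RDP_UDP_PORT = 3389
MIN_RATIO = 20.0   # assumed: bytes out / bytes in; real sessions are far more balanced
MIN_REQUESTS = 5   # assumed: ignore one-off probes


@dataclass
class PeerStats:
    requests: int = 0   # packets the remote address sent to the server
    bytes_in: int = 0   # bytes the remote address sent to the server
    bytes_out: int = 0  # bytes the server sent back to that address

    @property
    def ratio(self) -> float:
        return self.bytes_out / self.bytes_in if self.bytes_in else 0.0


def parse_flow(line: str):
    """Parse one record: ts proto src_ip src_port dst_ip dst_port packets bytes."""
    ts, proto, sip, sport, dip, dport, pkts, nbytes = line.split()
    return ts, proto, sip, int(sport), dip, int(dport), int(pkts), int(nbytes)


def aggregate(lines, local_servers):
    """Return {server: {peer: PeerStats}} for UDP traffic touching local RDP servers."""
    stats = defaultdict(lambda: defaultdict(PeerStats))
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _, proto, sip, sport, dip, dport, pkts, nbytes = parse_flow(line)
        if proto != "UDP":
            # Reflection needs a spoofable source; TCP's handshake rules that out.
            continue
        if dip in local_servers and dport == RDP_UDP_PORT:
            s = stats[dip][sip]
            s.requests += pkts
            s.bytes_in += nbytes
        elif sip in local_servers and sport == RDP_UDP_PORT:
            stats[sip][dip].bytes_out += nbytes
    return stats


def find_reflection(lines, local_servers, min_ratio=MIN_RATIO, min_requests=MIN_REQUESTS):
    """Return sorted (server, suspected_victim, ratio) tuples for peers that
    receive far more than they send, the hallmark of a spoofed-source reflection."""
    findings = []
    for server, peers in aggregate(lines, local_servers).items():
        for peer, s in peers.items():
            if s.requests >= min_requests and s.ratio >= min_ratio:
                findings.append((server, peer, round(s.ratio, 1)))
    return sorted(findings)


# Constructed sample flows (documentation-range addresses, not real traffic):
# a normal session, a reflected victim, a single probe, and a TCP session.
SAMPLE_FLOWS = """
# ts proto src_ip src_port dst_ip dst_port packets bytes
2021-01-22T10:00:00 UDP 198.51.100.5 50123 192.0.2.10 3389 6 3000
2021-01-22T10:00:00 UDP 192.0.2.10 3389 198.51.100.5 50123 8 9000
2021-01-22T10:00:01 UDP 203.0.113.7 40001 192.0.2.10 3389 50 1600
2021-01-22T10:00:01 UDP 192.0.2.10 3389 203.0.113.7 40001 120 137440
2021-01-22T10:00:02 UDP 198.51.100.9 41000 192.0.2.10 3389 1 32
2021-01-22T10:00:02 UDP 192.0.2.10 3389 198.51.100.9 41000 2 2500
2021-01-22T10:00:03 TCP 203.0.113.7 40002 192.0.2.10 3389 40 3000
2021-01-22T10:00:03 TCP 192.0.2.10 3389 203.0.113.7 40002 60 90000
"""

LOCAL_RDP_SERVERS = {"192.0.2.10"}  # assumed: the servers this operator is responsible for

if __name__ == "__main__":
    for server, victim, ratio in find_reflection(SAMPLE_FLOWS.splitlines(), LOCAL_RDP_SERVERS):
        print(f"{server} is reflecting UDP/3389 toward {victim} at {ratio}:1")
```

The flagged peer in the sample, 203.0.113.7, receives 137440 bytes for 1600 bytes of requests, the same 85.9:1 ratio the article quotes; the normal session (3:1) and the single probe (too few requests) are not reported. In practice the victim address is the one to notify, and the finding is also a cue to move the server behind a VPN or disable RDP over UDP, as the article's recommendations describe.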
NetScout recommended that RDP servers be made accessible only through virtual private network (VPN) services. Where RDP servers offering remote access over UDP cannot be moved behind VPN concentrators right away, administrators should disable RDP over UDP as an interim measure.
Besides harming the Internet as a whole, insecure RDP servers are a threat to the organizations that expose them to the Internet.
“The collateral effect of RDP reflection/amplification attacks is potentially significantly greater for organizations whose Windows RDP servers are misused as reflectors/amplifiers,” Netscout explained. “This may include partial or complete disruption of mission-critical remote-access services, as well as additional service disruption due to consumption of transit capacity, state-table exhaustion of stateful firewalls, load balancers, etc.”