DDoS-for-hire services abuse the Microsoft Remote Desktop Protocol to increase the firepower of distributed denial-of-service attacks that cripple websites and other online services, a security firm said this week.
Commonly abbreviated as RDP, Remote Desktop Protocol underlies the Windows feature that lets one machine log in to and control another over a network, including the Internet. Companies most commonly use it so employees can reach a computer without the expense or hassle of being physically present.
Like many network services, RDP answers a short connection request with a much larger reply. When that request arrives over UDP, the reply is sent to whatever source address the request claims, and so-called booter/stresser services, which for a fee bombard Internet addresses with enough data to take them offline, have recently embraced this as a means of amplifying their attacks, according to security firm Netscout.
The amplification lets attackers with only modest resources multiply the volume of data they aim at a target. The technique works by bouncing a relatively small amount of data off the amplification service, which reflects a much larger amount of data onto the ultimate target. With a gain of 85.9 to 1, 10 gigabits per second of requests directed at exposed RDP servers deliver roughly 860 Gbps to the target.
“Observed attack sizes range from ~20 Gbps – ~750 Gbps,” Netscout researchers wrote. “As is routinely the case with newer DDoS attack vectors, after an initial period of employment by advanced attackers with access to custom DDoS attack infrastructure, RDP reflection/amplification has been weaponized and added to the arsenal of so-called booter/stresser DDoS-for-hire services, bringing it within reach of the general attacker population.”
DDoS amplification attacks date back decades. As network operators close off one vector, attackers find new ones to take its place. Past and present amplifiers include open DNS resolvers, the WS-Discovery protocol used by IoT devices, and the Internet’s Network Time Protocol. One of the most powerful amplification vectors in recent memory is memcached, with an amplification factor of up to 51,000 to 1.
DDoS amplification attacks rely on UDP, which has no handshake and so lets a sender forge the source address in a packet’s IP header on any network that does not filter outbound spoofed traffic. The attacker sends the reflector a request whose source address is forged to be the target’s; the reflector then sends its much larger response to the target, which never asked for it. Networks that implement source-address validation (BCP 38) stop their hosts from originating such spoofed requests in the first place.
Netscout counted about 33,000 RDP servers on the Internet that can be abused in amplification attacks. RDP’s primary transport is TCP on port 3389, whose three-way handshake defeats source spoofing; what the attackers abuse is the optional UDP transport on the same port, which Windows has offered alongside TCP since RDP 8.0.
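The reflection pattern described above leaves a recognisable trace in flow records from the reflector’s own network: a peer that sends only tiny packets to UDP/3389 yet receives large, uniform replies back. The following is an added example, not code from the article or from Netscout, that scans NetFlow-style records for that pattern. The CSV, its field names, and the ratio and packet-size thresholds are constructed assumptions; adjust them to your collector’s export format. The peer address it reports as the victim is the forged source address, not a host that really sent the requests.

```powershell
# Constructed sample flows (assumed field names): one reflection pair and
# one legitimate, bidirectional RDP-over-UDP session for contrast.
$sampleFlows = ConvertFrom-Csv @'
src,sport,dst,dport,proto,bytes,packets
198.51.100.7,40122,203.0.113.10,3389,UDP,1500,50
203.0.113.10,3389,198.51.100.7,40122,UDP,126000,100
192.0.2.44,51010,203.0.113.10,3389,UDP,62000,55
203.0.113.10,3389,192.0.2.44,51010,UDP,84000,70
'@

function Find-RdpReflectors {
    param(
        [Parameter(Mandatory)] $Flows,
        [int]    $RdpPort      = 3389,
        [double] $MinRatio     = 20,    # assumed threshold: outbound/inbound byte ratio
        [int]    $MinAvgPacket = 1000   # assumed threshold: amplified replies are large
    )
    # Aggregate bytes per (local RDP host, remote peer) pair in both directions.
    $pairs = @{}
    foreach ($f in $Flows) {
        if ($f.proto -ne 'UDP') { continue }
        if ([int]$f.sport -eq $RdpPort) {
            # Reply direction: local host answering from UDP/3389.
            $key = "$($f.src)|$($f.dst)"
            if (-not $pairs.ContainsKey($key)) { $pairs[$key] = @{ Out = 0L; OutPkts = 0L; In = 0L } }
            $pairs[$key].Out     += [long]$f.bytes
            $pairs[$key].OutPkts += [long]$f.packets
        }
        elseif ([int]$f.dport -eq $RdpPort) {
            # Request direction: traffic arriving at UDP/3389 (source may be forged).
            $key = "$($f.dst)|$($f.src)"
            if (-not $pairs.ContainsKey($key)) { $pairs[$key] = @{ Out = 0L; OutPkts = 0L; In = 0L } }
            $pairs[$key].In += [long]$f.bytes
        }
    }
    foreach ($key in $pairs.Keys) {
        $p = $pairs[$key]
        if ($p.OutPkts -eq 0) { continue }
        $ratio  = $p.Out / [math]::Max([long]$p.In, 1L)
        $avgPkt = $p.Out / $p.OutPkts
        # A real session is roughly symmetric; a reflector sends far more than it gets.
        if ($ratio -ge $MinRatio -and $avgPkt -ge $MinAvgPacket) {
            $reflector, $peer = $key -split '\|'
            [pscustomobject]@{
                Reflector = $reflector
                Victim    = $peer            # the spoofed source address being flooded
                OutBytes  = $p.Out
                InBytes   = $p.In
                AmpRatio  = [math]::Round($ratio, 1)
                AvgPacket = [math]::Round($avgPkt)
            }
        }
    }
}

# With the sample above, only 203.0.113.10 -> 198.51.100.7 is reported
# (ratio 84, average reply 1260 bytes); the 192.0.2.44 session is not.
Find-RdpReflectors -Flows $sampleFlows | Format-Table -AutoSize
```

Run it against an export of flows whose destination or source port is 3389 over a window of a few minutes; a single peer with a very high ratio is the flagged victim, and a reflector serving many such peers at once is almost certainly listed in a booter’s reflector pool.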
Netscout recommended making RDP servers reachable only through virtual private network services. Where RDP servers that accept connections over UDP cannot immediately be placed behind VPN concentrators, administrators should disable RDP over UDP (UDP/3389) as an interim measure; this removes the reflector while leaving the TCP transport, which cannot be abused this way, in place.
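The interim measure above, as an added example for a single Windows host; this is not a script from the article or from Netscout. It checks whether anything is listening on UDP/3389, forces TCP-only transport through the registry value that the “Select RDP transport protocols” Group Policy writes (1 = Use only TCP; confirm the value against the policy template in your environment), and adds a host-firewall rule that blocks inbound UDP/3389 without touching TCP/3389. The firewall rule name is an assumption. Run it elevated, and not from the RDP session you are about to cut.

```powershell
# 1. Audit: is the RDP service (or anything else) bound to UDP/3389?
Get-NetUDPEndpoint -LocalPort 3389 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 2. Prefer TCP only. This is the registry value behind the Group Policy
#    "Select RDP transport protocols" (Computer Configuration > Administrative
#    Templates > Windows Components > Remote Desktop Services > Remote Desktop
#    Session Host > Connections); 1 = Use only TCP.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name 'SelectTransport' -Type DWord -Value 1

# 3. Belt and braces: drop inbound UDP/3389 at the host firewall so the host
#    cannot reflect even if the policy is later reverted. TCP/3389 is untouched.
$ruleName = 'Block RDP over UDP (reflection mitigation)'   # assumed name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Protocol UDP -LocalPort 3389 -Action Block | Out-Null
}

# 4. Restart Remote Desktop Services so new connections use the TCP-only
#    setting. This drops active sessions, so run from a console or out-of-band.
Restart-Service -Name TermService -Force

# 5. Verify: the policy value is set and no UDP/3389 listener remains.
Get-ItemProperty -Path $policyKey -Name 'SelectTransport'
Get-NetUDPEndpoint -LocalPort 3389 -ErrorAction SilentlyContinue
```

On a fleet, push the same SelectTransport value through Group Policy rather than editing each host; the firewall rule is still worth keeping as a backstop because it blocks the amplified traffic even on hosts where the policy has not yet applied.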
Beyond harming the Internet as a whole, unsecured RDP also poses a threat to the organizations that expose it.
“The additional impact of RDP reflection/amplification attacks is potentially quite high for organizations whose Windows RDP servers are being exploited as reflectors/amplifiers,” explains Netscout. “This can include partial or complete disruption of mission-critical remote access services, as well as additional service disruptions due to transit capacity consumption, exhaustion of stateful firewalls, load balancers, etc.”