Among the attacks we see on the network, DDoS has grown considerably in recent years. A distributed denial-of-service attack aims to make a service unavailable: for example, attackers flood a web server with so many requests that it can no longer respond to legitimate users. In this article we cover how exposed Windows Remote Desktop servers are being abused to amplify DDoS attacks.
Windows Remote Desktop servers used as DDoS amplifiers
Keep in mind that remote services of every kind have gained popularity recently. The Covid-19 pandemic has brought important changes, among them in the way we connect to the Internet, communicate and work. This represents an opportunity for cybercriminals, who look for new ways to carry out their attacks. At the end of the day, they tend to go after whatever has the most users.
This time the target is Microsoft's Remote Desktop Protocol (RDP), which is being abused to amplify distributed denial-of-service (DDoS) attacks. The RDP service is built into Windows and listens on TCP port 3389 and, when the UDP transport is enabled, UDP port 3389. It provides authenticated remote access to desktops on servers and workstations and to virtual desktop infrastructure (VDI). Only the UDP transport matters for amplification: because UDP is connectionless, an attacker can send small packets carrying the victim's spoofed source address to UDP/3389 on an exposed server, and the server's larger replies are delivered to the victim instead of the attacker.
According to Netscout, around 14,000 vulnerable Windows RDP servers are reachable from the Internet and are already being used as this new DDoS amplification vector. The technique has been added to the arsenal of so-called booters, DDoS-for-hire services, which puts it within reach of anyone willing to pay.
Customers rent booter services to launch large-scale DDoS attacks against servers or sites, for whatever motive, triggering a denial of service that commonly knocks the target offline or causes repeated outages.
How to avoid this problem and stay protected
An organization whose Windows RDP servers are being abused as amplifiers may itself suffer the consequences: the reflected traffic consumes its bandwidth and can cause a complete loss of remote access services as well as continuous outages.
One mitigation is to filter all UDP/3389 traffic at the network edge. This stops the attacks, but if network operators filter indiscriminately they can also block legitimate traffic, including the UDP replies of genuine RDP sessions. On the RDP host itself the impact is smaller: RDP clients negotiate the UDP transport only after the TCP connection is established and fall back to TCP when UDP is unavailable, so blocking UDP/3389 on the host costs some performance but does not cut off access.
Another option is to disable the UDP transport entirely on the RDP servers (the "Select RDP transport protocols" policy, set to "Use only TCP"), or to take the servers off the public Internet altogether and make them reachable only through a VPN, by placing them behind a VPN concentrator.
Organizations at risk should also deploy DDoS defenses in front of their public-facing servers so that they can respond appropriately to an incoming attack.
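As an added example (not code from the original article or from Netscout), the following PowerShell script applies the host-side version of these two mitigations on a Windows RDP server and checks the result before and after. It assumes Windows 8 / Windows Server 2012 or later (where the RDP UDP transport exists) and an elevated session run from a console or out-of-band connection, since restarting the service drops active RDP sessions. The registry key, value name, built-in firewall rule group and cmdlets are the standard Windows ones; the display name of the new block rule is our own choice.

```powershell
#Requires -RunAsAdministrator
# Added example: harden a Windows RDP host against UDP/3389 reflection.
# 1) Force RDP to TCP-only transport ("Select RDP transport protocols" policy).
# 2) Block inbound UDP/3389 in Windows Defender Firewall as a second layer.
# Clients fall back to TCP automatically when UDP is unavailable.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$BlockRuleName = 'Block RDP UDP 3389 (reflection mitigation)'   # our own name

function Get-RdpUdpExposure {
    # Report the policy setting and whether anything is bound to UDP/3389 right now.
    $transport = (Get-ItemProperty -Path $PolicyKey -Name SelectTransport `
                  -ErrorAction SilentlyContinue).SelectTransport
    $listener  = Get-NetUDPEndpoint -LocalPort 3389 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SelectTransport = if ($null -eq $transport) { 'not set (default: UDP and TCP)' }
                          elseif ($transport -eq 1) { '1 (Use only TCP)' }
                          else { "$transport (UDP enabled)" }
        UdpListener3389 = [bool]$listener
        BlockRuleExists = [bool](Get-NetFirewallRule -DisplayName $BlockRuleName `
                                 -ErrorAction SilentlyContinue)
    }
}

function Disable-RdpUdpTransport {
    # SelectTransport: 0 = UDP and TCP, 1 = TCP only, 2 = either UDP or TCP.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name SelectTransport -Value 1 -Type DWord

    # Explicit block rule: block rules win over allow rules in Windows Firewall,
    # so this holds even if the policy above is later reverted.
    if (-not (Get-NetFirewallRule -DisplayName $BlockRuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $BlockRuleName -Direction Inbound `
            -Protocol UDP -LocalPort 3389 -Action Block -Profile Any | Out-Null
    }

    # Also disable the built-in "Remote Desktop - User Mode (UDP-In)" allow rule,
    # found by protocol rather than by name so localized systems are handled too.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-NetFirewallPortFilter).Protocol -eq 'UDP' } |
        Disable-NetFirewallRule
}

Write-Host 'Before hardening:'
Get-RdpUdpExposure | Format-List

Disable-RdpUdpTransport

# The transport policy is read when Remote Desktop Services starts; restart it so
# the UDP listener disappears. WARNING: this drops every active RDP session.
Restart-Service -Name TermService -Force

Write-Host 'After hardening:'
Get-RdpUdpExposure | Format-List
```

The firewall rule takes effect immediately; the policy change only shows up in the listener check after the service restart, which is why the script reports the state twice. In a domain, the same SelectTransport setting is better pushed through Group Policy (Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections > Select RDP transport protocols) than set host by host.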
It is always worth guarding against this kind of attack. In another article we discussed how to mitigate DDoS attacks on servers: a series of recommendations worth putting into practice to keep the network secure and available.