Researchers at Netscout has discovered a new DDoS attacking vector, where the attackers are abusing the Windows RDP servers to amplify the junk traffic while hitting targets. The loophole in this is that RDP servers being exposed on port 3389, which would let attackers with fewer resources amplify general traffic into junk.
A New DDoS Attacking Vector
Netscout, a cybersecurity firm has released an alert on Tuesday, where it detailed a new DDoS attacking vector. The Distributed Denial of Service (DDoS) is about driving malicious traffic against a website or a server so that it crushes down on handling more than its capacity.
This bars genuine users from accessing the service while it’s down. Since attacking from a single device can be spotted easily, hackers often use multiple devices from various places to attack at once, thus being distributed and hard to trace. A new vector for doing this was spotted, where the attackers are using Windows RDP servers.
Here, they’re targeting the RDP servers that have the RDP authentication on, and with UDP port 3389 enabled over the general TCP port 3389. Starting it, attackers would initially send malformed UDP packets to the RDP servers, which are bounced back by UDP ports against the target’s system in amplified size.
As researchers spotted, attackers are able to amplify this attack in a great manner, since sending just a few bytes of the data request to RDP servers is returning about 1,260 bytes of attack packets against the target. This lets hackers with even low-end resources launch large scale attacks, thus it received an amplification factor of 85.9.
Attackers are abusing this so heavily that, it’s now added to the booter/stresser DDoS-for-hire services package, giving the general attackers a new choice. Thus, researchers are warning system admins to use VPNs on such vulnerable RDP servers or switch them to an equivalent TCP port or pull them offline for avoiding attacks.