Windows RDP servers are compromised for DDoS attacks

Cybercrime gangs are abusing Windows Remote Desktop Protocol (RDP) systems to bounce and amplify junk traffic as part of DDoS attacks. RDP is a part of the Microsoft Windows OS that provides authenticated remote virtual desktop infrastructure (VDI) access to Windows-based workstations and servers. System administrators can configure RDP to run on TCP port 3389 and/or UDP port 3389.
Attackers can send the amplified attack traffic, which is comprised of non-fragmented UDP packets that originate at UDP port 3389, to target a particular IP address and UDP port of choice, researchers said.
According to Netscout, attackers can send malformed UDP packets to the UDP ports of RDP servers. The servers reflect these packets to the target of a DDoS attack, amplified in size, resulting in junk traffic hitting the target's system.
This is what security researchers call a DDoS amplification factor, and it allows attackers with access to limited resources to launch large-scale DDoS attacks by amplifying junk traffic with the help of internet exposed systems.
Netscout is now asking system administrators who run RDP servers exposed on the internet to take systems offline, switch them to the equivalent TCP port, or put the RDP servers behind VPNs in order to limit who can interact with vulnerable systems.
Currently, Netscout said it is detecting more than 33,000 RDP servers exposed online and running on UDP port 3389.
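For administrators who want to check whether their own RDP servers are being used this way, the following added example (not from Netscout or the original article) compares UDP/3389 request and reply volume per server and remote peer in flow records. The record layout, the sample data and the thresholds are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed flow records (not real traffic), assumed layout:
# src_ip,src_port,dst_ip,dst_port,proto,bytes
SAMPLE_FLOWS = """\
198.51.100.7,40000,10.0.0.5,3389,udp,400
10.0.0.5,3389,198.51.100.7,40000,udp,30000
203.0.113.9,51000,10.0.0.6,3389,udp,5000
10.0.0.6,3389,203.0.113.9,51000,udp,6000
203.0.113.9,52000,10.0.0.6,3389,tcp,900
10.0.0.5,53,198.51.100.7,40000,udp,90000
"""

RDP_PORT = 3389

def udp_rdp_ratios(flow_csv):
    """Return {(server, peer): (bytes_in, bytes_out)} for UDP/3389 flows only."""
    totals = defaultdict(lambda: [0, 0])
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 6 or row[4].lower() != "udp":
            continue  # skip malformed rows and anything that is not UDP
        src, sport, dst, dport, _, nbytes = row
        if int(dport) == RDP_PORT:    # request sent towards the RDP server
            totals[(dst, src)][0] += int(nbytes)
        elif int(sport) == RDP_PORT:  # reply leaving the RDP server
            totals[(src, dst)][1] += int(nbytes)
    return {pair: tuple(counts) for pair, counts in totals.items()}

def suspected_reflectors(flow_csv, min_ratio=10.0, min_bytes_out=10000):
    """Flag server/peer pairs whose UDP/3389 replies dwarf the requests.

    min_ratio and min_bytes_out are illustrative thresholds, not values
    from the article; tune them against a baseline of normal RDP use.
    """
    hits = []
    for (server, peer), (b_in, b_out) in sorted(udp_rdp_ratios(flow_csv).items()):
        if b_out < min_bytes_out:
            continue  # too little outbound volume to matter
        ratio = b_out / b_in if b_in else float("inf")
        if ratio >= min_ratio:
            hits.append((server, peer, round(ratio, 1)))
    return hits

if __name__ == "__main__":
    for server, peer, ratio in suspected_reflectors(SAMPLE_FLOWS):
        print(f"{server}: UDP/3389 replies to {peer} are {ratio}x the requests")
```

A flagged pair is a cue to apply the mitigations above to that server, since in a reflection attack the "peer" address is the spoofed victim rather than a real RDP client.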