Microsoft’s Remote Desktop Protocol (RDP) is actually used to connect several Windows computers with one another, but DDoS services abuse the protocol to carry out distributed denial-of-service attacks (DDoS) on other services.
According to the security firm Netscout, attackers are using Windows RDP systems to amplify DDoS attacks.
As is often the case with systems with authentication, the response to a request is significantly more extensive than the request itself. The DDoS services exploit this fact for so-called reflection or amplification attacks — they send fake data packets to a service and use the victim’s IP address as the source. The service replies automatically and sends a multiple of the data received to the victim’s IP address.
However, an incorrect sender address can only be set via UDP, since, unlike TCP, only packets are sent here, but a connection between the computers involved is not negotiated. In addition to RDP, the Domain Name Service (DNS) and NTP time synchronization have already been used in this way.
In the case of RDP, according to Netscout, the rate is 85.9 to 1. For example, if an attacker sends 1 GBit per second to an RDP service, it sends around 86 GBit per second to the victim. The scope of attacks already observed ranges from around 20 GBit/s up to 750 GBit/s, writes the research team from Netscout. In addition to the actual victim, the RDP servers can also be brought to their knees as collateral damage.
“As is routinely the case with newer DDoS attack vectors, it appears that after an initial period of employment by advanced attackers with access to bespoke DDoS attack infrastructure, RDP reflection/amplification has been weaponized and added to the arsenals of so-called booter/stresser DDoS-for-hire services, placing it within the reach of the general attacker population.” — summarizes Netscout.
In total, there are around 33,000 RDP servers on the Internet that could be misused for such attacks. If you want to protect yourself and others, you should run your RDP server as TCP-only.