Windows Remote Desktop servers hacked for use in DDoS attacks
Microsoft becomes the latest tech firm to have its resources misused
Microsoft is the latest major tech firm to find that its resources are being misused as part of a DDoS attack. It has been reported that Windows Remote Desktop Protocol (RDP) servers are being exploited to amplify attacks.
Application and network performance management firm Netscout revealed that attackers are utilizing a new UDP reflection/amplification attack vector built into the Windows RDP service to achieve an amplification ratio of 85.9:1 and peak at ~750 Gbps for their DDoS attacks.
“The collateral impact of RDP reflection/amplification attacks is potentially quite high for organizations whose Windows RDP servers are abused as reflectors/amplifiers,” a Netscout update reads. “This may include partial or full interruption of mission-critical remote-access services, as well as additional service disruption due to transit capacity consumption, state-table exhaustion of stateful firewalls, load balancers, etc. Wholesale filtering of all UDP/3389-sourced traffic by network operators may potentially overblock legitimate internet traffic, including legitimate RDP remote session replies.”
Dealing with disruption
It now appears that the RDP reflection/amplification vector is being offered as a DDoS-for-hire service, putting it in the hands of threat actors who lack the skill or inclination to build their own DDoS infrastructure.
As Netscout mentioned, it is not only the victims of DDoS attacks that are affected by this misuse of Windows RDP servers.
Organizations whose resources are exploited in this way can also face disruption. To mitigate the damage, businesses can either disable the vulnerable UDP-based RDP service or make the affected servers reachable only via VPN.
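An added example, not from the article or from Netscout, showing how a defender can check flow records for this abuse without the wholesale UDP/3389 filter the Netscout update warns against: it compares bytes a server sends from UDP/3389 to a peer with bytes that peer sent it, so roughly symmetric sessions pass while reflected traffic stands out. The flow records, hosts and the 20:1 threshold are constructed assumptions.

```python
from collections import defaultdict

RDP_UDP_PORT = 3389

# Constructed unidirectional flow records: (src, sport, dst, dport, proto, bytes).
FLOWS = [
    # Ordinary RDP-over-UDP session: request and reply volumes are comparable.
    ("198.51.100.10", 50000, "203.0.113.5", 3389, "udp", 10000),
    ("203.0.113.5", 3389, "198.51.100.10", 50000, "udp", 15000),
    # Spoofed requests "from" 192.0.2.7; each reflector answers ~86x larger.
    ("192.0.2.7", 40001, "203.0.113.5", 3389, "udp", 1260),
    ("203.0.113.5", 3389, "192.0.2.7", 40001, "udp", 108234),
    ("192.0.2.7", 40002, "203.0.113.9", 3389, "udp", 1260),
    ("203.0.113.9", 3389, "192.0.2.7", 40002, "udp", 108234),
]

def rdp_udp_amplification(flows):
    """Map (server, peer) -> (bytes_out, bytes_in, ratio) for hosts talking
    on UDP/3389. ratio = bytes the server sent from UDP/3389 to the peer over
    bytes the peer sent to UDP/3389 (bytes_out alone if nothing came in)."""
    out, inn = defaultdict(int), defaultdict(int)
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if sport == RDP_UDP_PORT:      # reply leaving an RDP server
            out[(src, dst)] += nbytes
        elif dport == RDP_UDP_PORT:    # request arriving at an RDP server
            inn[(dst, src)] += nbytes
    result = {}
    for key in set(out) | set(inn):
        o, i = out[key], inn[key]
        result[key] = (o, i, round(o / i if i else float(o), 1))
    return result

def flag_reflection(flows, min_ratio=20.0):
    """Return (reflectors, likely_victims) for pairs whose reply/request byte
    ratio reaches min_ratio. Sessions are roughly symmetric; Netscout measured
    85.9:1 for the abuse, so 20 (an assumed threshold) leaves a wide margin."""
    reflectors, victims = set(), set()
    for (server, peer), (_, _, ratio) in rdp_udp_amplification(flows).items():
        if ratio >= min_ratio:
            reflectors.add(server)
            victims.add(peer)
    return sorted(reflectors), sorted(victims)

if __name__ == "__main__":
    for pair, stats in sorted(rdp_udp_amplification(FLOWS).items()):
        print(pair, stats)
    print("reflectors / likely victims:", flag_reflection(FLOWS))
```

The flagged peer is the spoofed address, i.e. the real DDoS target, which is the contact a reflector operator would want to notify while leaving ordinary sessions untouched.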
Late last year, it was discovered that cyberattackers had found a way to amplify their DDoS attacks by using Citrix’s ADC networking equipment.
Barclay has been writing about technology for a decade, starting out as a freelancer with ITProPortal covering everything from London’s start-up scene to comparisons of the best cloud storage services. After that, he spent some time as the managing editor of an online outlet focusing on cloud computing, furthering his interest in virtualization, Big Data, and the Internet of Things.