A report released by Netscout on Tuesday, January 19th, 2021 outlined how threat actors are abusing Microsoft Remote Desktop Protocol (RDP) servers to reflect and amplify Distributed Denial of Service (DDoS) attacks. Not every RDP server can be abused. Amplification only works when the RDP service is enabled on UDP port 3389 in addition to the standard TCP port 3389, and when that UDP listener is reachable directly from the Internet. Attackers send the exposed server malformed UDP requests whose source address is spoofed to that of the intended victim, so the server's responses are reflected to the victim rather than back to the attacker. Netscout measured an amplification ratio of about 85.9:1, meaning each byte the attacker sends produces roughly 86 bytes of response traffic at the target; a modest amount of attacker bandwidth is therefore turned into a large flood, and because the flood is sourced from UDP/3389 on a legitimate RDP server, the victim sees that server, not the attacker, as the sender. Operators of Internet-facing RDP servers should disable the UDP transport or restrict access to it (for example by placing RDP behind a VPN), which removes the reflection vector without affecting RDP over TCP; on the victim side, the amplified traffic is UDP sourced from port 3389 and arriving from many unrelated servers, which makes it distinctive enough to filter at the network edge.
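The following is an added example, not code from the Netscout report or from this article. It shows how a responder could spot the reflected traffic described above in flow records: UDP flows sourced from port 3389 on many distinct servers converging on one destination, with large average datagrams. The flow records, the record format, and the thresholds (at least three reflectors, at least 1000 bytes per packet on average) are constructed assumptions for illustration; the 85.9 ratio is the figure from the report.

```python
"""
Detect reflected/amplified RDP-over-UDP traffic in flow records.

Added example for illustration only. The flow record format and the
sample records below are constructed, not real captures.
"""
from collections import defaultdict
from dataclasses import dataclass

RDP_PORT = 3389
# Amplification ratio reported by Netscout (response bytes / request bytes).
NETSCOUT_AMPLIFICATION = 85.9


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "udp" or "tcp"
    packets: int
    bytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: 'src_ip:src_port dst_ip:dst_port proto packets bytes'."""
    src, dst, proto, pkts, nbytes = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Flow(sip, int(sport), dip, int(dport), proto.lower(), int(pkts), int(nbytes))


def find_rdp_reflection(flows, min_reflectors=3, min_avg_pkt_bytes=1000):
    """
    Group UDP flows sourced from port 3389 by destination IP. A destination
    receiving large UDP datagrams from many distinct RDP servers at once is
    the likely victim: the servers are answering requests whose source
    address was spoofed to the victim's. A single server talking to one
    client (a legitimate RDP/UDP session) does not cross the thresholds.
    Returns {victim_ip: (reflector_count, total_bytes)} for destinations
    exceeding both thresholds (thresholds are assumptions, tune per site).
    """
    per_victim = defaultdict(lambda: [set(), 0, 0])   # reflectors, bytes, packets
    for f in flows:
        if f.proto != "udp" or f.src_port != RDP_PORT:
            continue
        entry = per_victim[f.dst_ip]
        entry[0].add(f.src_ip)
        entry[1] += f.bytes
        entry[2] += f.packets
    suspects = {}
    for victim, (reflectors, nbytes, pkts) in per_victim.items():
        if len(reflectors) >= min_reflectors and nbytes / pkts >= min_avg_pkt_bytes:
            suspects[victim] = (len(reflectors), nbytes)
    return suspects


def attacker_bandwidth_estimate(reflected_bytes, ratio=NETSCOUT_AMPLIFICATION):
    """Bytes the attacker had to send to cause reflected_bytes at the given ratio."""
    return reflected_bytes / ratio


# Constructed sample: four RDP servers flood 203.0.113.5 with large UDP/3389-sourced
# datagrams; 203.0.113.9 has one ordinary RDP/UDP session plus an RDP/TCP session;
# the last record is a non-RDP UDP flow from an ephemeral port.
SAMPLE_FLOWS = """\
198.51.100.10:3389 203.0.113.5:4444 udp 10 12600
198.51.100.11:3389 203.0.113.5:4444 udp 8 10080
198.51.100.12:3389 203.0.113.5:53 udp 12 15120
198.51.100.13:3389 203.0.113.5:4444 udp 5 6300
192.0.2.7:3389 203.0.113.9:3389 udp 4 300
192.0.2.8:3389 203.0.113.9:3389 tcp 40 52000
198.51.100.10:55000 203.0.113.5:4444 udp 10 700
"""


def analyze_sample():
    """Run the detector over the constructed sample and return its findings."""
    flows = [parse_flow(line) for line in SAMPLE_FLOWS.splitlines()]
    return find_rdp_reflection(flows)


if __name__ == "__main__":
    for victim, (count, nbytes) in analyze_sample().items():
        sent = attacker_bandwidth_estimate(nbytes)
        print(f"{victim}: {nbytes} bytes from {count} RDP reflectors "
              f"(~{sent:.0f} attacker bytes at {NETSCOUT_AMPLIFICATION}:1)")
```

On the sample, only 203.0.113.5 is flagged (four reflectors, 44100 bytes, about 1260 bytes per packet); the lone session to 203.0.113.9 and the TCP flow are ignored. The same grouping logic applies to flow exports from a router or firewall once the record parser is adapted to the real format.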
By Anthony Zampino

Introduction

Leading up to the most recent Russian invasion of Ukraine in