Threat Watch

Windows RDP Servers Being Used to Amplify DDoS Attacks

A report released by Netscout on Tuesday, January 19th, 2021 outlined how threat actors are using Windows Remote Desktop Protocol (RDP) servers to amplify their Distributed Denial of Service (DDoS) attacks. Not all RDP servers can be abused. For the amplification to succeed, the RDP service must be listening on UDP port 3389 in addition to the standard TCP port 3389, and the server must be directly reachable from the Internet. Attackers send crafted UDP packets to such a server with the source address spoofed to the DDoS target's IP address, so the server's much larger responses are reflected to the target rather than back to the attacker. Netscout measured an amplification ratio of 85.9:1, meaning that a small amount of traffic sent to the server results in roughly 86 times as much traffic arriving at the target.
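How this abuse shows up in a defender's own telemetry, as an added example that is not part of the Netscout report or the original post: the PowerShell below runs over a handful of constructed flow records (the field names, addresses and byte counts are made up for illustration, with the first host's flows built to reproduce the 85.9:1 ratio from the report) and flags hosts that answer from UDP/3389 with far more bytes than they receive. Legitimate RDP-over-UDP sessions are roughly symmetric, so a high outbound-to-inbound ratio from source port 3389/udp, spread across several destinations, is the signature of a server being used as a reflector.

```powershell
# Added example, not code from the original post or from Netscout.
# Constructed flow records: one line per UDP flow seen from the perspective of our
# own server (src_ip). bytes_in is what the server received on the flow (the trigger
# packets), bytes_out is what it sent back. 10.0.0.5 is the abused reflector;
# 10.0.0.9 carries ordinary, roughly symmetric RDP-over-UDP sessions.
$csv = @'
src_ip,src_port,dst_ip,dst_port,proto,bytes_in,bytes_out
10.0.0.5,3389,203.0.113.10,53982,udp,60,5154
10.0.0.5,3389,203.0.113.10,60311,udp,60,5154
10.0.0.5,3389,203.0.113.10,44120,udp,60,5154
10.0.0.5,3389,198.51.100.7,3074,udp,60,5154
10.0.0.9,3389,192.0.2.44,61001,udp,1340,1460
10.0.0.9,3389,192.0.2.45,61002,udp,1290,1402
'@
$flows = $csv | ConvertFrom-Csv

function Find-RdpReflectors {
    param(
        [Parameter(Mandatory)] [object[]] $Flows,
        # Assumed threshold: a genuine RDP session sits near 1:1, a reflector near 86:1,
        # so anything above 10:1 from source port 3389/udp is worth an alert.
        [double] $MinRatio = 10
    )
    $Flows |
        Where-Object { $_.proto -eq 'udp' -and [int]$_.src_port -eq 3389 } |
        Group-Object -Property src_ip |
        ForEach-Object {
            $bytesIn  = ($_.Group | Measure-Object -Property bytes_in  -Sum).Sum
            $bytesOut = ($_.Group | Measure-Object -Property bytes_out -Sum).Sum
            [pscustomobject]@{
                Reflector = $_.Name
                Flows     = $_.Count
                Targets   = @($_.Group.dst_ip | Sort-Object -Unique).Count
                # Observed amplification ratio for this host; guard against a zero divisor.
                Ratio     = [math]::Round($bytesOut / [math]::Max($bytesIn, 1), 1)
            }
        } |
        Where-Object { $_.Ratio -ge $MinRatio }
}

Find-RdpReflectors -Flows $flows | Format-Table -AutoSize
```

In production the same logic runs over NetFlow/IPFIX or firewall exports summarised into these fields; the Targets column matters because a reflector sends its oversized replies to whatever victim addresses the attacker spoofs, not to a single established peer.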


Administrators who find that their RDP servers can be abused this way should briefly take the server offline, disable the UDP transport (UDP port 3389) so that RDP is served over TCP only, or place the servers behind a VPN to limit who can reach them. In general, RDP should always be secured behind a VPN or a well-configured RDP Gateway server and never be exposed directly to the Internet. DDoS attacks flood networks with traffic and take them offline. Attackers often use such an attack as a distraction while they compromise a server in the background and steal data from it, resulting in a data breach. Companies should use monitoring such as Binary Defense's Managed Detection and Response to watch their servers and workstations for abnormalities 24/7 and respond quickly, so that an attacker's initial access does not become a complete domain takeover.
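Checking a Windows host for the UDP transport and restricting RDP to TCP, as an added example that is not from the original post: the PowerShell below uses the built-in Get-NetUDPEndpoint and NetSecurity cmdlets, the policy registry value behind the Group Policy setting "Select RDP transport protocols" (assumed here to be SelectTransport = 1 for "Use only TCP"; confirm against the policy description on your Windows version) and the built-in firewall rule "Remote Desktop - User Mode (UDP-In)". It restarts Remote Desktop Services, which drops active sessions, so run it in an elevated session during a maintenance window.

```powershell
# Added example, not code from the original post. Run elevated on the RDP host.

# 1. Audit: is anything bound to UDP/3389 on this host?
$udpListeners = Get-NetUDPEndpoint -LocalPort 3389 -ErrorAction SilentlyContinue
if ($udpListeners) {
    $udpListeners | ForEach-Object {
        Write-Warning "RDP UDP listener on $($_.LocalAddress):$($_.LocalPort) (PID $($_.OwningProcess))"
    }
} else {
    Write-Host 'No UDP/3389 listener found; nothing to reflect.'
}

# 2. Policy: force TCP-only transport. This is the registry value written by the GPO
#    Computer Configuration > Administrative Templates > Windows Components >
#    Remote Desktop Services > Remote Desktop Session Host > Connections >
#    "Select RDP transport protocols". Assumed mapping: 1 = "Use only TCP".
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name SelectTransport -Type DWord -Value 1

# 3. Defence in depth: disable the built-in inbound rule for RDP over UDP so that
#    even a listener that comes back after a policy change cannot be reached.
Get-NetFirewallRule -DisplayName 'Remote Desktop - User Mode (UDP-In)' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 4. Apply: restart Remote Desktop Services (this disconnects active sessions), then re-check.
Restart-Service -Name TermService -Force
Start-Sleep -Seconds 3
if (Get-NetUDPEndpoint -LocalPort 3389 -ErrorAction SilentlyContinue) {
    Write-Warning 'UDP/3389 is still bound; check that the policy applied (gpresult /r) and the firewall rule is disabled.'
} else {
    Write-Host 'RDP is now TCP-only on this host.'
}
```

The firewall step is worth keeping even after the transport policy is set: it is the control that holds if someone later flips the policy back or if a domain GPO overrides the local value. Verify from outside the network as well, since the listener check above only proves what the host binds, not what the perimeter lets through.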

More can be read here: