DDoS-for-hire services are abusing Microsoft Remote Desktop Protocol to increase the firepower of distributed denial-of-service attacks that cripple websites and other online services, a security firm said this week.
The Remote Desktop Protocol is usually abbreviated as RDP and is the foundation of a Microsoft Windows feature that allows a device to log into another device over the Internet. RDP is primarily used by businesses to save employees the cost or hassle of having to be physically present when accessing a computer.
As is common with many authenticated systems, RDP responds to a login request with a much longer sequence of bits that establishes a connection between the two parties. So-called booter/stresser services, which for a fee bombard Internet addresses with enough data to take them offline, recently added RDP as a means of amplifying their attacks, said security firm Netscout.
Amplification allows attackers with modest resources to increase the volume of data they direct at targets. The technique works by sending a relatively small amount of data to a reflector service, which in turn reflects a much larger amount of data at the ultimate target. With an amplification factor of 85.9 to 1, 10 gigabytes per second of requests directed at an RDP server deliver approximately 860 Gbps to the target.
"The attack sizes observed range from ~20 Gbit/s to ~750 Gbit/s," wrote Netscout researchers. "As is routinely the case with newer DDoS attack vectors, it appears that after an initial period of employment by advanced attackers with access to bespoke DDoS attack infrastructure, RDP reflection/amplification has been weaponized and added to the arsenals of the so-called booter/stresser DDoS-for-hire services that are accessible to the general attacker population."
DDoS amplification attacks go back decades. As the Internet community collectively blocks one vector, attackers find new ones to take its place. Past DDoS amplifiers include open DNS resolvers, the WS-Discovery protocol used by IoT devices, and the Internet's Network Time Protocol. One of the most powerful amplification vectors in recent memory is the memcached protocol, with a factor of 51,000 to 1.
DDoS amplification attacks work by using UDP network packets, whose source addresses can be easily spoofed on many networks. An attacker sends a request to the vector and forges the packet headers so that the request appears to come from the target. The amplification vector then sends its much larger response to the target whose address appears in the forged packets.
According to Netscout, there are around 33,000 RDP servers on the Internet that can be misused in amplification attacks. In addition to UDP, RDP can also run over TCP; it is the UDP transport that lends itself to this abuse.
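To make the amplification arithmetic and the spoofing mechanics above concrete from the defender's side, here is an added example (not from the article or from Netscout) that scans unidirectional flow records for signs that one's own RDP server is being used as a reflector: a remote address that sends a trickle of UDP/3389 requests but receives a flood of replies is most likely a spoofed victim. The flow format, the host addresses and the traffic volumes are constructed; the 85.9:1 ratio is the one quoted in the article, and UDP port 3389 is assumed as RDP's transport port.

```python
from collections import defaultdict, namedtuple

RDP_UDP_PORT = 3389  # RDP's well-known port; only the UDP transport is abused for reflection

# One unidirectional flow record (NetFlow/IPFIX-style); constructed format for this example.
Flow = namedtuple("Flow", "src sport dst dport proto pkts nbytes")


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bytes delivered to the target per byte the attacker had to send."""
    return response_bytes / request_bytes


def find_reflection_victims(flows, rdp_hosts, min_ratio=10.0, min_pkts=100):
    """Flag remote IPs that receive far more UDP/3389 bytes from our RDP hosts than
    they sent in. Spoofed requests carry the victim's address, so the victim shows
    up as a 'client' sending tiny requests and getting huge replies.
    Returns (remote_ip, byte_ratio, bytes_sent_to_it) tuples, largest first."""
    inbound = defaultdict(lambda: [0, 0])   # remote -> [bytes, pkts] sent to our RDP hosts
    outbound = defaultdict(lambda: [0, 0])  # remote -> [bytes, pkts] our RDP hosts sent back
    for f in flows:
        if f.proto != "udp":
            continue  # TCP completes a handshake, so its source cannot be spoofed this way
        if f.dst in rdp_hosts and f.dport == RDP_UDP_PORT:
            inbound[f.src][0] += f.nbytes
            inbound[f.src][1] += f.pkts
        elif f.src in rdp_hosts and f.sport == RDP_UDP_PORT:
            outbound[f.dst][0] += f.nbytes
            outbound[f.dst][1] += f.pkts
    victims = []
    for remote, (out_bytes, out_pkts) in outbound.items():
        in_bytes = inbound[remote][0]
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if out_pkts >= min_pkts and ratio >= min_ratio:
            victims.append((remote, ratio, out_bytes))
    return sorted(victims, key=lambda v: v[2], reverse=True)


# Constructed sample: 10.0.0.5 is our RDP server, 198.51.100.7 a genuine client, and
# 203.0.113.9 a spoofed victim receiving replies at the article's 85.9:1 ratio.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", 50321, "10.0.0.5", 3389, "udp", 120, 24_000),
    Flow("10.0.0.5", 3389, "198.51.100.7", 50321, "udp", 150, 60_000),
    Flow("203.0.113.9", 3389, "10.0.0.5", 3389, "udp", 500, 30_000),
    Flow("10.0.0.5", 3389, "203.0.113.9", 3389, "udp", 4_000, 2_577_000),
    Flow("10.0.0.5", 3389, "192.0.2.50", 41000, "udp", 10, 3_000),  # too few packets to flag
]

if __name__ == "__main__":
    for ip, ratio, nbytes in find_reflection_victims(SAMPLE_FLOWS, {"10.0.0.5"}):
        print(f"possible reflection victim {ip}: {ratio:.1f}:1, {nbytes} bytes sent")
```

The genuine client is left alone because its reply-to-request byte ratio is only 2.5:1, while the thresholds keep a handful of stray packets from raising an alert.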
Netscout recommended accessing RDP servers only through virtual private network services. If RDP servers that offer remote access over UDP cannot be immediately moved behind VPN concentrators, administrators should disable RDP over UDP as a temporary measure.
Unsecured RDP servers not only harm the Internet as a whole, but also pose a threat to the organizations that expose them to the Internet.
"The collateral impact of RDP reflection/amplification attacks can be quite high for companies whose Windows RDP servers are being abused as reflectors/amplifiers," explained Netscout. "This can include a partial or total disruption of mission-critical remote access services, as well as additional service disruption due to the consumption of transit capacity, state-table exhaustion of stateful firewalls, load balancers, etc."