ASERT Threat Summary

Date/Time: 20Jan2021 2000UTC
Severity: Warning
Distribution:
TLP: WHITE (Recipients may share TLP: WHITE information without restriction, subject only to standard copyright rules.)
Categories: Availability

Overview

The Microsoft Remote Desktop Protocol (RDP) service included in Microsoft Windows operating systems is intended to provide authenticated remote virtual desktop infrastructure (VDI) access to Windows-based workstations and servers. The RDP service can be configured by Windows systems administrators to run on TCP/3389 and/or UDP/3389.

When enabled on UDP/3389, the Microsoft Windows RDP service may be abused to launch UDP reflection/amplification attacks with an amplification ratio of 85.9:1. The amplified attack traffic consists of non-fragmented UDP packets sourced from UDP/3389 and directed towards the destination IP address(es) and UDP port(s) of the attacker’s choice. In contrast to legitimate RDP session traffic, the amplified attack packets are consistently 1,260 bytes in length, and are padded with long strings of zeroes. Approximately 33,000 abusable Windows RDP servers have been identified, to date.

Observed attack sizes range from ~20 Gbps – ~750 Gbps. As is routinely the case with newer DDoS attack vectors, it appears that after an initial period of employment by advanced attackers with access to bespoke DDoS attack infrastructure, RDP reflection/amplification has been weaponized and added to the arsenals of so-called booter/stresser DDoS-for-hire services, placing it within the reach of the general attacker population.

Collateral Impact: 

The collateral impact of RDP reflection/amplification attacks is potentially quite high for organizations whose Windows RDP servers are abused as reflectors/amplifiers. This may include partial or full interruption of mission-critical remote-access services, as well as additional service disruption due to transit capacity consumption, state-table exhaustion of stateful firewalls, load balancers, etc.

Wholesale filtering of all UDP/3389-sourced traffic by network operators may potentially overblock legitimate internet traffic, including legitimate RDP remote session replies.  

Mitigating Factors:

Collateral impact to abusable Windows RDP servers can alert systems administrators to either disable UDP-based service or to deploy Windows RDP servers behind VPN concentrators, thereby preventing them from being utilized in RDP reflection/amplification attacks.

Recommended Actions:

Network operators should perform reconnaissance to identify abusable Windows RDP servers on their networks and/or the networks of their downstream customers. It is strongly recommended that RDP servers should be accessible only via VPN services in order to shield them from abuse. If RDP servers offering remote access via UDP cannot immediately be moved behind VPN concentrators, it is strongly recommended that RDP via UDP/3389 be disabled as an interim measure.

All relevant network infrastructure, architectural, and operational Best Current Practices (BCPs) should be implemented by network operators.

Organizations with business-critical public-facing internet properties should ensure that all relevant network infrastructure, architectural, and operational BCPs have been implemented, including situationally specific network access policies that only permit internet traffic via required IP protocols and ports. Internet access network traffic from internal organizational personnel should be deconflated from internet traffic to/from public-facing internet properties and served via separate upstream internet transit links.  

DDoS defenses for all public-facing internet properties and supporting infrastructure should be implemented in a situationally appropriate manner, including periodic testing to ensure that any changes to organization’s servers/services/applications are incorporated into its DDoS defense plan. Both organic, on-site intelligent DDoS mitigation capabilities should be combined with cloud- or transit-based upstream DDoS mitigation services in order to ensure maximal responsiveness and flexibility during an attack.

It is imperative that organizations operating mission-critical public-facing internet properties and/or infrastructure ensure that all servers/services/application/datastores/infrastructure elements are protected against DDoS attack and included in periodic, realistic tests of the organization’s DDoS mitigation plan. In many instances, we have encountered situations in which obvious elements such as public-facing Web servers were adequately protected, but authoritative DNS servers, application servers, and other critical service delivery elements were neglected, thus leaving them vulnerable to attack.

Specifics of countermeasure selection, tuning, and deployment will vary based upon the particulars of individual networks/resources; the relevant NETSCOUT Arbor account teams and/or ATAC may be consulted with regards to optimal countermeasure selection and employment.

Applicable NETSCOUT Arbor Solutions:  Arbor Sightline, Arbor TMS, Arbor AED, Arbor Cloud

References:

Microsoft Remote Desktop Service 

ASERT Threat Summary: Microsoft Remote Desktop Protocol (RDP) Reflection/Amplification DDoS Attack Mitigation Recommendations - January 2021 - v1.0.2