June 5, 2023

Cybercrime gangs are abusing Windows Remote Desktop Protocol (RDP) systems to bounce and amplify junk traffic as part of DDoS attacks, security firm Netscout published.

Not all RDP servers can be abused, but only systems where RDP authentication is also enabled on UDP port 3389 on top of the standard TCP port 3389.

The attackers can send malformed UDP packets to the UDP ports of RDP servers that will be reflected to the target of a DDoS attack, amplified in size, resulting in junk traffic hitting the target’s system.

This is what security researchers call a DDoS amplification factor, and it allows attackers with access to limited resources to launch large-scale DDoS attacks by amplifying junk traffic with the help of internet exposed systems.

The amplification factor is 85.9, with the attackers sending a few bytes and generating “attack packets” that are “consistently 1,260 bytes in length.”

Administrators who run RDP servers exposed on the internet to take systems offline, switch them to the equivalent TCP port, or put the RDP servers behind VPNs in order to limit who can interact with vulnerable systems. 33,000 such servers exposed online currently

Recent attacks in to limelight include the Constrained Application Protocol (CoAP), the Web Services Dynamic Discovery (WS-DD) protocol, the Apple Remote Management Service (ARMS), Jenkins servers, and Citrix gateways.

Tags:

Leave a Reply

You may have missed

BlackSuit Ransomware Dissection

BlackSuit Ransomware Dissection

June 4, 2023
TheCyberThrone CyberSecurity Newsletter Top 5 Articles – May, 2023

TheCyberThrone CyberSecurity Newsletter Top 5 Articles – May, 2023

June 4, 2023
Cisco buys Armorblox

Cisco buys Armorblox

June 3, 2023
CISA KEV Update Part I – May 2023

CISA KEV Update Part I – May 2023

June 3, 2023
Gigabyte Motherboards Backdoor’ed

Gigabyte Motherboards Backdoor’ed

June 3, 2023
MOVEit Vulnerability Exploited in Wild

MOVEit Vulnerability Exploited in Wild

June 2, 2023
%d bloggers like this: