Connect with us

Hi, what are you looking for?



Thousands of Unprotected RDP Servers Can Be Abused for DDoS Attacks

Cybercriminals have been abusing unprotected servers running Microsoft’s Remote Desktop Protocol (RDP) service to launch distributed denial-of-service (DDoS) attacks, application and network performance management company NETSCOUT warned this week.

Cybercriminals have been abusing unprotected servers running Microsoft’s Remote Desktop Protocol (RDP) service to launch distributed denial-of-service (DDoS) attacks, application and network performance management company NETSCOUT warned this week.

The Windows RDP service is designed to allow users to remotely connect to servers and other devices, often for performing maintenance, deploying updates, and providing help desk support.

Its usage increased significantly as more people work remotely due to the COVID-19 pandemic, which has also resulted in malicious actors increasingly targeting the service to gain access to corporate resources.

However, NETSCOUT warns that RDP has also been abused for UDP reflection and amplification attacks. Windows admins can configure RDP to run on TCP port 3389 or UDP port 3389, and if the latter is enabled, the system can be abused to launch DDoS attacks that have an amplification ratio of 85.9:1.

“The amplified attack traffic consists of non-fragmented UDP packets sourced from UDP/3389 and directed towards the destination IP address(es) and UDP port(s) of the attacker’s choice. In contrast to legitimate RDP session traffic, the amplified attack packets are consistently 1,260 bytes in length, and are padded with long strings of zeroes,” NETSCOUT explained in its alert.

The company has reported seeing roughly 14,000 unprotected RDP servers that can be abused for such attacks.

According to NETSCOUT, DDoS attacks that abuse RDP have already been used by DDoS-for-hire services. The firm has observed attacks ranging between approximately 20 and 750 Gbps.

Advertisement. Scroll to continue reading.

Organizations whose RDP servers are abused for DDoS attacks may experience partial or full disruption to important remote access services, and blocking traffic on UDP port 3389 may not be a good solution as it can lead to legitimate traffic getting blocked as well.

Enterprises have been advised to identify potentially abusable Windows RDP servers on their own networks and the networks of downstream customers, and take action to mitigate the risk. Administrators should either stop running the RDP service on UDP or place servers behind VPN concentrators to reduce the risk of abuse.

“Organizations with business-critical public-facing internet properties should ensure that all relevant network infrastructure, architectural, and operational BCPs have been implemented, including situationally specific network access policies that only permit internet traffic via required IP protocols and ports. Internet access network traffic from internal organizational personnel should be deconflated from internet traffic to/from public-facing internet properties and served via separate upstream internet transit links,” NETSCOUT said.

UPDATE: NETSCOUT has updated its blog post with more information and it now says there are roughly 33,000 abusable RDP servers. 

Related: NXNSAttack: New DNS Vulnerability Allows Big DDoS Attacks

Related: Akamai, Amazon Mitigate Massive DDoS Attacks

Related: Attackers Use CoAP for DDoS Amplification

Related: Memcached Abused for DDoS Amplification Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...