{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2021-005.pdf"
    },
    "title": "Use of Remote Desktop Protocol in DDoS Attacks",
    "serial_number": "2021-005",
    "publish_date": "26-01-2021 19:37:00",
    "description": "DDoS attacks were observed recently, where Microsoft Remote Desktop Protocol (RDP) was abused in order to reflect and amplify the amount of bandwidth involved. This is not a vulnerability by itself, but an abuse of the RDP protocol design. Attacks using this technique were observed with sizes ranging from 20-750 Gbps.",
    "url_title": "2021-005",
    "content_markdown": "---\ntitle: 'Use of Remote Desktop Protocol in\u00a0DDoS\u00a0Attacks'\nversion: '1.0'\nnumber: '2021-005'\ndate: 'January 26, 2021'\n---\n\n_History:_\n\n* _26/01/2021 --- v1.0 -- Initial publication_\n\n# Summary\n\nDDoS attacks were observed recently, where Microsoft Remote Desktop Protocol (RDP) was abused in order to reflect and amplify the amount of bandwidth involved. This is not a vulnerability by itself, but an abuse of the RDP protocol design [1]. Attacks using this technique were observed with sizes ranging from 20-750 Gbps [2].\n\n# Technical Details\n\nThe Remote Desktop Protocol (RDP) service is included in Microsoft Windows operating systems. It provides authenticated remote access to Windows-based workstations and servers. RDP can be configured to run on TCP and/or UDP. By default, both use port 3389.\n\nWhen enabled on UDP, the Microsoft Windows RDP service may be abused to launch UDP reflection/amplification attacks with an amplification ratio of 85.9:1. The amplified attack traffic consists of non-fragmented UDP packets sourced from UDP/3389 and directed towards the destination IP address(es) and UDP port(s) of the attacker\u2019s choice.\n\nThe collateral impact of RDP reflection/amplification attacks also affects the organizations whose Windows RDP servers are abused as reflectors/amplifiers. This may include partial or full interruption of mission-critical remote-access services, as well as additional service disruption due to transit capacity consumption, state-table exhaustion of stateful firewalls, load balancers, etc. Filtering of all UDP/3389-sourced traffic by network operators may also block legitimate traffic, including legitimate RDP remote session replies [2].\n\n# Affected Products\n\nMicrosoft RDP server instances exposed on the Internet.\n\n# Recommendations\n\nIt is recommended that RDP servers be accessible only via VPN services in order to protect them against this attack, but also against other types of abuse [5]. Alternatively, RDP traffic can be tunneled through SSH as described in [3].\n\nAllowing RDP only on TCP, filtering IP sources, and changing the listening port for RDP can be considered as mitigation measures [4, 5].\n\n# References\n\n[1] <https://arstechnica.com/information-technology/2021/01/ddosers-are-abusing-microsoft-rdp-to-make-attacks-more-powerful/>\n\n[2] <https://www.netscout.com/blog/asert/microsoft-remote-desktop-protocol-rdp-reflectionamplification>\n\n[3] <https://www.saotn.org/tunnel-rdp-through-ssh/>\n\n[4] <https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/change-listening-port>\n\n[5] <https://www.techrepublic.com/article/how-to-better-secure-your-microsoft-remote-desktop-protocol-connections/>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>26/01/2021 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>DDoS attacks were observed recently, where Microsoft Remote Desktop Protocol (RDP) was abused in order to reflect and amplify the amount of bandwidth involved. This is not a vulnerability by itself, but an abuse of the RDP protocol design [1]. Attacks using this technique were observed with sizes ranging from 20-750 Gbps [2].</p><h2 id=\"technical-details\">Technical Details</h2><p>The Remote Desktop Protocol (RDP) service is included in Microsoft Windows operating systems. It provides authenticated remote access to Windows-based workstations and servers. RDP can be configured to run on TCP and/or UDP. By default, both use port 3389.</p><p>When enabled on UDP, the Microsoft Windows RDP service may be abused to launch UDP reflection/amplification attacks with an amplification ratio of 85.9:1. The amplified attack traffic consists of non-fragmented UDP packets sourced from UDP/3389 and directed towards the destination IP address(es) and UDP port(s) of the attacker\u2019s choice.</p><p>The collateral impact of RDP reflection/amplification attacks also affects the organizations whose Windows RDP servers are abused as reflectors/amplifiers. This may include partial or full interruption of mission-critical remote-access services, as well as additional service disruption due to transit capacity consumption, state-table exhaustion of stateful firewalls, load balancers, etc. Filtering of all UDP/3389-sourced traffic by network operators may also block legitimate traffic, including legitimate RDP remote session replies [2].</p><h2 id=\"affected-products\">Affected Products</h2><p>Microsoft RDP server instances exposed on the Internet.</p><h2 id=\"recommendations\">Recommendations</h2><p>It is recommended that RDP servers be accessible only via VPN services in order to protect them against this attack, but also against other types of abuse [5]. Alternatively, RDP traffic can be tunneled through SSH as described in [3].</p><p>Allowing RDP only on TCP, filtering IP sources, and changing the listening port for RDP can be considered as mitigation measures [4, 5].</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://arstechnica.com/information-technology/2021/01/ddosers-are-abusing-microsoft-rdp-to-make-attacks-more-powerful/\">https://arstechnica.com/information-technology/2021/01/ddosers-are-abusing-microsoft-rdp-to-make-attacks-more-powerful/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.netscout.com/blog/asert/microsoft-remote-desktop-protocol-rdp-reflectionamplification\">https://www.netscout.com/blog/asert/microsoft-remote-desktop-protocol-rdp-reflectionamplification</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.saotn.org/tunnel-rdp-through-ssh/\">https://www.saotn.org/tunnel-rdp-through-ssh/</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/change-listening-port\">https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/change-listening-port</a></p><p>[5] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.techrepublic.com/article/how-to-better-secure-your-microsoft-remote-desktop-protocol-connections/\">https://www.techrepublic.com/article/how-to-better-secure-your-microsoft-remote-desktop-protocol-connections/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}