Attackers Exploit Windows RDP to Amplify DDoS Traffic by 86 Times
Security researchers at Netscout have observed attackers using Windows RDP servers as reflectors to amplify DDoS traffic. The attacker sends small requests whose source address is spoofed to the victim's, and the server's much larger replies are delivered to the victim. Not every RDP server can be abused this way: only those that expose RDP's UDP transport on port 3389 (in addition to the standard TCP port 3389) respond to the spoofed requests.
According to the researchers, the amplification factor of these attacks is 85.9, and observed attacks have reached 750 Gbps. The amplified "attack packets" are 1,260 bytes each, which at a factor of 85.9 means the triggering requests are roughly 15 bytes. This puts RDP in the same class as other potent amplification vectors such as Jenkins (about 100), DNS (up to 179), WS-Discovery (300 to 500), and NTP (550).
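The figures above translate directly into something a SOC can act on. The following Python is an added example, not code from Netscout or the article: it computes the amplification ratio from the page's numbers and then scans NetFlow-style unidirectional flow records for the reflection signature. The detection relies on one protocol fact: legitimate RDP-UDP transport is negotiated inside an existing TCP/3389 session, so a peer that receives UDP traffic sourced from port 3389 without ever having exchanged TCP/3389 traffic with that server is receiving reflected packets. The flow records, IP addresses and thresholds are constructed for illustration.

```python
"""
Added example (not from Netscout or the article): amplification arithmetic
and a flow-based detector for abused RDP/UDP reflectors.
All flow records below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

RDP_PORT = 3389
# Figures reported in the article: 1,260-byte amplified packets at 85.9x.
RDP_RESPONSE_BYTES = 1260
RDP_AMP_FACTOR = 85.9


def amplification_factor(request_bytes: float, response_bytes: float) -> float:
    """Bandwidth amplification factor: bytes reflected per byte the attacker sends."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


def implied_request_bytes(response_bytes: float, factor: float) -> float:
    """Invert the ratio: how small the request must be to reach the given factor."""
    return response_bytes / factor


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (NetFlow v5 style)."""
    proto: str      # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    bytes: int
    packets: int


def find_rdp_reflection(flows, min_bytes=100_000, min_orphan_peers=5):
    """
    For each server emitting UDP traffic from port 3389, collect the peers that
    never exchanged TCP/3389 traffic with it ("orphan" peers). Since RDP-UDP is
    negotiated over the TCP session, orphan peers are reflection victims.
    Returns {server_ip: {"orphan_peers": n, "bytes": b, "avg_pkt": a}} for
    servers over both thresholds.
    """
    tcp_pairs = set()
    # server -> peer -> [bytes, packets] for UDP traffic sourced from port 3389
    udp_out = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for f in flows:
        if f.proto == "tcp" and RDP_PORT in (f.src_port, f.dst_port):
            tcp_pairs.add(frozenset((f.src_ip, f.dst_ip)))
        elif f.proto == "udp" and f.src_port == RDP_PORT:
            rec = udp_out[f.src_ip][f.dst_ip]
            rec[0] += f.bytes
            rec[1] += f.packets

    hits = {}
    for server, peers in udp_out.items():
        orphans = {p: v for p, v in peers.items()
                   if frozenset((server, p)) not in tcp_pairs}
        total_bytes = sum(v[0] for v in orphans.values())
        total_pkts = sum(v[1] for v in orphans.values())
        if len(orphans) >= min_orphan_peers and total_bytes >= min_bytes:
            hits[server] = {
                "orphan_peers": len(orphans),
                "bytes": total_bytes,
                "avg_pkt": round(total_bytes / total_pkts, 1),
            }
    return hits


def sample_flows():
    """Constructed flow records: one legitimate session and one abused reflector."""
    flows = []
    # Legitimate use: TCP/3389 session, then RDP-UDP from the server to the same client.
    flows.append(Flow("tcp", "198.51.100.7", 51000, "203.0.113.10", 3389, 40_000, 300))
    flows.append(Flow("udp", "203.0.113.10", 3389, "198.51.100.7", 51001, 900_000, 800))
    # Abused reflector: ~15-byte spoofed requests in, 1,260-byte responses out to
    # six "victims" that never opened a TCP session with the server.
    for i in range(1, 7):
        victim = f"192.0.2.{i}"
        flows.append(Flow("udp", victim, 40000 + i, "203.0.113.20", 3389, 15 * 500, 500))
        flows.append(Flow("udp", "203.0.113.20", 3389, victim, 40000 + i, 1260 * 500, 500))
    return flows


if __name__ == "__main__":
    print(f"request size implied by the article's figures: "
          f"{implied_request_bytes(RDP_RESPONSE_BYTES, RDP_AMP_FACTOR):.1f} bytes")
    for server, info in find_rdp_reflection(sample_flows()).items():
        print(f"{server}: {info['orphan_peers']} UDP-only peers, "
              f"{info['bytes']} bytes reflected, avg packet {info['avg_pkt']} bytes")
```

The legitimate server is not flagged even though it pushes far more bytes than it receives, because its only UDP peer also appears in a TCP/3389 flow; a plain in/out byte ratio would have produced a false positive on any busy terminal server. The average packet size of the flagged traffic (1,260 bytes) is a useful secondary confirmation against the figure in the report.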
The researchers note that abuse of RDP for amplification is already becoming widespread. More concerning still, Netscout has identified over 14,000 internet-reachable Windows RDP servers listening on UDP port 3389 that can be used as reflectors.
“As is usually the case with new DDoS attack vectors, after an initial period of use by advanced attackers with access to their own DDoS infrastructure, RDP reflection/amplification has been adopted and added to the arsenal of ‘DDoS-as-a-service’ providers, making this new vector available to the majority of attackers,” the experts warn.