Windows Remote Desktop Servers are Now Utilized for Magnifying DDoS Attacks

Windows RDP (Remote Desktop Protocol) servers are now being used by DDoS-for-hire services to amplify Distributed Denial of Service attacks. According to a Netscout advisory, more than 14,000 Windows RDP servers are reachable over the internet and can be abused this way.

Attackers are taking advantage of this new UDP amplification vector simply by targeting Windows servers that have Remote Desktop Services enabled on UDP/3389, achieving an amplification ratio of 85.9:1 and peaks of ~750 Gbps.

The Microsoft Remote Desktop Protocol service is a built-in Windows component that listens on TCP/3389 and/or UDP/3389 and provides authenticated remote access to virtual desktop infrastructure (VDI), workstations and Windows servers.


Netscout also noted that this new DDoS attack vector follows the usual pattern: after an initial period of use by advanced attackers with access to bespoke DDoS infrastructure, RDP reflection/amplification was weaponized and added to the arsenals of so-called booter or stresser DDoS-for-hire services.

Many attackers rent these services to launch large-scale attacks against multiple servers, bringing them down or disrupting them.

Such platforms are used by threat actors, hackers, or pranksters who lack the time or skills to invest in building their own DDoS infrastructure.

Intensity Measures


Organizations hit by these attacks experience complete outages of their remote-access services, with additional disruption caused by transit capacity consumption and state-table exhaustion on stateful load balancers and firewalls.

Since these attacks arrive on UDP/3389, filtering traffic on that port can be used to mitigate them. The drawback is that such a filter blocks all traffic on the port, including legitimate RDP sessions.

Organizations that examine these attacks carefully should completely disable the UDP-based service of Windows Remote Desktop Protocol and make the servers reachable only through a VPN, by placing them behind a VPN concentrator.

Experts also advise that affected organizations deploy DDoS defenses in front of their internet-facing servers and verify that those defenses work and respond to incoming RDP reflection/amplification DDoS attacks.

In 2019, Netscout also observed DDoS attacks abusing ARMS running on macOS servers as an amplification vector.

ARMS (Apple Remote Management System) was reported abused in in-the-wild attacks that peaked at 70 Gbps with a reflection ratio of 35.5:1.

Read the following section to find out whether you are affected by this kind of attack.

How do you recognize it?

Although the symptoms of a DoS attack are easy to notice, they can resemble non-malicious availability problems, such as technical issues on a particular network or a system administrator performing maintenance. Some symptoms that help you identify a DoS or DDoS attack are listed below:

  • If you are the victim of such an attack, network performance is very slow when opening or accessing websites.
  • Some websites are unavailable, or you are unable to access them at all.

Beyond that, the best way to identify a DoS attack is through network traffic monitoring and analysis, for example with a firewall or an intrusion detection system. An administrator can configure rules that raise an alert when an abnormal traffic load indicating a DoS attack is detected.
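As an added illustration of such an alerting rule (example code written for this article, not from Netscout or the advisory), the script below scans flow records for the signature of RDP UDP/3389 reflection: a server emitting far more bytes from UDP/3389 toward a peer than that peer ever sends it. The record format, the sample addresses and the thresholds are all assumptions made for the demonstration.

```python
from collections import defaultdict

RDP_UDP_PORT = 3389

# Constructed sample flow records (not real telemetry):
# proto,src_ip,src_port,dst_ip,dst_port,packets,bytes
SAMPLE_FLOWS = """\
udp,203.0.113.10,3389,198.51.100.7,40000,1200,1536000
udp,198.51.100.7,40000,203.0.113.10,3389,1200,18000
udp,203.0.113.10,3389,192.0.2.25,50123,5,6400
udp,192.0.2.25,50123,203.0.113.10,3389,5,640
tcp,203.0.113.10,3389,192.0.2.30,51000,800,900000
"""

def parse_flows(text):
    """Parse the comma-separated records above into dicts."""
    flows = []
    for line in text.strip().splitlines():
        proto, src, sport, dst, dport, pkts, nbytes = line.split(",")
        flows.append({"proto": proto, "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport),
                      "packets": int(pkts), "bytes": int(nbytes)})
    return flows

def rdp_udp_pair_stats(flows):
    """Per (rdp_server, peer): bytes/packets the server sent from UDP/3389
    and bytes the peer sent to UDP/3389. TCP RDP is ignored on purpose."""
    stats = defaultdict(lambda: {"out_bytes": 0, "out_packets": 0, "in_bytes": 0})
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["sport"] == RDP_UDP_PORT:      # server -> peer (response direction)
            s = stats[(f["src"], f["dst"])]
            s["out_bytes"] += f["bytes"]
            s["out_packets"] += f["packets"]
        elif f["dport"] == RDP_UDP_PORT:    # peer -> server (request direction)
            stats[(f["dst"], f["src"])]["in_bytes"] += f["bytes"]
    return stats

def find_amplification(flows, min_ratio=20.0, min_packets=1000):
    """Flag pairs where the server emits far more bytes than it receives,
    sustained over many packets: the peer is most likely a spoofed victim
    and the server is being used as a reflector. Returns (server, peer, ratio)."""
    alerts = []
    for (server, peer), s in rdp_udp_pair_stats(flows).items():
        ratio = s["out_bytes"] / max(s["in_bytes"], 1)
        if ratio >= min_ratio and s["out_packets"] >= min_packets:
            alerts.append((server, peer, round(ratio, 1)))
    return sorted(alerts)
```

Legitimate UDP RDP sessions are also asymmetric, since the server streams screen updates, so tune `min_ratio` and `min_packets` against your own baseline rather than taking the defaults here as given.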

If you observe these signs on your systems, read the next section.

What do you do if you are under attack?

If the signs described above appear on your systems, contact your technical team for assistance, or take the steps listed below:

  • Contact your network administrator and check whether any maintenance is running that could have caused the service outage.
  • Ask them to monitor your network traffic and confirm whether an attack is in progress.
  • Identify the source and apply firewall rules.
  • Reroute your traffic through DoS protection services.
  • Contact your Internet service provider to cross-check the outage on their end; they can give you proper advice on how to act.

Conclusion

Nowadays, attackers rapidly plan and execute multiple attacks at once. If you are the victim of an attack, do not lose sight of the other hosts, services and assets connected to the same network. Attackers often use such an attack to divert attention from their main target, and take advantage of that distraction to conduct another attack on a different device on your network.
