Windows RDP Servers Targeted In DDoS Attacks
Windows Remote Desktop Protocol (RDP) servers are being used to weaponize ‘Distributed Denial of Service’ (DDoS) attacks.
Windows RDP Servers Exploited for DDoS Attacks
By default, TCP port 3389 and/or UDP port 3389 provide authenticated remote virtual desktop infrastructure (VDI) access to Windows-based workstations and servers.
Where these default ports are left in use, the RDP service is much easier to identify on remote networks (including over the internet), and systems found that way can be susceptible to ‘Distributed Denial of Service’ (DDoS) attacks.
What is a Distributed Denial of Service (DDoS) attack?
Distributed denial-of-service attacks target websites and online services. The aim is to overwhelm the processes running on them with more traffic than the server or network can accommodate, causing an outage or critical loss of service. Pinging a server from a single source will not cause a DDoS attack, but when threat actors amplify that traffic several thousand times, severe loss of service can occur.
How to Prevent RDP Attacks
No server with Remote Desktop Services running should be configured with the default port, and we recommend changing it immediately. The team, tools, and processes used at Tuearis Cyber can scan every device and easily identify which devices need to be corrected. Trust Tuearis and REST SECURED.
The following PowerShell commands change the port to another selected port and then read the value back to confirm it; we recommend using a nonstandard port (3390 below is only a sample value). The Remote Desktop Services service must be restarted (or the host rebooted) before the listener moves to the new port, and the Windows Firewall must allow the new port.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "PortNumber" -Value 3390
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "PortNumber"
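As an added example (not code from the original post or from Tuearis Cyber), the script below audits the local host's RDP listener port and, when asked, moves it off 3389 together with matching firewall rules and a service restart. It assumes an elevated PowerShell session on a Windows host with the NetTCPIP and NetSecurity modules available; the function names and the sample port 3390 are my own choices.

```powershell
# Added example: audit the RDP listener port and optionally move it off the default.
# Assumes an elevated session; Get-Net* and New-NetFirewallRule need the built-in
# NetTCPIP and NetSecurity modules (present on Windows 8 / Server 2012 and later).
$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpPortStatus {
    # Read the configured port and check whether anything is actually bound to it
    $port = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
    $tcp  = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
    $udp  = Get-NetUDPEndpoint -LocalPort $port -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ConfiguredPort = $port
        IsDefaultPort  = ($port -eq 3389)   # true means the host is still easy to identify
        TcpListening   = [bool]$tcp
        UdpListening   = [bool]$udp
    }
}

function Set-RdpPort {
    param([Parameter(Mandatory)][ValidateRange(1025, 65535)][int]$NewPort)
    $current = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
    if ($current -eq $NewPort) { Write-Host "RDP is already on port $NewPort"; return }
    # Open the new port first so remote access is not lost when the listener moves
    foreach ($proto in 'TCP', 'UDP') {
        New-NetFirewallRule -DisplayName "Remote Desktop ($proto $NewPort)" `
            -Direction Inbound -Protocol $proto -LocalPort $NewPort -Action Allow | Out-Null
    }
    Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $NewPort
    # The registry value only takes effect once Remote Desktop Services rebinds;
    # -Force also restarts dependent services. Active sessions will be dropped.
    Restart-Service -Name TermService -Force
    Get-RdpPortStatus
}

# Usage (3390 is a placeholder; pick your own nonstandard port):
# Get-RdpPortStatus
# Set-RdpPort -NewPort 3390
```

Run Get-RdpPortStatus across a fleet (for example via Invoke-Command) to find hosts still reporting IsDefaultPort = True before changing anything.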