Hackers Can Exploit Windows RDP Servers to Amplify DDoS Attacks

These days, Windows Remote Desktop Protocol (RDP) servers are being exploited by DDoS-for-hire services to expand Distributed Denial of Service (DDoS) attacks. However, we all know that  Microsoft is one of the latest major tech firms to check that all its resources are being ill-treated as part of a DDoS attack.

Cybersecurity researchers have recently reported that Windows Remote Desktop Protocol (RDP) servers are being misused to expand their attacks. According to the report, the Microsoft RDP service has a built-in Windows service that is specifically proceeding on TCP/3389 and UDP/3389.

All these services allow authenticated remote virtual desktop infrastructure (VDI) so that it can access Windows servers and workstations.

Security Impact

The security consequence of RDP reflection/amplification attacks is probably quite high for all those companies whose Windows RDP servers are damaged as reflectors/amplifiers.

Not only this, but it also includes partial or full obstruction of mission-critical remote-access services, as well as further service disruption due to transportation capacity consumption, state-table exhaustion of stateful firewalls, load balancers, etc.

Mitigating circumstances

The cybersecurity researchers affirmed that the security impact to abusable Windows RDP servers could inform the systems administrators to either disable UDP-based service or to expand Windows RDP servers behind VPN concentrators; so, the main point is to prevent them from being used in RDP reflection/amplification initiatives.


There are many actions that have been recommended by the cybersecurity researchers and here we have mentioned them below:

  • The network operators should always perform a survey to recognize abusable Windows RDP servers on their networks.
  • All relevant network foundation, architectural, and operational Best Current Practices (BCPs) should be performed by the network operators. 
  • Not only this, but the organizations with business-critical public-facing internet assets should guarantee that all-important network infrastructure, architectural, and operational BCPs have been performed, including situationally specific network access methods, which only allow internet traffic through required IP protocols and ports.
  • All the organizations that are possessing their resources exploited in this way can also tolerate disruption. So, to mitigate any damage, businesses can select to either disable the vulnerable UCP-based service or make the changed servers available only through VPN.
  • These attacks have a great impact and they are quite risky; therefore, at-risk organizations are also suggested to implement DDoS defenses for public-facing servers to make sure that they can accurately respond to an incoming RDP reflection/amplification DDoS attack.

Moreover, the cybersecurity firm, Netscout asserted that attackers could transfer malformed UDP packets to all the UDP ports of RDP servers that will eventually be reflected as the target of a DDoS attack, expanded in size, appearing in junk traffic crashing the target’s system.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.