MCP Insights

Cybersecurity Threat Advisory: Threat Actors Abusing Windows RDP Servers

Posted on February 4, 2021 by Mike Beagles

As part of our effort to inform our clients about potential and serious cybersecurity issues, MCP provides advisories about vulnerabilities and exploits that could threaten the operations of their critical communications networks. Sign up to receive these advisories in your inbox as soon as they are released.

This week there is a new critical alert that requires the mission-critical community’s immediate attention.

Advisory Overview

The Remote Desktop Protocol (RDP) service for Microsoft Windows devices operating on User Datagram Protocol (UDP) port 3389 can be used in an amplified attack, potentially resulting a distributed denial of service (DDoS) attack on a target. A system that is involved in, or is the target of, such an attack could experience partial or total degradation in usability. It is recommended that RDP services be available exclusively via virtual private network (VPN) services. If that is impossible, then RDP via UDP port 3389 should be blocked.

What is the threat?

The vulnerability exists in the RDP service for Windows, which, when enabled on UDP port 3389, can be used to launch UDP reflection/amplification attacks. This means that an attacker can amplify a low amount of input into a DDoS attack. By doing so, the attacker can direct an inordinately large amount of “junk” traffic to a destination of their choosing. This can result in partial or total loss of function for the devices that are affected.

Why is this noteworthy?

A DDoS attack, while a relatively rudimentary cybersecurity threat, still can cause extensive pain to both the attacker’s target and the devices being used as part of the attack. NetScout, which originally released the report of this vulnerability, has detected more than 33,000 abusable Windows RDP servers to date. This vulnerability is also noteworthy through the lens of general RDP security. Several compromises recently were observed that stemmed from improper security posture pertaining to RDP services. RDP is a very common attack vector in many compromises; if not properly secured, it could result in a breach by something as simple as a brute-force attack. It is common for attacks like these to be offered as a service by cyberattackers, leasing their botnet out to perform these attacks for the highest bidder.

What is the exposure?

If UDP port 3389 is not properly secured, or if RDP is not positioned behind a VPN concentrator, it could result in significant degradation of services if an entity is targeted by a DDoS attack. While the exact nature of the degradation depends on the criticality of the target, a device being rendered partially or totally unusable due to an attack can represent a threat. This can be particularly damaging to a brand if their publicly available infrastructure (e.g., websites) is taken offline regularly or for extended periods of time. Also, if the organization operates as a service, an inability to perform said service also could reflect negatively on the organization.

What are the recommendations?

The recommendations for this vulnerability are relatively straightforward. NetScout recommends that organizations should make their RDP services available exclusively via VPN services if possible, as such a configuration would protect them from this attack. If this is impossible or infeasible, the secondary recommendation is to disable RDP via UDP port 3389. However, it is important to note that if your organization utilizes RDP via UDP port 3389, this will prevent legitimate access as well.

Mike Beagles is MCP’s platform and service product manager and a certified Cisco CyberOps associate. He has more than 13 years of IT and cybersecurity experience. Mike can be emailed at

Subscribe to Newsletter