Internet Accessible MS-RDPEUDP Service.

Description

The Remote Desktop Protocol (RDP) is a proprietary protocol developed by the Microsoft Corporation, that is included in the Windows Operating System. RDP is intended to provide authenticated remote virtual desktop infrastructure (VDI) access to Windows-based workstations and servers. Microsoft RDPEUDP (MS-RDPEUDP), uses the User Datagram Protocol (UDP) as its generic carrier. MS-RDPEUDP is an extension to the Microsoft Remote Desktop Protocol (MS-RDP), that uses the Transmission Control Protocol (TCP) as its generic carrier.

MS-RDP listens on port 3389/TCP. MS-RDPEUDP listens on port 3389/UDP.

Problem

An Internet Accessible MS-RDPEUDP service that is enabled on port 3389/UDP, may be abused for a Distributed Denial-of-Service (DDoS) Reflection/Amplification attack against a third party.

The MS-RDPEUDP service has a Bandwidth Amplification Factor (BAF) of 85.9:1.

The Microsoft RDPEUDP Service

The MS-RDP service is designed to facilitate user interaction with a remote computer system by transferring graphics display information from the remote computer to the user and transporting input from the user to the remote computer, where it may be injected locally. The RDP console is graphical and human driven.

The MS-RDPEUDP service was introduced with RDP Version 8 together with Windows 8 and Windows Server 2012 R2, and is an extension to allow the RDP service over UDP, with the objective of improving the performance of the network connectivity compared to a corresponding RDP over TCP connection, especially on wide area networks (WANs) or wireless networks.

Due to MS-RDPEUDP use of UDP as its generic carrier, MS-RDPEUDP is not subjected to the TCP network congestion control and avoidance algorithm. Congestion control is a reactive algorithm that dynamically adjusts the rate at which data is sent, in order to reduce the amount of network congestion and packet loss. MS-RDPEUDP has the added advantage of lower latency, this is the time taken to transmit a packet of data, from when the data is sent to when that data is received, and is quantified as a timespan. MS-RDPEUDP can process high volumes of data with minimal delay. Between 2 and 8 times more data can be processed in the same time compared to TCP.

The MS-RDPEUDP service has two distinct phases of operation. The initial phase, UDP Connection Initialisation occurs when a UDP connection is initialised between the terminal client and the terminal server. Data pertaining to the connection is exchanged and the UDP connection is set up. Once this phase is completed successfully, the protocol enters the UDP data transfer phase, where Coded Packets are exchanged.

MS-RDPEUDP can operate in one of two modes. The operational mode is determined during the UDP connection initialisation phase.

MS-RDPEUDP Modes of Operation

No. Modes of Operation
1. RDP-UDP-R or "Reliable" Mode: In this mode, the endpoint retransmits datagrams that have been lost by the underlying network fabric.
2. RDP-UDP-L or "Best-Efforts" Mode: In this mode, the reliable delivery of datagrams is not guaranteed, and the endpoint does not retransmit datagrams.

The protocol's two communicating parties, the endpoints of the UDP connection, are peers and use the same protocol. The connection between the two endpoints is bidirectional - data can be transmitted in both directions simultaneously. Logically, each single connection can be viewed as two unidirectional connections. Both of these unidirectional connections are symmetrical and each endpoint has both a Sender and a Receiver entity.

The MS-RDPEUDP payload delivered in a Distributed Denial-of-Service (DDoS) Reflection/Amplification attack consists of non-fragmented UDP packets of 1,260 bytes in length and are padded with long strings of zeros.

Verification

with the standard Linux/Ubuntu distribution can be utilised. The test should not be run on the host itself or from the local network, instead it should be run from a different node on the Internet.

Nmap - (Network Mapper) - (https://nmap.org)

To confirm an Internet accessible MS-RDPEUDP service, the 'Nmap' open source network scanner utility program can be utilised.

Nmap is used to discover hosts and services on a computer network by sending packets and analysing the responses.

Insert the IP address of the host you wish to check for an Internet accessible MS-RDPEUDP service when invoking the 'Nmap' open source network scanner utility program together with the options as included in the following example.

$ sudo nmap -sV -sU -p 3389 xxx.xxx.xxx.xxx

An Internet accessible MS-RDPEUDP service listening on port 3389/UDP will return information similar to that as shown below:

$ sudo nmap -sV -sU -p 3389 xxx.xxx.xxx.xxx
Starting Nmap 7.01 ( https://nmap.org ) at 2021-06-1 16:35 GMT
Nmap scan report for xxx.xxx.xxx.xxx
Host is up.

PORT     STATE SERVICE  VERSION
3389/udp open|filtered ms-wbt-server

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.47 seconds

Options
sudo	:Elevated privileges are required to access raw sockets.
-sV	:Probe open ports to determine service/version info.
-sU  	:UDP Scan.
-p	:Only scan specified port.

Solution

If the MS-RDPEUDP service is not required, disable it or deinstall it.

If the MS-RDPEUDP service is required, restrict access to trusted clients or specific IP addresses.

If the Remote Desk Protocol is required, it is recommended that MS-RDP over TCP be used.

In order to limit who can interact with an Internet Accessible MS-RDPEUDP Service, It is recommended that MS-RDPEUDP servers should only be accessible via a Virtual Private Network (VPN).

Supplementary Information

Ingress & Egress Filtering

Filter Description
Ingress Filtering Ingress filtering is a simple and effective method to limit the impact of DoS attacks,  by denying traffic with a forged IP source address (IP spoofing) access to the network,  and to help ensure that traffic is traceable to its correct network.
Egress Filtering Egress filtering limits the impact of a compromised network in a Denial of Service (DoS) attack on networks of other organisations, by preventing traffic with a forged source (spoofed) IP address from leaving the network.  Port used for remote syslog capture

The implementation of best practice in relation to Ingress filtering limits the impact of a Denial of Service (DoS) attack on one's own network while the implementation of best practice in relation to Egress filtering limits the impact of a compromised network in a Denial of Service (DoS) attack on networks of other organisations.  Additional information on Ingress & Egress Filtering can be found at the following link - Ingress & Engress Filtering

UDP Based Denial-of-Service (DoS) Attack

The User Datagram Protocol (UDP), a generic carrier for several higher-level protocols, has a number of properties that makes it susceptible to exploitation for DoS attacks against third parties.   Additional information on the components and techniques deployed in an UDP based DoS attack can be found at the following link - UDP Based Denial-of-Service (DoS) Attack

Additional Information

Internet Engineering Task Force (IETF) - RFC1831 - Remote Procedure Call Protocol Specification
Shadowserver - Accessible Remote Desktop Protocol Scanning Project
Cyberpark - Explain Like I'm 5: Remote Desktop Protocol (RDP)
Remote Desktop Protocol: UDP Transport Extension
Understanding the Remote Desktop Protocol (RDP)
MP-Research - RDP-UDP (MS-RDPEUDP) Protocol
Microsoft - MS-RDPEUDP Overview
What is RDP? And how to use it
Microsoft - RDP-UDP Protocol