Accessible MS-RDPEUDP

LAST UPDATED: 2022-08-29

Microsoft RDPEUDP is an extension to allow UDP transport for Microsoft Remote Desktop Protocol service (RDP), which by default uses TCP port 3389.

Exposed RDPEUDP services can be used as reflectors in DDoS amplification attacks. The response to the initial request packet is amplified ~28 times, with the protocol sending that response 3 times. As of January 2021, this service has been found to be abused in ongoing network attacks.

The scan was first announced in a January 25th 2021 blog entry here.

For more information on our scanning efforts, check out our Internet scanning summary page.

Filename(s): scan_rdpeudp

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the RDP response came on (always UDP)
  • port
    Port that the RDP response came from (usually 3389)
  • hostname
    Reverse DNS name of the device in question (if available)
  • tag
    always set to rdpeudp
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • sic
    Standard Industrial Classification System Code
  • sessionid
    The 4 byte session id that is included in the transaction
  • response_size
    Response size in bytes
  • amplification
    Amplification factor (This amplification is is based solely on the payload size sent and payload size received)

Sample

"timestamp","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","sic","sessionid","response_size","amplification"
"2010-02-10 00:00:00",192.168.0.1,udp,3389,node01.example.com,rdpeudp,64512,ZZ,Region,City,0,0,052d97ac,1232,77.00
"2010-02-10 00:00:01",192.168.0.2,udp,3389,node02.example.com,rdpeudp,64512,ZZ,Region,City,0,0,05c1afa0,1232,77.00
"2010-02-10 00:00:02",192.168.0.3,udp,3389,node03.example.com,rdpeudp,64512,ZZ,Region,City,0,0,0595b068,1232,77.00

Our 130 Report Types

« Back to Network Reporting