Accessible MS-RDPEUDP

Microsoft RDPEUDP is an extension that allows UDP transport for the Microsoft Remote Desktop Protocol (RDP) service, which by default uses TCP port 3389.

Exposed RDPEUDP services can be used as reflectors in DDoS amplification attacks. The response to the initial request packet is amplified ~28 times, with the protocol sending that response 3 times. As of January 2021, this service has been found to be abused in ongoing network attacks.

The scan was first announced in a January 25th 2021 blog entry here.

For more information on our scanning efforts, check out our Internet scanning summary page.

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the RDP response came on (always UDP)
  • port
    Port that the RDP response came from (usually 3389)
  • hostname
    Reverse DNS name of the device in question (if available)
  • tag
    Always set to rdpeudp
  • asn
    ASN in which the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • sic
    Standard Industrial Classification System Code
  • sessionid
    The 4-byte session ID that is included in the transaction

Sample

"timestamp","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","sic","sessionid"
"2021-01-20 13:18:51","104.207.x.x","udp",3389,"104.207.vultr.com","rdpeudp",20473,"US","ILLINOIS","ELK GROVE VILLAGE",518210,,"05d459c3"
"2021-01-20 13:18:51","87.237.x.x","udp",3389,"87.237.static.ip.etc.uz","rdpeudp",39032,"UZ","TASHKENT CITY","TASHKENT",0,,05344769
"2021-01-20 13:18:52","79.143.x.x","udp",3389,"x.contaboserver.net","rdpeudp",51167,"DE","BAYERN","MUNICH",518210,,"05e43b25"
"2021-01-20 13:18:52","106.13.x.x","udp",3389,,"rdpeudp",38365,"CN","ZHEJIANG SHENG","LISHUI",518210,,"055f5d9a"
"2021-01-20 13:18:54","104.166.x.x","udp",3389,,"rdpeudp",46261,"US","CALIFORNIA","LOS ANGELES",518210,,"05cbbe23"
"2021-01-20 13:18:55","213.32.x.x","udp",3389,"ip126.ip-213.eu","rdpeudp",16276,"FR","HAUTS-DE-FRANCE","ROUBAIX",518210,,"05af765f"
"2021-01-20 13:18:57","5.193.x.x","udp",3389,,"rdpeudp",5384,"AE","SHARJAH","SHARJAH",517311,,"05cc7d27"
"2021-01-20 13:18:58","106.55.x.x","udp",3389,,"rdpeudp",45090,"CN","BEIJING SHI","HAIDIAN",518210,,"05db34aa"
"2021-01-20 13:18:58","129.211.x.x","udp",3389,,"rdpeudp",45090,"CN","BEIJING SHI","HAIDIAN",518210,,"05fd24d9"
"2021-01-20 13:18:59","122.228.x.x","udp",3389,,"rdpeudp",134771,"CN","ZHEJIANG SHENG","WENZHOU",517311,,05186877
"2021-01-20 13:19:01","129.232.x.x","udp",3389,,"rdpeudp",37153,"ZA","WESTERN CAPE","DURBANVILLE",0,,"057c5ade"
"2021-01-20 13:19:01","91.200.x.x","udp",3389,,"rdpeudp",30823,"DE","HESSEN","FRANKFURT AM MAIN",0,,"05170df9"
