HIGH: Accessible MS-RDPEUDP

DESCRIPTION LAST UPDATED: 2023-12-27

DEFAULT SEVERITY LEVEL: HIGH

Microsoft RDPEUDP is an extension to allow UDP transport for Microsoft Remote Desktop Protocol service (RDP), which by default uses TCP port 3389.

Exposed RDPEUDP services can be used as reflectors in DDoS amplification attacks. The response to the initial request packet is amplified ~28 times, with the protocol sending that response 3 times. As of January 2021, this service has been found to be abused in ongoing network attacks.

The scan was first announced in a January 25th 2021 blog entry here.

You can track latest MS RDPEUDP exposure on our Dashboard.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page.

Filename(s): scan_rdpeudp

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the RDP response came on (always UDP)
  • port
    Port that the RDP response came from (usually 3389)
  • hostname
    Reverse DNS name of the device in question (if available)
  • tag
    always set to rdpeudp
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • sessionid
    The 4 byte session id that is included in the transaction
  • response_size
    Response size in bytes
  • amplification
    Amplification factor (This amplification is is based solely on the payload size sent and payload size received)
  • sector
    Sector the IP belongs to

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","sessionid","response_size","amplification","sector"
"2010-02-10 00:00:00",high,192.168.0.1,udp,3389,node01.example.com,rdpeudp,64512,ZZ,Region,City,0,,05588963,1232,77.00,
"2010-02-10 00:00:01",high,192.168.0.2,udp,3389,node02.example.com,rdpeudp,64512,ZZ,Region,City,0,,055b45ce,1232,77.00,"Communications, Service Provider, and Hosting Service"
"2010-02-10 00:00:02",high,192.168.0.3,udp,3389,node03.example.com,rdpeudp,64512,ZZ,Region,City,0,,05a86c52,1232,77.00,

Our 135 Report Types

« Back to Network Reporting