RDPDICT - RDP Attack
- Last Updated: May 1, 2026
- Flowmon Anomaly Detection System documentation
Method description
This method detects attempts to guess a username or password for the Remote Desktop service (TCP/3389). It builds a persistent tree of attackers and victims and reports an event when the number of login attempts from a single IP address exceeds a limit (20 by default, or the value of the AttackAttempts option). Entries in the tree are kept for the period defined by the TimeWindow parameter. The method can also detect a distributed attack: each single attacker must then make at least as many attempts on a single victim as the product of the PartOfAttack and AttackAttempts parameters. Detection can be tightened by requiring a minimum number of attacked targets with the MinTargets parameter. If the RDP service is also provided on non-standard ports, list them in the ObscurePorts parameter. If the flow source fills in TCP flags correctly (Flowmon probes do so by default), the AnalyzeTCPFlags parameter makes the method's output more accurate.
With this method, an ongoing attack can be detected promptly and the attacker blocked before the password is guessed. If there is a longer gap between the attacker's activities (more than 30 minutes, or the value of the AttackHole option), the attack from a single IP address may be reported as several separate attacks.
This method consists of the following submethod:
- General: Reports the password-guessing attacks (dictionary or brute-force based) on an RDP server.
Method configuration
It is recommended to apply this method to all IP addresses and monitor not only the attacks against your servers but also the attacks from your network to the Internet. The right place for traffic monitoring is the central switch and the Internet connection line.
Method parameters
- AttackAttempts: The minimum number of login attempts from one attacker on the RDP service required to generate an event.
- AttackHole: The duration in seconds since the last login attempt after which the attack is marked as finished.
- MinTargets: The minimum number of attack targets required to generate an event.
- ObscurePorts: Comma-separated list of port numbers (other than 3389) on which the RDP service is provided in the monitored network.
- PartOfAttack: The fraction of the AttackAttempts value required to generate an event when a previously reported attack target is attacked by a different attacker.
- TimeWindow: The time period for which login attempt statistics are stored for each victim (until the attack is detected).
- MaxBPP: The maximum bytes-per-packet value of a flow for it to be considered an authentication attempt. A value of zero disables this metric.
- MaxPackets: The maximum number of packets in a flow for it to be considered an authentication attempt. A value of zero disables this metric.
- MaxDuration: The maximum duration of a flow in seconds for it to be considered an authentication attempt. A value of zero disables this metric.
- AnalyzeTCPFlags: Activates inspection of TCP flags in flow data, which makes the detection algorithm more accurate.
Assigned filter
Only flows whose source or destination IP address matches the assigned filter will be processed.
Interpretation of results
The results of this method are relatively straightforward: the method detects a dictionary attack on the RDP service. This may indicate an attacker trying to gain unauthorized access to the service, or a misconfigured device that keeps trying to authenticate to the service unsuccessfully.