Flow-based detection of RDP brute-force attacks

The Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a remote access to a computer over a network connection. Recently, we have seen an increase in attacks on Microsoft Windows remote desktop connection authentication. Current detection methods are based on event log analysis or the Account Lockout Policy used in Windows domain networks. However, the methods are applicable only in environment where the devices are under control of the network administrator. We propose attacks detection method based on the network-based approach which provides host independency and highly scalability. The network flow data provides sufficient information about communication of two nodes in network, even though the communication is encrypted. Currently we are able to determine whether a detected IP flow is ordinary remote desktop session or single authentication with a small ratio of false-positive detection. An analysis was based on the network flow data collected in the Masaryk University network and host-based data from logs of a server with opened Remote Desktop Connection. These data helped us to improve the flow detection using the information gathered from the server event log. Despite the fact that RDP is encrypted, flow data gives us a sufficient amount of information to determine whether the connection is an authentication or regular remote desktop session. We implemented the attacks detection as a plugin for the widely used NfSen collector. The plugin is involved in the active defense of the network of Masaryk University. In two months, the plugin detected nearly two million of authentication attempts and reported 3,430 RDP authentication attacks. Despite the fact that attackers IP address was blocked for two days, many of them continued or repeated the attack after the block had been lifted. An analysis of the frequency with which the attackers returned, suggests the suitable duration of settings of blocking of attackers.