There have been a lot of RDP brute-force/DDoS attacks over the last 3 or 4 weeks, many more than usual, and this is a problem.

While the attacker can’t log on, too many incoming RDP connections on a VPS can freeze the remote desktop service, which means the legitimate user can’t log on either. These attacks are not sophisticated: at some point the attacker locks himself out, as the volume of requests he sends freezes the RDP service, so he can’t send any more requests…

The VPSes are “unmanaged”, which means it’s the end user’s job to secure their RDP access, but not all of them have the IT security skills and knowledge required to do this. It makes more sense for us to deal with it.

So the solution we’ve put in place is to add an external firewall between the VPS and its private network:

– this firewall blocks incoming connections from the countries the attacks come from (Russia, Ukraine, China, …) and allows incoming connections from what we consider “safe countries” (USA, Canada, Western Europe, Australia, New Zealand, …)

– attacks can still come from these “safe countries”, so we also detect suspicious incoming connections and block the specific networks they come from (a good example is a Dutch network which keeps sending brute-force RDP attacks)

– the VPS firewall is still useful and has to stay active, both as a second security layer and because it’s required by the security tool we install by default (which blocks the IP address of anyone who tries to log on several times with the wrong credentials). The Windows firewall alone is not effective against the recent brute-force attacks, which are more a kind of DDoS: the attacker never reaches the point where credentials are entered, so a tool that only reacts to failed logons never sees anything to block
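As an added example that is not part of the original post (it is neither the tool installed by default nor the firewall’s rule set, and the connection records, thresholds and time window in it are constructed assumptions), the Python below replays the same RDP connection log through two detectors: a failed-logon counter, which is the logic behind the usual “block after N wrong passwords” tools, and a connection-rate counter that aggregates per /24 network. The flood never reaches the credential prompt, so only the second detector fires:

```python
"""Added example: why a failed-logon blocker misses an RDP connection flood.

Two detectors run over the same constructed connection records:
  * failed_logon_blocker: counts failed logons (what a Windows 4625 event
    would show) per source IP, the logic of "block after N wrong passwords".
  * connection_rate_blocker: counts TCP connections to 3389 per source /24
    inside a sliding window, whether or not a logon was ever attempted.
Everything below (addresses, timings, thresholds) is constructed for the
example; it is not the provider's tool or firewall configuration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed records: (timestamp, source IP, kind).  kind is "connect" for a
# TCP connection to 3389 that never sent credentials, "failed_logon" for a
# wrong-password attempt.
SAMPLE_EVENTS = []
_t0 = datetime(2021, 5, 1, 10, 0, 0)
# Legitimate user: three connections in a minute, one password typo.
SAMPLE_EVENTS += [(_t0 + timedelta(seconds=s), "203.0.113.7", "connect") for s in (0, 30, 60)]
SAMPLE_EVENTS.append((_t0 + timedelta(seconds=31), "203.0.113.7", "failed_logon"))
# Flood from one /24: 120 connections in 60 seconds spread over four hosts,
# none of which get as far as entering credentials.
for i in range(120):
    host = f"198.51.100.{10 + (i % 4)}"
    SAMPLE_EVENTS.append((_t0 + timedelta(seconds=i / 2), host, "connect"))
SAMPLE_EVENTS.sort(key=lambda e: e[0])


def failed_logon_blocker(events, threshold=5):
    """Block a source IP after `threshold` failed logons.  Returns the set of blocked IPs."""
    failures = defaultdict(int)
    blocked = set()
    for _, src, kind in events:
        if kind == "failed_logon":
            failures[src] += 1
            if failures[src] >= threshold:
                blocked.add(src)
    return blocked


def connection_rate_blocker(events, threshold=50, window=timedelta(seconds=60), prefix=24):
    """Block a source network once it opens `threshold` connections inside `window`.

    Aggregating per /prefix network rather than per host is what lets a whole
    range be blocked, and catches an attacker rotating addresses inside it.
    Returns the set of blocked networks as strings, e.g. "198.51.100.0/24".
    """
    recent = defaultdict(deque)  # network -> connection timestamps still inside the window
    blocked = set()
    for ts, src, kind in events:
        if kind != "connect":
            continue
        net = ip_network(f"{src}/{prefix}", strict=False)
        q = recent[net]
        q.append(ts)
        while q and ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            blocked.add(str(net))
    return blocked


def is_blocked(src, blocked_networks):
    """True if `src` falls inside any network the rate detector has blocked."""
    addr = ip_address(src)
    return any(addr in ip_network(n) for n in blocked_networks)


if __name__ == "__main__":
    print("failed-logon blocker blocks:", failed_logon_blocker(SAMPLE_EVENTS) or "nothing")
    print("connection-rate blocker blocks:", connection_rate_blocker(SAMPLE_EVENTS))
```

Run it with python3: the failed-logon detector blocks nothing, because the flood never produces a failed logon, while the rate detector blocks the whole 198.51.100.0/24 range after its 50th connection. That per-network aggregation is the same idea as blocking the Dutch network mentioned above instead of chasing individual addresses.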

Consequences for the end-user:

– no restart of the machine is required, everything is done online. There is a network disconnection of a few seconds as the VPS gets a new default gateway, but that’s all

– the IP address has changed: once the old address has expired from your DNS cache this is 100% transparent. If it hasn’t yet, the end user can simply run “ipconfig /flushdns” on their Windows laptop/desktop to reach the machine by its usual name again

– as the IP address has changed, software like TradeStation may ask you to register the new IP again

– if the end user is travelling in a blocked country, we can allow that specific country to access their specific VPS, or the user can connect through our VPN servers (which are in the USA and Europe)

All these changes have now been made:

– if a user was locked out, we put their machine behind the firewall in real time (well, within a few minutes 😉)

– the other machines were moved during a Saturday

While we’re reluctant to add complexity to any infrastructure (more parts in an engine -> more risk of failure), the changes were made slowly and carefully and no negative impact was found.