
  1. The packets shown are retransmissions of TCP connection attempts (the SYN flag is set) from external IPs and to the port 3389 on the local host.
  2. I'm assuming you're capturing on the host itself; different firewalls act at different points in the stack, which may or may not be before the packet is captured by the capture library (usually npcap on Windows). Do you have any evidence that the firewall isn't doing its job? Look at whatever firewall logs are available. A firewall may silently drop the incoming packet or send a TCP RST to close the connection, but there shouldn't be any TCP SYN+ACK response.
  3. Don't expose RDP to the internet. Require incoming connections to be via VPN.
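
The check described in point 2, as an added example that is not part of the original answer: it reads rows exported with `tshark -T fields` and reports, per inbound attempt to port 3389, whether the local host answered with SYN+ACK, answered with RST, or sent nothing. The sample rows are constructed (documentation address ranges), and `classify` and `capture.pcapng` are hypothetical names.

```python
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10
RDP_PORT = 3389

# Constructed sample rows, in the tab-separated layout produced by:
#   tshark -r capture.pcapng -T fields -e ip.src -e tcp.srcport \
#          -e ip.dst -e tcp.dstport -e tcp.flags
SAMPLE = (
    "203.0.113.7\t50111\t192.0.2.10\t3389\t0x0002\n"    # SYN
    "203.0.113.7\t50111\t192.0.2.10\t3389\t0x0002\n"    # SYN retransmission
    "203.0.113.7\t50111\t192.0.2.10\t3389\t0x0002\n"    # SYN retransmission
    "198.51.100.23\t41822\t192.0.2.10\t3389\t0x0002\n"  # SYN
    "192.0.2.10\t3389\t198.51.100.23\t41822\t0x0014\n"  # RST+ACK reply
    "198.51.100.99\t60001\t192.0.2.10\t3389\t0x0002\n"  # SYN
    "192.0.2.10\t3389\t198.51.100.99\t60001\t0x0012\n"  # SYN+ACK reply
)

def classify(rows, port=RDP_PORT):
    """Map (client_ip, client_port) -> (verdict, inbound_syn_count)."""
    syns = defaultdict(int)  # inbound SYNs per client socket
    reply = {}               # what the local host sent back, if anything
    for line in rows.splitlines():
        parts = line.split("\t")
        try:
            src, dst = parts[0], parts[2]
            sport, dport = int(parts[1]), int(parts[3])
            flags = int(parts[4], 16)
        except (IndexError, ValueError):
            continue  # non-TCP or malformed row
        if dport == port and flags & SYN and not flags & ACK:
            syns[(src, sport)] += 1
        elif sport == port:
            key = (dst, dport)
            if flags & SYN and flags & ACK:
                reply[key] = "accepted"   # SYN+ACK: this attempt was not blocked
            elif flags & RST and reply.get(key) != "accepted":
                reply[key] = "rejected"   # RST: attempt actively refused
    # "no_reply" with several SYNs is the retransmission pattern: the SYN was
    # captured on the host but nothing answered it (consistent with a silent drop).
    return {k: (reply.get(k, "no_reply"), n) for k, n in syns.items()}

if __name__ == "__main__":
    for client, (verdict, count) in classify(SAMPLE).items():
        print(client, verdict, f"syn_count={count}")
```

Any `accepted` row for an external address is the evidence worth comparing against the firewall logs; `no_reply` and `rejected` rows match the two behaviours the answer says a working firewall may show.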