Ask Your Question

RDP attacks

asked 2020-10-25 11:02:28 +0000

Deliaware gravatar image

updated 2020-10-25 12:39:32 +0000

grahamb gravatar image

Hi All

I'm new and a novice for the most part - so apologies but need a steer. I have windows servers and have changed the RDP port from the standard 3389 to a different port (the sample below is using 3389). I have disable 3389 on the windows Firewall and created a rule for the new port which has restricted access to my IP address under scope firewall rule. I run RDP Guard which bans IP's after failed RDP.I have tested a RDP log in form and authorised IP and watched it on Wireshark and could see the TLS1.2 handshake and connection in progress as I would have expected. So after all that I see some attempts to connect to my new port (changed in sample below to normal port) from a BAD IP

128868  2020-10-25 09:22:53.034068   TCP 66  [TCP Retransmission] 56259 → 3389 [SYN, ECN, CWR] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1

367363  2020-10-25 09:34:58.729097   TCP 62  [TCP Retransmission] 51067 → 3389 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1

I have obfuscated my IP above and there has been no visible a reply from my side back to these IPs

So my questions are?

A. What does the wire shark string above actually mean?

B. I have the port restricted to just my own IP under firewall rule (scope) then should the foreign IP even be getting past the Firewall(FW) settings, I thought the FW would be blocking it before getting in and that I should not see it on Wireshark?

C. what else do you recommend to enforce my security ?

Thanks DW

edit retag flag offensive close merge delete

1 Answer

Sort by » oldest newest most voted

answered 2020-10-25 12:49:09 +0000

grahamb gravatar image
  1. The packets shown are retransmissions of TCP connection attempts (the SYN flag is set) from external IPs and to the port 3389 on the local host.
  2. I'm assuming you're capturing on the host itself, different firewalls act at different points in the stack which may or may not be before the packet is captured by the capture library (usually npcap on Windows). Do you have any evidence that the firewall isn't doing it's job? Look at whatever firewall logs are available. A firewall may silently drop the incoming packet or send a TCP RST to close the connection, but there shouldn't be any TCP SYN+ACK response.
  3. Don't expose RDP to the internet. Require incoming connections to be via VPN.
edit flag offensive delete link more


  1. I think the firewall is working but get a bit paranoid when I see something odd especially from IP that are listed abuse IP's. Yes using NPCAP. The only reference I have is similar to what I posted above, there are several attempts from various IP's with exact same format. Its just Windows Firewall been used, do you think that Wireshark Npcap is capturing before the FW

Thanks for your reply and help

Deliaware gravatar imageDeliaware ( 2020-10-25 12:55:52 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2020-10-25 11:02:28 +0000

Seen: 589 times

Last updated: Oct 25 '20