
On an RDP server, the "Resource Monitor" system app shows network connectivity by process in the "Overview" tab under "Network" section. In this section, I see an SvcHost process on TCP port 3389 for each active and authenticating RDP connection, including connections that fail authentication.

When I test a dictionary attack or DDoS on port 3389 to my test server, I see all of my connections popping in and out of Resource Monitor, so it looks like this would be a good way to log incoming RDP requests, and start collecting data on botnet sources. (I also collect Audit Event Logs from TerminalServer and Security Event Logs - see my other post here - Digging into DDoS Attacks...)

I'm curious if and how the RemoteIP associated with the SvcHost process can be spoofed. Is there a way to detect if these IPs are spoofed? Can an RDP connection be established via a spoofed IP?

How reliable is the remote IP in Resource Monitor?

turkinator

1 Answer

how the RemoteIP associated with the SvcHost process can be spoofed

In TCP, you can't really spoof an IP address and use the connection. The TCP handshake requires a three way handshake where packets are exchanged between the two endpoints. If you have spoofed the remote IP address (i.e., written a fake or incorrect IP into the IP header) the handshake will fail. So, the bad actor client sends your server spoofed packets (inbound SYN), your server replies with a SYN_ACK, but sends the SYN_ACK to some random place. If it arrives, the machine that receives it will wonder WTF this is doing randomly showing up there, and just discard it.

Spoofed IPs are useful for DDoS attacks (to hide the source), amplification (to bombard a target), etc...

But they are not useful if you're trying to get a connection and hide where you are.

Is there a way to detect if these IPs are spoofed?

Not really. The only time I have seen that it was easy to detect spoofed IP requests (or what I surmise are spoofed IP requests) is looking at a firewall where there is a burst of inbound SYN packets, which get a SYN_ACK sent out, but an ACK is never received.

Can an RDP connection be established via a spoofed IP?

Depends on your definition of spoofed IP. If you mean an IP address that is not associated with the attacker, then no.

If you mean an IP address that conceals an attacker, then yes. They can MiTM themselves, use VPNs, proxies, and a number of other technologies to obfuscate their actual IP addresses.

P.S. - One other thing that you need to be aware of in terms of "can a spoofed IP establish a connection" ... RDP uses crypto to secure the connection. This involves the exchange of keys in order to encrypt the data, which is another handshake that has to work. So, our TCP/IP setup requires a handshake. Key exchange for the crypto requires a handshake. You can't do all that with fake IPs. It has to be an actual machine that is ready, willing, and waiting to fulfill its half of all the requests.

How reliable is the remote IP in Resource Monitor?

It's reading the IP address from the IP header of the traffic. So, it's as reliable as that header is.

DrDamnit
  • Excellent explanation, which led me to this link http://tcpipguide.com/free/t_TCPOperationalOverviewandtheTCPFiniteStateMachineF-2.htm, and helps me better understand at which points in the TCP connection states I can assume good and bad IPs. +1 – turkinator Aug 10 '17 at 20:54
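The answer's reasoning (a forged source address can receive a SYN but never the SYN-ACK, so the flow is stuck half-open, while a completed handshake proves a real host sits at that address) and the detection it describes (a burst of SYNs answered with SYN-ACK but never ACKed) can be turned into a small defender-side check. The following Python is an added example written for this page, not code from the question, the answer, or any Microsoft tool. It assumes a packet capture already reduced to (source, destination, flags) records; the server address, the client addresses and the packet sequence below are constructed sample data from the IETF documentation ranges, and the function and state names are this example's own.

```python
"""Server-side TCP handshake tracker for port 3389.

Which remote IPs completed the three-way handshake (and therefore really
received our SYN-ACK) versus which only ever leave half-open flows behind.
Added example; the packets below are constructed, not captured.
"""
from collections import defaultdict
from dataclasses import dataclass

SERVER_IP = "192.0.2.1"   # constructed: the RDP server (documentation range)
RDP_PORT = 3389


@dataclass(frozen=True)
class Packet:
    """One TCP packet, reduced to the fields the tracker needs."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # "S" = SYN, "SA" = SYN-ACK, "A" = ACK, "R" = RST


def track_handshakes(packets, server_ip=SERVER_IP, server_port=RDP_PORT):
    """Server-side view of the handshake, keyed by (client IP, client port).

    SYN_SEEN      client SYN arrived, our SYN-ACK not observed yet
    SYN_RECEIVED  we answered with SYN-ACK; a spoofed source stays here
                  forever, because the SYN-ACK went to someone else
    ESTABLISHED   the client ACKed our SYN-ACK, so that IP really got it
    RESET         the peer tore the flow down
    """
    states = {}
    for p in packets:
        if p.dst == server_ip and p.dport == server_port:
            key = (p.src, p.sport)
            if p.flags == "S":
                states[key] = "SYN_SEEN"
            elif p.flags == "A" and states.get(key) == "SYN_RECEIVED":
                states[key] = "ESTABLISHED"
            elif "R" in p.flags:
                states[key] = "RESET"
        elif p.src == server_ip and p.sport == server_port and p.flags == "SA":
            key = (p.dst, p.dport)
            if states.get(key) == "SYN_SEEN":
                states[key] = "SYN_RECEIVED"
    return states


def summarize_by_ip(states):
    """Count completed and half-open flows per remote address."""
    summary = defaultdict(lambda: {"established": 0, "half_open": 0})
    for (ip, _port), state in states.items():
        if state == "ESTABLISHED":
            summary[ip]["established"] += 1
        elif state == "SYN_RECEIVED":
            summary[ip]["half_open"] += 1
    return dict(summary)


def verified_peers(summary):
    """IPs with at least one completed handshake: a real host at that
    address received our SYN-ACK, so the header address was not forged."""
    return sorted(ip for ip, c in summary.items() if c["established"] > 0)


def suspected_spoofed(summary, min_half_open=3):
    """IPs that only ever leave half-open flows.  One stalled flow can be
    packet loss; a burst with no completions matches the firewall pattern
    the answer describes (SYN in, SYN-ACK out, no ACK back)."""
    return sorted(ip for ip, c in summary.items()
                  if c["established"] == 0 and c["half_open"] >= min_half_open)


# Constructed sample traffic (documentation-range addresses).
SAMPLE_PACKETS = [
    # a genuine RDP client completes the handshake
    Packet("203.0.113.10", 50000, SERVER_IP, RDP_PORT, "S"),
    Packet(SERVER_IP, RDP_PORT, "203.0.113.10", 50000, "SA"),
    Packet("203.0.113.10", 50000, SERVER_IP, RDP_PORT, "A"),
    # three SYNs claiming to be 198.51.100.7; our SYN-ACKs are never ACKed
    Packet("198.51.100.7", 40001, SERVER_IP, RDP_PORT, "S"),
    Packet(SERVER_IP, RDP_PORT, "198.51.100.7", 40001, "SA"),
    Packet("198.51.100.7", 40002, SERVER_IP, RDP_PORT, "S"),
    Packet(SERVER_IP, RDP_PORT, "198.51.100.7", 40002, "SA"),
    Packet("198.51.100.7", 40003, SERVER_IP, RDP_PORT, "S"),
    Packet(SERVER_IP, RDP_PORT, "198.51.100.7", 40003, "SA"),
    # a single stalled flow from 198.51.100.8: not enough evidence by itself
    Packet("198.51.100.8", 40010, SERVER_IP, RDP_PORT, "S"),
    Packet(SERVER_IP, RDP_PORT, "198.51.100.8", 40010, "SA"),
]

if __name__ == "__main__":
    flows = track_handshakes(SAMPLE_PACKETS)
    per_ip = summarize_by_ip(flows)
    print("verified peers:", verified_peers(per_ip))
    print("suspected spoofed sources:", suspected_spoofed(per_ip))
```

The split between "verified" and "suspected" is the practical takeaway for the question asked above: an address that appears in Resource Monitor for a connection that reached the ESTABLISHED state (and went on to the RDP key exchange) is the address of a machine that genuinely received the server's packets, whereas addresses that only ever produce half-open flows should not be fed into a botnet-source list as if they were confirmed. The threshold in suspected_spoofed is a tuning knob; the interesting signal is the ratio of half-open to completed flows over a short window, not any single stalled connection.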