DDoS Attacks || Parallels Security Tips

DDoS Attacks

There is a possible risk that attackers can perform a distributed denial-of-service (DDoS) attack on your environment. The objective of a DDoS attack is to prevent legitimate users from accessing your farm; it is a typical attack on server environments.

What is a DDoS Attack?

A distributed denial-of-service (DDoS) attack is a common malicious attempt to disrupt the traffic of a targeted server, service or network by flooding the target or its surrounding infrastructure with a mass of Internet traffic. DDoS attacks achieve their effect by using multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices. At a high level, a DDoS attack is like a traffic jam clogging up a highway, preventing regular traffic from arriving at its destination.

How to Detect If Your Parallels RAS Farm Is Under Attack

Typical scenario: suddenly your users are not able to log in to the Parallels RAS farm. To troubleshoot this issue, open Controller.log (located on the PA, path C:\ProgramData\Parallels\RASLogs) and check for messages like the ones below:

[I 06/0000003E] Mon May 22 10:37:00 2018 – Native RDP LB Connection from Public IP x.x.x.x, Private IP xxx.xxx.xx.xx, on gateway xxx.xxx.xx.xx, Using Default Rule

[I 06/00000372] Mon May 22 10:37:00 2018 – CLIENT_IDLESERVER_REPLY UserName hello@DOMAIN, ClientName , AppName , PeerIP xxx.xxx.xx.xx, GatewayIP xxx.xx.x.xx, Server , Direct , desktop 0

[I 05/0000000E] Mon May 22 10:37:00 2018 – Maximum amount of sessions reached.

[I 06/00000034] Mon May 22 10:37:00 2018 – Resource LB User ‘hello’ No Servers Available!

[W 06/00000002] Mon May 22 10:37:00 2018 – Request for “” by User hello, Client, Address xxx.xxx.xx.xx, was not served error code 14.

In the example above, the RDP port is under a DDoS attack: connections arrive until the session limit is reached, and subsequent user requests are refused with error code 14.
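As an added example (not part of this Parallels article), the following Python script applies the check just described to constructed Controller.log lines: it counts RDP connection attempts per public IP inside a sliding time window and tallies the session-exhaustion messages, so a flood from a single source stands out against normal logins. The window and threshold values are assumptions to tune for your farm.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the Controller.log format shown above (RFC 5737 documentation
# addresses, not real hosts): 203.0.113.10 opens eight RDP connections in eight seconds,
# 198.51.100.7 is one normal login, then the farm reports session exhaustion.
SAMPLE_LOG = "\n".join(
    [f"[I 06/0000003E] Mon May 22 10:37:{i:02d} 2018 - Native RDP LB Connection from Public IP "
     f"203.0.113.10, Private IP 10.0.0.5, on gateway 10.0.0.2, Using Default Rule" for i in range(8)]
    + ["[I 06/0000003E] Mon May 22 10:37:01 2018 - Native RDP LB Connection from Public IP "
       "198.51.100.7, Private IP 10.0.0.5, on gateway 10.0.0.2, Using Default Rule",
       "[I 05/0000000E] Mon May 22 10:37:08 2018 - Maximum amount of sessions reached.",
       "[I 06/00000034] Mon May 22 10:37:08 2018 - Resource LB User 'hello' No Servers Available!",
       '[W 06/00000002] Mon May 22 10:37:08 2018 - Request for "" by User hello, Client, '
       "Address 203.0.113.10, was not served error code 14."])

# "[level id] Weekday Mon DD HH:MM:SS YYYY - message"; the dash may be "-" or an en dash.
LINE_RE = re.compile(r"^\[(?P<lvl>[IWE]) [^\]]+\] \w{3} (?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})"
                     r" [-\u2013] (?P<msg>.*)$")
CONN_RE = re.compile(r"Native RDP LB Connection from Public IP (\S+),")
EXHAUSTION = ("Maximum amount of sessions reached", "No Servers Available", "error code 14")

def parse(log_text):
    """Return (timestamp, message) tuples for well-formed lines, sorted by time."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%b %d %H:%M:%S %Y"), m["msg"]))
    return sorted(events)

def analyse(log_text, window_s=10, threshold=5):
    """Flag public IPs with >= threshold RDP connections in any window_s-second span."""
    conns, exhaustion = defaultdict(list), 0
    for ts, msg in parse(log_text):
        c = CONN_RE.search(msg)
        if c:
            conns[c.group(1)].append(ts)
        elif any(k in msg for k in EXHAUSTION):
            exhaustion += 1
    flooding, window = {}, timedelta(seconds=window_s)
    for ip, times in conns.items():            # times are already sorted
        start = peak = 0
        for end, t in enumerate(times):        # sliding window over timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flooding[ip] = peak
    return {"flooding_ips": flooding, "exhaustion_events": exhaustion}

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))  # {'flooding_ips': {'203.0.113.10': 8}, 'exhaustion_events': 3}
```

Run it against a copy of the real Controller.log by replacing SAMPLE_LOG with the file contents; the IPs it reports are candidates for blocking at the firewall or gateway, not proof on their own.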

Firewall and Intrusion Prevention System (IPS) protection

A firewall is a standalone device or software that is designed and configured to block undesired ports on your infrastructure. However, specific ports such as 80, 53, 25 and 443 are open by default because they are the connection points for desired service delivery traffic. DDoS attacks target these open ports and therefore pass through the firewall unhindered. Moreover, attacks described as "volumetric flood attacks" exploit the firewall itself by filling it up with unwanted traffic, so it has less capacity to forward legitimate traffic.

An Intrusion Prevention System (IPS) is deployed deeper in the network, typically behind the firewall. It is designed to prevent typical intrusions such as server exploits, code injections, cross-site scripting attempts, and more by performing deep packet inspection (DPI). If an IPS has to process DDoS traffic in addition to legitimate traffic, it will struggle to keep up with inspecting the high throughput, and it becomes a bottleneck. An IPS is designed to inspect and allow only legitimate traffic, which is why it is located behind the firewall.

Security Recommendations

To defend your servers from the Parallels RAS side, we strongly recommend restricting RDP access so that it is only reachable through the Parallels Secure Client Gateway port.

However, please note that this kind of attack is not specific to Parallels RAS and needs to be addressed by your security/infrastructure department.

