There are a lot of prl_tools.exe processes (~1000) hanging in the Virtual Machine, using a large amount of RAM. You can see them using the "RAMMAP" utility; they won't be seen via Task Manager.
In Event Viewer you can see a lot of events like the one below:
    Log Name: System
    Source: Microsoft-Windows-TerminalServices-RemoteConnectionManager
    Date: 9/30/2013 5:21:21 AM
    Event ID: 1012
    Task Category: None
    Level: Information
    Keywords: Classic
    User: N/A
    Computer: host
    Description: Remote session from client name a exceeded the maximum allowed failed logon attempts. The session was forcibly terminated.
An instance of the prl_tools process is started on each launch of winlogon inside the Virtual Machine. Thus, on each login attempt a new prl_tools instance is started. Normally it is closed when the RDP session is closed; however, when the Virtual Machine is under a DDoS attack, the prl_tools process might not be able to exit gracefully and therefore might be unable to free its handles, causing high memory usage in the VM.
Parallels Tools behavior under DDoS should be improved in the scope of request PSBM-23129.
This Parallels Tools behavior will be improved in one of the future releases. Meanwhile, please secure your host from DDoS attacks. There are a few options to do this:
- Configure firewall rules for the RDP port (the default port number is 3389) and allow connections only from trusted hosts.
- Change the RDP port from the default 3389 to a custom one, known only to the owner of the Virtual Machine; follow this MS article: How to change the listening port for Remote Desktop.
- Enable Network Level Authentication (NLA) as described in this MS article: Configure Network Level Authentication. This allows you to survive the load caused by attacks, because with NLA enabled Windows doesn't spawn prl_tools processes on each login attempt: the processes are started only after authorization has passed.
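
To check a guest for the symptom and for the settings listed above, the following added example (not Parallels code) counts Event ID 1012 per hour and reports the RDP port and NLA state. The 24-hour window and the per-hour threshold are assumptions; the registry paths are the standard Windows locations for the RDP listener and its Group Policy override.

```powershell
# Added example (not Parallels code). Run inside the Windows guest, elevated.
$since        = (Get-Date).AddHours(-24)  # look-back window (assumption)
$perHourAlert = 20                        # flag threshold (assumption; tune per VM)

# 1. Event ID 1012 from the provider shown in the event above, counted per hour.
#    Each event is one RDP session terminated after repeated failed logons.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager'
    Id           = 1012
    StartTime    = $since
} -ErrorAction SilentlyContinue

if ($events) {
    $events |
        Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
        Sort-Object Name |
        Select-Object @{ n = 'Hour';  e = { $_.Name } },
                      @{ n = 'Count'; e = { $_.Count } },
                      @{ n = 'Flag';  e = { if ($_.Count -ge $perHourAlert) { 'HIGH' } else { '' } } } |
        Format-Table -AutoSize | Out-String
} else {
    'No Event ID 1012 entries in the look-back window.'
}

# 2. RDP listener settings that the mitigations above change.
$listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$rdp      = Get-ItemProperty -Path $listener

# A Group Policy value, when present, overrides the listener's own setting.
$nla = $rdp.UserAuthentication
if (Test-Path $policy) {
    $gpo = (Get-ItemProperty -Path $policy).UserAuthentication
    if ($null -ne $gpo) { $nla = $gpo }
}

New-Object PSObject -Property @{
    RdpPort     = $rdp.PortNumber                # 3389 unless changed
    DefaultPort = ($rdp.PortNumber -eq 3389)
    NlaRequired = ($nla -eq 1)                   # 1 = NLA enforced before logon UI
}
```

Hours flagged HIGH while NlaRequired is False match the condition described above, where each unauthenticated login attempt starts a prl_tools instance.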