This article originally appeared at The WHIR
Web hosts, gaming web hosts, and internet infrastructure providers are becoming unknowing participants in a new type of amplified Distributed-Denial-of-Service attack that has been used to amplify DDoS attacks to around 20 times their original size on average.
The DDoS vector that uses the Portmapper service to amplify DDoS traffic appeared last month, according to a blog post this week from security researchers at Level 3.
Portmapper (also known as rpcbind, portmap or RPC Portmapper) tells a client which port on the server to use for the service it is requesting. It is the mechanism that makes Remote Procedure Call services reachable from the open internet.
Portmapper can run on both TCP and UDP port 111. In these attacks, attackers send a spoofed request via UDP to receive an amplified response. Level 3 tested this exploit by sending 68 byte queries, which resulted in responses ranging from 486 bytes to 1930 bytes, an amplification factor of between 7 and 27 times.
Portmapper DDoS amplification works in a similar way to other known amplified (or reflective) DDoS attacks that use standard UDP accessible internet services. Some others include Chargen (which uses UDP port 19), Netbios (UDP port 139) and SSDP (UDP port 1900).
Level 3 has seen the use of this Portmapper DDoS amplification vector increase since its appearance in late June.
“Clearly the success of using this method for attacks is growing aggressively,” Level 3 writes. “However, when Portmapper’s global traffic use is compared with the other popular UDP services, it is clear that the global volume of traffic is still small…. [I]t is a great time to begin filtering requests and removing reflection hosts from the internet before the attack popularity grows larger and causes more damage.”
Level 3 recommends server administrators review their publicly available internet services, and disable Portmapper along with NFS, NIS and all other RPC services across the open internet. Services that need to remain available should sit behind firewalls that block unauthorized IP addresses, or switch from UDP to TCP-only.
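The two checks an operator wants here, as an added example that is not the article's or Level 3's code: a pass over per-host flow records for the reflection pattern the article describes (many small UDP/111 queries bearing one source address, answered with far more bytes than they carried), and an allowlist check of the kind a firewall in front of a service that must stay reachable would enforce. The flow records, addresses and the 10.0.0.0/8 allowlist are constructed sample data, not captured traffic.

```python
"""Spot Portmapper (UDP/111) reflection abuse in flow records and apply an
allowlist check like the one a host firewall would enforce.

Added example; not from the article or from Level 3. All records below are
constructed sample data."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

PORTMAP_PORT = 111

# Constructed flow records: (direction, peer_ip, proto, port, bytes, packets).
# "in" is traffic arriving at this host on the given port, "out" is the reply it sent.
SAMPLE_FLOWS = (
    [
        # Legitimate client on the local network: one small query, one modest answer.
        ("in", "10.0.0.25", "udp", 111, 68, 1),
        ("out", "10.0.0.25", "udp", 111, 300, 1),
    ]
    # Forty spoofed queries claiming to come from 198.51.100.7 (constructed victim
    # address); the server dutifully answers each with a large reply.
    + [("in", "198.51.100.7", "udp", 111, 68, 1) for _ in range(40)]
    + [("out", "198.51.100.7", "udp", 111, 1930, 2) for _ in range(40)]
    + [
        # Unrelated TCP traffic on the same port, which the check must ignore.
        ("in", "203.0.113.9", "tcp", 111, 120, 2),
        ("out", "203.0.113.9", "tcp", 111, 480, 2),
    ]
)


def amplification_factor(request_bytes, response_bytes):
    """Bytes sent back per byte received; anything above 1 amplifies."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


def reflection_candidates(flows, min_requests=20, min_factor=5.0):
    """Return {peer_ip: (request_count, factor)} for peers that look like spoofed
    victims: many UDP/111 queries 'from' one address, answered with far more bytes.

    A single small query with a larger answer is normal Portmapper behaviour; the
    signal is volume from one apparent source combined with a high byte ratio."""
    in_bytes = defaultdict(int)
    out_bytes = defaultdict(int)
    requests = defaultdict(int)
    for direction, peer, proto, port, nbytes, packets in flows:
        if proto != "udp" or port != PORTMAP_PORT:
            continue
        if direction == "in":
            in_bytes[peer] += nbytes
            requests[peer] += packets
        else:
            out_bytes[peer] += nbytes
    flagged = {}
    for peer, count in requests.items():
        if count < min_requests or in_bytes[peer] == 0:
            continue
        factor = out_bytes[peer] / in_bytes[peer]
        if factor >= min_factor:
            flagged[peer] = (count, round(factor, 1))
    return flagged


# Constructed allowlist: only the internal network may reach the RPC service.
ALLOWED_NETS = [ip_network("10.0.0.0/8")]


def permitted(src_ip, allowed=ALLOWED_NETS):
    """Mirror the firewall recommendation: a query to port 111 is accepted only
    when its source falls inside an allowlisted network."""
    addr = ip_address(src_ip)
    return any(addr in net for net in allowed)


if __name__ == "__main__":
    for peer, (count, factor) in reflection_candidates(SAMPLE_FLOWS).items():
        print(f"possible reflection victim {peer}: {count} queries, x{factor} bytes out")
    for src in ("10.0.0.25", "198.51.100.7"):
        print(f"{src}: {'allowed' if permitted(src) else 'blocked'}")
```

The flagged address is the apparent source, which in a reflection attack is the victim rather than the attacker; the operator's action is to stop answering it (and, per the recommendation above, to stop exposing UDP/111 at all), not to treat that address as hostile.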
However, a host or infrastructure provider that locks down their own servers can’t account for servers run by other providers that have not secured themselves. Even if they’re not participants in amplified DDoS attacks, hosts can still be targets of DDoS attacks, and need to have the proper mitigation technologies in place.
“Disabling or blocking internet facing RPCbind/portmap services is a trivial task on any single system, but it is unlikely to occur anytime soon on the potentially millions of vulnerable systems accessible on the internet today,” Ashley Stephenson, CEO of security firm Corero, said in a statement provided to The WHIR. “In the meantime, organizations, regardless of industry, can protect themselves against RPCbind/portmap amplification with real-time DDoS defense mechanisms, designed to detect and defeat these types of attack before they can impact their networks, or their customers.”