Portmapper is Preying on Misconfigured Servers to Amplify Attacks


In the constantly evolving threat landscape, attackers are always finding new ways to target their victims. In the last few years we have seen steady growth in Distributed Reflective Denial of Service (DrDoS) attacks. These attacks rely on misconfigured public servers, which provide an attacker with the bandwidth amplification needed to take down the targeted site.

More recently, attackers have been exploring different UDP protocols to generate large volumetric attacks in a different way. And just last month, the Radware Emergency Response Team (ERT) saw the rise of a new UDP-based reflection attack utilizing the RPC Portmapper service.

Portmapper, also known as portmap and RPCbind, can be used to generate a 7-28 times amplification in bandwidth. Portmapper runs on TCP or UDP port 111 and is the service that directs clients to the proper port number so they can communicate with the requested RPC service. Attackers use UDP to launch these volumetric attacks because UDP is a connectionless protocol that does not validate the source IP address. This allows attackers to send packets with a spoofed source IP address, and the reflected responses provide the bandwidth amplification: in a reflection attack, the packet sent back to the spoofed IP address is many times larger than the original request. This amplification can quickly overwhelm the targeted system.

One way to measure the amplification is the Bandwidth Amplification Factor (BAF), which compares the bytes of payload sent (the request) with the bytes of payload received (the response); that ratio determines the size of the amplification. The RPC portmap attack does not provide the same amplification that CharGEN or NTP does, but it highlights a growing trend of leveraging misconfigured servers for amplification.

DrDoS attacks are hard to filter because the requests come from legitimate services. Radware mitigates SSDP, NTP and DNS attacks daily with much larger amplification rates than what we see with this new RPC reflection attack. In the case of the RPC reflection attack there is nothing to patch. Network operators can watch for anomalous activity and run network ingress filters. It is also recommended that you disable RPC services if they are not in use. If the service is required, filter the TCP/UDP ports of the RPC service with a firewall and limit external access.
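The "watch for anomalous activity" advice above can be made concrete from the reflector's side: a server that is being abused sees many small UDP requests to port 111 and sends back far larger replies to the same (spoofed) address. The script below is an added example, not code from this post or from Radware; it parses a few constructed flow records (the record format, the `Flow` class and the RFC 5737 documentation addresses are all assumptions), computes the BAF per peer as the post defines it (response bytes divided by request bytes), and flags peers whose BAF reaches the 7x low end of the range the post quotes for portmapper.

```python
# Added example (not from the post or Radware): compute the Bandwidth
# Amplification Factor (BAF) of portmapper traffic seen at a server and
# flag peers that receive far more bytes than they sent, which is what a
# spoofed-source reflection attack looks like from the reflector's side.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

PORTMAP_PORT = 111
# The post quotes 7-28x for portmapper; treat anything at or above the low
# end as suspicious. A single legitimate lookup stays well below this.
BAF_ALERT_THRESHOLD = 7.0


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    nbytes: int


def parse_flow_line(line: str) -> Optional[Flow]:
    """Parse one constructed flow record of the (assumed) form
    'proto src_ip:src_port -> dst_ip:dst_port packets bytes'.
    Returns None for blank or comment-only lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    proto, src, arrow, dst, packets, nbytes = line.split()
    if arrow != "->":
        raise ValueError(f"bad flow record: {line!r}")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(proto.lower(), src_ip, int(src_port), dst_ip, int(dst_port),
                int(packets), int(nbytes))


def portmap_baf_by_peer(flows, server_ip: str) -> dict:
    """For each peer exchanging UDP with server_ip:111, return
    (bytes the peer sent us, bytes we sent the peer, BAF).
    BAF = response bytes / request bytes, as the post defines it."""
    sent_to_us = defaultdict(int)
    sent_by_us = defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue  # the reflection attack rides on UDP only
        if f.dst_ip == server_ip and f.dst_port == PORTMAP_PORT:
            sent_to_us[f.src_ip] += f.nbytes
        elif f.src_ip == server_ip and f.src_port == PORTMAP_PORT:
            sent_by_us[f.dst_ip] += f.nbytes
    result = {}
    for peer in set(sent_to_us) | set(sent_by_us):
        req = sent_to_us[peer]
        resp = sent_by_us[peer]
        # Replies with no matching request at all are the extreme case.
        baf = resp / req if req else float("inf")
        result[peer] = (req, resp, baf)
    return result


def suspected_reflection_peers(flows, server_ip: str,
                               threshold: float = BAF_ALERT_THRESHOLD) -> list:
    """Peers whose portmapper BAF meets the threshold, largest BAF first.
    From the reflector's view the 'peer' is the spoofed victim address,
    so this is the address that should be rate-limited or dropped."""
    stats = portmap_baf_by_peer(flows, server_ip)
    hits = [(peer, baf, resp) for peer, (req, resp, baf) in stats.items()
            if baf >= threshold]
    return sorted(hits, key=lambda h: h[1], reverse=True)


# Constructed flow records as seen by a server at 198.51.100.5 (RFC 5737
# documentation addresses). 203.0.113.10 plays the spoofed victim: 40 small
# requests "from" it and 40 large replies back to it.
SAMPLE_FLOWS = """
udp 203.0.113.10:40000 -> 198.51.100.5:111 40 2720
udp 198.51.100.5:111 -> 203.0.113.10:40000 40 28000
udp 192.0.2.77:51234 -> 198.51.100.5:111 1 68      # one normal lookup
udp 198.51.100.5:111 -> 192.0.2.77:51234 1 200
tcp 192.0.2.78:51235 -> 198.51.100.5:111 3 180     # TCP: ignored, not spoofable this way
"""


def load_sample_flows() -> list:
    return [f for f in map(parse_flow_line, SAMPLE_FLOWS.splitlines()) if f]


if __name__ == "__main__":
    for peer, baf, resp in suspected_reflection_peers(load_sample_flows(), "198.51.100.5"):
        print(f"{peer}: BAF {baf:.1f}, {resp} bytes sent to peer")
```

On the sample data the spoofed victim shows a BAF of about 10.3 and is the only peer flagged; the single legitimate lookup comes out below 3x. In practice the same ratio can be fed from NetFlow/IPFIX exports, and a peer that keeps appearing above threshold is a candidate for the firewall filtering on port 111 that the post recommends.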

Access control lists (ACLs) should be used as the most reliable and efficient solution for protecting the most important assets in your organization. ACLs can analyze the patterns and create signatures based on the attack, ensuring that legitimate users are not blocked. A properly tuned behavior-based Denial of Service (BDoS) protection system with the correct footprint strictness will identify the anomaly and create a signature for the attack automatically.

This is just the beginning, as many other UDP services have not yet been explored for their amplification potential. UDP amplification attacks are not going away any time soon because of how little complexity is required to perform these attacks.

To Learn More About Other Points of Failure in DDoS Attacks, Download the 2015 Global Application & Network Security Report by the Radware ERT

Daniel Smith

Daniel is the Head of Research for Radware’s Threat Intelligence division. He helps produce actionable intelligence to protect against botnet-related threats by working behind the scenes to identify network and application-based vulnerabilities. Daniel brings over ten years of experience to the Radware Threat Intelligence division. Before joining, Daniel was a member of Radware’s Emergency Response Team (ERT-SOC), where he applied his unique expertise and intimate knowledge of threat actors’ tactics, techniques, and procedures to help develop signatures and mitigate attacks proactively for customers.
