

Portmapper is Preying on Misconfigured Servers to Amplify Attacks

September 24, 2015 — by Daniel Smith

In the constantly evolving threat landscape, attackers are always finding new ways to target their victims. In the last few years we have seen steady growth in Distributed Reflective Denial of Service (DrDoS) attacks. These attacks rely on misconfigured public servers, which provide an attacker with the bandwidth amplification needed to take down the targeted site.

More recently, attackers have been exploring different UDP protocols to generate large volumetric attacks in a different way. Just last month, the Radware Emergency Response Team (ERT) saw the rise of a new UDP-based reflection attack that abuses the RPC Portmapper service.

Portmapper, also known as portmap and RPCbind, can be used to generate a 7-28 times amplification in bandwidth. Portmapper listens on TCP and UDP port 111 and directs clients to the port number on which the requested RPC service is running. Attackers use UDP to launch these volumetric attacks because UDP is a connectionless protocol that does not validate the source IP address. This allows attackers to send packets with a spoofed source address, and the reply is delivered to that spoofed address rather than to the attacker. In a reflection attack, the packet sent back to the spoofed IP address is many times larger than the original request, and this amplification can quickly overwhelm the targeted system.

One way to measure the amplification is the Bandwidth Amplification Factor (BAF). The BAF compares the payload bytes sent in the request with the payload bytes returned in the response; the ratio is the size of the amplification. The RPC portmap attack does not provide the same amplification that CharGEN or NTP does, but it highlights a growing trend of leveraging misconfigured servers for amplification.
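As an added illustration that is not part of the original post, the following Python computes the BAF defined above from a server operator's point of view: it aggregates constructed UDP flow records for port 111 and flags the peer addresses for which this host would be acting as a reflector. The record layout, sample byte counts and thresholds are assumptions, not Radware data.

```python
from collections import defaultdict

# Constructed flow records (layout assumed, not a real collector export):
# (timestamp, peer_ip, peer_port, local_port, bytes_from_peer, bytes_to_peer)
SAMPLE_FLOWS = (
    # Two requests from an ordinary internal RPC client: small reply, low BAF.
    [("2015-08-14T10:00:01", "10.0.5.21", 38212, 111, 68, 236)] * 2
    # Six chatty but low-ratio requests from another peer.
    + [("2015-08-14T10:00:03", "203.0.113.9", 40100, 111, 68, 272)] * 6
    # Twenty identical small requests whose replies are 20x larger: the
    # classic shape of a reflector being pointed at a spoofed address.
    + [("2015-08-14T10:00:05", "198.51.100.7", 53, 111, 68, 1360)] * 20
)


def bandwidth_amplification_factor(bytes_sent: int, bytes_received: int) -> float:
    """BAF as the post defines it: payload bytes returned per payload byte sent."""
    if bytes_sent <= 0:
        raise ValueError("request size must be positive")
    return bytes_received / bytes_sent


def find_reflection_targets(flows, port=111, min_baf=7.0, min_requests=5):
    """Aggregate traffic on UDP `port` per peer IP and return the peers whose
    request count and aggregate BAF fall in the amplification band the post
    describes (7x and above). Returns {peer_ip: (requests, baf)}.

    The flagged address is the spoofed victim the replies are aimed at, not
    the attacker: UDP carries no trustworthy origin information."""
    per_ip = defaultdict(lambda: [0, 0, 0])  # requests, bytes in, bytes out
    for _ts, peer, _pport, lport, b_in, b_out in flows:
        if lport != port:
            continue
        agg = per_ip[peer]
        agg[0] += 1
        agg[1] += b_in
        agg[2] += b_out
    suspects = {}
    for peer, (count, b_in, b_out) in per_ip.items():
        baf = bandwidth_amplification_factor(b_in, b_out)
        if count >= min_requests and baf >= min_baf:
            suspects[peer] = (count, round(baf, 1))
    return suspects


if __name__ == "__main__":
    for peer, (count, baf) in find_reflection_targets(SAMPLE_FLOWS).items():
        print(f"replies to {peer}: {count} requests, BAF {baf}x")
```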

DrDoS attacks are hard to filter because the requests come from legitimate services. Radware mitigates SSDP, NTP and DNS attacks daily with much larger amplification rates than what we see with this new RPC reflection attack. In the case of the RPC reflection attack there is nothing to patch. Network operators can watch for anomalous activity and run network ingress filters. It is also recommended that you disable RPC services if they are not in use. If the service is required, filter the TCP/UDP ports of the RPC service with a firewall and limit external access.

Access control lists (ACLs) should be used as the most reliable and efficient solution for protecting the most important assets in your organization. ACLs can analyze the patterns and create signatures based on the attack, ensuring that legitimate users are not blocked. A properly tuned behavior-based Denial of Service protection (BDOS) system with the correct footprint strictness will identify the anomaly and create a signature for the attack automatically.

This is just the beginning, because many other UDP services have not yet been explored for their amplification potential. UDP amplification attacks are not going away any time soon, given how little complexity is required to perform them.

To Learn More About Other Points of Failure in DDoS Attacks, Download the 2015 Global Application & Network Security Report by the Radware ERT

Daniel Smith

Daniel Smith is an information security researcher for Radware’s Emergency Response Team. He focuses on security research and risk analysis for network- and application-based vulnerabilities. Daniel’s research focuses on Denial-of-Service attacks and includes analysis of malware and botnets. As a white-hat hacker, his expertise in tools and techniques helps Radware develop signatures and mitigations proactively for its customers.

7 comments

  • Snir Karat

    October 1, 2015 at 8:16 am

    Very interesting


  • unruh

    October 2, 2015 at 7:19 pm

    Is there any way of stopping an attack? I was filtering portmap using libwrap on my server, but the system changed to rpcbind, and the latest Linux version of rpcbind switches off tcpwrapper by default. Thus my system was open. I presume the attackers sent a few test packets to see if the system was useful for amplification, but of course thereafter, nothing comes back to them to show it is no longer working. While I feel virtuous that I am decreasing the amplification factor (every packet sent to my system now does not send anything back to the spoofed address, making those packets useless for the attacker), I would like them to stop altogether. Unfortunately UDP has no “origin” information. Is there any way of finding out where they originate?


  • hier

    December 23, 2015 at 9:56 pm

    Excellent web site you’ve got here.. It’s difficult to find quality writing like yours these days.
    I really appreciate people like you! Take care!!


  • February 2016 Blank Calendar

    February 2, 2016 at 5:57 am

    If you are going for finest contents like myself, only
    pay a visit this website all the time since it gives feature contents,
    thanks


  • March 2016 Printable Calendar

    February 9, 2016 at 7:46 am

    Thanks for your personal marvelous posting! I definitely enjoyed reading it,
    you’re a great author. I will make certain to bookmark your blog and will eventually come back later on. I want to encourage that you continue your great work,
    have a nice day!


  • download

    April 15, 2016 at 7:35 am

    Hello, the whole thing is going sound here and of course every one is sharing facts, that’s really fine, keep
    up writing.

