Portmapper is Preying on Misconfigured Servers to Amplify Attacks


In the constantly evolving threat landscape, attackers are always finding new ways to target their victims. In the last few years we have seen steady growth in Distributed Reflective Denial of Service (DrDoS) attacks. These attacks rely on misconfigured public servers, which provide an attacker with the bandwidth amplification needed to take down the targeted site.

More recently, attackers have been exploring different UDP protocols to generate large volumetric attacks in a different way. Just last month, the Radware Emergency Response Team (ERT) saw the rise of a new UDP-based reflection attack utilizing the RPC Portmapper service.

Portmapper, also known as portmap and RPCbind, can be used to generate a 7-28 times amplification in bandwidth. Portmapper runs on TCP or UDP port 111; it is the service that directs clients to the port number on which the requested RPC service is listening. Attackers use UDP to launch these volumetric attacks because UDP is a connectionless protocol that does not validate the source IP address. This allows attackers to send packets with a spoofed source address, so the reply is delivered to the spoofed address rather than to the sender. In a reflection attack, the packet sent back to the spoofed IP address is many times larger than the original request, and this amplification can quickly overwhelm the targeted system.

One way to measure the amplification is the Bandwidth Amplification Factor (BAF): the ratio of the payload bytes received by the target to the payload bytes sent by the attacker. This ratio determines the size of the amplification. The RPC portmap attack does not provide the same amplification that CharGEN or NTP does, but it highlights a growing trend of leveraging misconfigured servers for amplification.
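As an added defender-side example (not code from this post or from Radware), the following Python computes the BAF described above for each reflector/client pair from NetFlow-style records of UDP port 111 traffic and flags pairs whose ratio and reply volume look like portmapper reflection; the flow records, byte sizes and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed NetFlow-style records for a host 192.0.2.5 running portmapper.
# Tuple layout: (src_ip, src_port, dst_ip, dst_port, proto, bytes).
# Sizes are illustrative, not measurements from the post.
FLOWS = [
    # Three small UDP queries to port 111 whose source is spoofed as the victim
    ("198.51.100.10", 40000, "192.0.2.5", 111, "udp", 68),
    ("198.51.100.10", 40000, "192.0.2.5", 111, "udp", 68),
    ("198.51.100.10", 40000, "192.0.2.5", 111, "udp", 68),
    # Three large replies reflected to the spoofed address
    ("192.0.2.5", 111, "198.51.100.10", 40000, "udp", 1492),
    ("192.0.2.5", 111, "198.51.100.10", 40000, "udp", 1492),
    ("192.0.2.5", 111, "198.51.100.10", 40000, "udp", 1492),
    # A legitimate query with a small reply
    ("203.0.113.7", 51000, "192.0.2.5", 111, "udp", 68),
    ("192.0.2.5", 111, "203.0.113.7", 51000, "udp", 92),
    # TCP traffic on port 111 is ignored by the UDP-only check
    ("203.0.113.8", 52000, "192.0.2.5", 111, "tcp", 3000),
]

def compute_baf(flows, port=111):
    """Return {(reflector, client): BAF} for UDP traffic on `port`.

    BAF = bytes the reflector sent to the client / bytes the client sent
    to the reflector, using flow byte counts to approximate payload bytes.
    """
    sent = defaultdict(int)   # client -> reflector
    recv = defaultdict(int)   # reflector -> client
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dport == port:
            sent[(dst, src)] += nbytes
        elif sport == port:
            recv[(src, dst)] += nbytes
    return {k: recv[k] / sent[k] for k in recv if sent[k] > 0}

def flag_reflection(flows, port=111, min_baf=7.0, min_reply_bytes=4096):
    """Sorted (reflector, client) pairs whose BAF and reply volume look like
    reflection. 7x is the low end of the range quoted for portmapper; the
    byte floor avoids flagging a single benign lookup with a biggish answer."""
    reply_total = defaultdict(int)
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto == "udp" and sport == port:
            reply_total[(src, dst)] += nbytes
    baf = compute_baf(flows, port)
    return sorted(k for k, v in baf.items()
                  if v >= min_baf and reply_total[k] >= min_reply_bytes)
```

Against the constructed records the spoofed pair scores a BAF of about 21.9 and is flagged, while the legitimate lookup at about 1.4 is not.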

DrDoS attacks are hard to filter because the requests come from legitimate services. Radware mitigates SSDP, NTP and DNS attacks daily with much larger amplification rates than we see with this new RPC reflection attack. In the case of the RPC reflection attack there is nothing to patch. Network operators can watch for anomalous activity and run network ingress filters. It is also recommended that you disable RPC services if they are not in use. If the service is required, filter the TCP/UDP ports of the RPC service with a firewall and limit external access.

Access control lists (ACLs) should be used as the most reliable and efficient solution for protecting the most important assets in your organization. ACLs can analyze the patterns and create signatures based on the attack, ensuring that legitimate users are not blocked. A properly tuned behavior-based Denial of Service (BDOS) protection system with the correct footprint strictness will identify the anomaly and create a signature for the attack automatically.

This is just the beginning, since many other UDP services have not yet been explored for their amplification potential. UDP amplification attacks are not going away any time soon because of how little complexity is required to perform them.

To Learn More About Other Points of Failure in DDoS Attacks, Download the 2015 Global Application & Network Security Report by the Radware ERT

7 COMMENTS

  1. Is there any way of stopping an attack? I was filtering portmap using libwrap on my server, but the system changed to rpcbind, and the latest Linux version of rpcbind switches off tcpwrapper by default. Thus my system was open. I presume the attackers sent a few test packets to see if the system was useful for amplification, but of course thereafter, nothing comes back to them to show it is no longer working. While I feel virtuous that I am decreasing the amplification factor (every packet sent to my system now does not send anything back to the spoofed address, making those packets useless for the attacker), I would like them to stop altogether. Unfortunately UDP has no “origin” information. Is there any way of finding out where they originate?

  2. Thanks for your personal marvelous posting! I definitely enjoyed reading it, you’re a great author. I will make certain to bookmark your blog and will eventually come back later on. I want to encourage that you continue your great work, have a nice day!
