Reflection DDoS Attacks Abusing RPC Portmapper

msm1267 writes: Attackers have figured out how to use Portmapper, or RPC Portmapper, in reflection attacks where victims are sent copious amounts of responses from Portmapper servers, saturating bandwidth and keeping websites and web-based services unreachable. Telecommunications and Internet service provider Level 3 Communications of Colorado spotted anomalous traffic on its backbone starting in mid-June almost as beta runs of attacks that were carried out Aug. 10-12 against a handful of targets in the gaming and web hosting industries. There are 1.1 million Portmapper servers accessible online, and those open servers can be abused to similar effect as NTP servers were two years ago in amplification attacks.

  • by Anonymous Coward on Wednesday August 19, 2015 @07:58PM (#50350925)

    See subject.

    • Who the FUCK leaves RPC open to the internet!

      You think you're secure. I only allow internet traffic once every seven minutes for six sec...NO CARRIER

    • Morons that put their Windows servers behind the DMZ. Otherwise you have to port-forward, and I can't imagine why it would be anything other than 80, 443, and maybe 3389 (RDP for terminal services) and 25 for Exchange.

      • TCP Port 110 or 143, but preferably 995 993. TCP Port 465 if you want any kind of email security. Though it is quite easy to read documentation and get all the ports that are needed internally and externally:

        https://support.prolateral.com... [prolateral.com]

        If it was Exchange RPC, I would say that the admins are morons, but I don't know anything about NIS RPC being used by these Unix systems.

    • by Anonymous Coward

      debian linux

  • During that fateful September twenty five years ago. Oh, how I howl at the moon for the politeness and professionalism of CompuServe!

  • But that amplified traffic will always come from port 111, right? Seems easy to filter.
    • Re:Filtering (Score:4, Informative)

      by dgatwood ( 11270 ) on Wednesday August 19, 2015 @09:15PM (#50351251) Homepage Journal
      In case you're not joking, the problem is that by the time it reaches the customer premises equipment (your router), it has already wasted bandwidth on the slowest link (the one between the home/business and the ISP). So if you are the target, the damage is already done before you can filter it. That's why amplification attacks have to be prevented by blocking the ports of the systems participating in the amplification, rather than by blocking ports at the victim's site.
      • Or by ISPs dropping packets claiming to come from a netblock the ISP does not route. That would end all these spoofing attacks once and for all and would involve fixing many fewer machines.
        • by dgatwood ( 11270 )

          Yes, though it might also break things for larger customers who have more than one ISP, whose IP ranges should at least ostensibly be advertised as routable through both networks. Mind you, that's a fairly small percentage of users out there, so yes, the default policy for such traffic should almost certainly be "drop".

          Of course, you could do the port blocking at the ISP level and be done with it. IMO, an ISP should port filter everything into the ground by default; a customer should have to explicitly r

          • No. My ISP should be a big dumb pipe until I say otherwise. It shouldn't be touching my traffic, ever.

            • by dgatwood ( 11270 )

              Your traffic, yes. The average user's traffic, no. The average computer user has Windows file sharing turned on for the root volume, with the relevant ports wide open to the outside world, and with an empty admin password.

              Unfortunately, the vast majority of people are simply not equipped to protect their own networks, and need their ISPs to do it for them. As long as that is the case, network connections that allow unfiltered inbound traffic should be by request, not by default. If you know enough to a

        • by Bengie ( 1121981 )
          Even easier than that. Modern edge network devices (modems, ONTs, etc.) for residential broadband to be limited to their assigned IPs from the DHCP server. They already have DHCP server reflection going on, all the modem does is monitor the DHCP traffic and update an internal list.

          The only annoyance I am aware of is if they need to restart their internal network, your DHCP lease may be invalidated and suddenly you no longer have Internet access until you clear your lease and negotiate a new one. It has happ
  • by ledow ( 319597 ) on Wednesday August 19, 2015 @09:39PM (#50351333) Homepage

    If you're exposing any ports to the Internet that are not absolutely necessary for the general unknown public to communicate with you, you're an idiot.

    Web ports? Yes, if necessary.
    Email ports? Yes, if necessary.
    VPN ports? Yes, if necessary.

    Anything else just SHOULDN'T be. And certainly never anything along the lines of RPC, CIFS, etc.

  • by laughingskeptic ( 1004414 ) on Thursday August 20, 2015 @10:05AM (#50353615)
    This attack requires spoofed IPs, yet I don't see Level3 committing to egress filtering or even mentioning egress filtering as a mitigation for this sort of attack. Why do ISPs allow bad packets to leave their network?
    • by Cramer ( 69040 )

      .. or ENTER their network. You should ALWAYS inspect and filter what your idiot customers send you.

    • by Bengie ( 1121981 )
      Level 3 is a transit provider. Source IPs from other networks leaving their network is the norm.
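
Added example, not part of any comment above and not Level 3's or any ISP's code: a sketch of the source-address validation the thread debates, where an access port forwards only packets whose source lies in the prefixes assigned to (or, for multihomed customers, registered by) that customer, while transit ports are left unvalidated. Port names, prefixes and packets are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample data using documentation prefixes (RFC 5737).
# Per access port: prefixes the ISP assigned, plus prefixes a multihomed
# customer registered from its other provider.
PORT_PREFIXES = {
    "cust-residential": ["203.0.113.16/32"],
    "cust-multihomed": ["198.51.100.0/24", "192.0.2.0/25"],
}
# Transit ports carry sources from other networks, so a per-port
# allow-list cannot be applied there.
TRANSIT_PORTS = {"transit-1"}

def build_table(port_prefixes):
    """Parse prefix strings once into ip_network objects."""
    return {port: [ipaddress.ip_network(p) for p in nets]
            for port, nets in port_prefixes.items()}

def check_source(table, port, src):
    """Return 'forward', 'drop' or 'unfiltered' for one source address."""
    if port in TRANSIT_PORTS:
        return "unfiltered"
    addr = ipaddress.ip_address(src)
    allowed = table.get(port, [])  # unknown port: nothing allowed, so drop
    return "forward" if any(addr in net for net in allowed) else "drop"

def filter_packets(table, packets):
    """Apply the check to (port, src, dst) tuples; count drops per port."""
    forwarded, drops = [], Counter()
    for port, src, dst in packets:
        if check_source(table, port, src) == "drop":
            drops[port] += 1  # a non-zero count flags a port sending spoofed sources
        else:
            forwarded.append((port, src, dst))
    return forwarded, drops

SAMPLE_PACKETS = [  # constructed
    ("cust-residential", "203.0.113.16", "198.51.100.9"),  # assigned address
    ("cust-residential", "192.0.2.200", "198.51.100.9"),   # not assigned
    ("cust-multihomed", "192.0.2.10", "203.0.113.16"),     # registered second prefix
    ("cust-multihomed", "192.0.2.200", "203.0.113.16"),    # outside registered /25
    ("transit-1", "192.0.2.200", "203.0.113.16"),          # transit: not validated
]

if __name__ == "__main__":
    forwarded, drops = filter_packets(build_table(PORT_PREFIXES), SAMPLE_PACKETS)
    print(len(forwarded), "forwarded; drops per port:", dict(drops))
```

The per-port drop counter doubles as a detection signal: a customer port with a non-zero count is emitting packets with sources it was never assigned.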
