Reflection DDoS Attacks Abusing RPC Portmapper
msm1267 writes: Attackers have figured out how to use Portmapper, or RPC Portmapper, in reflection attacks where victims are sent copious amounts of responses from Portmapper servers, saturating bandwidth and keeping websites and web-based services unreachable. Telecommunications and Internet service provider Level 3 Communications of Colorado spotted anomalous traffic on its backbone starting in mid-June, almost as beta runs of the attacks that were carried out Aug. 10-12 against a handful of targets in the gaming and web hosting industries. There are 1.1 million Portmapper servers accessible online, and those open servers can be abused to similar effect as NTP servers were two years ago in amplification attacks.
Who the FUCK leaves RPC open to the internet! (Score:3, Insightful)
See subject.
Re: (Score:2)
Retarded windows admins.
Actually, this is ONC RPC, originally developed by Sun, not DCE RPC, originally developed by Apollo, adopted by the OSF, and then adopted by Microsoft, but I guess there are Windows boxes offering NFS or some other ONC RPC-based service (or providing clients for those services and, for some unknown reason, running the portmapper even if they're not offering any such services, but I digress).
Re: (Score:3)
Actually, this is ONC RPC, originally developed by Sun, not DCE RPC, originally developed by Apollo, adopted by the OSF, and then adopted by Microsoft, but I guess there are Windows boxes offering NFS or some other ONC RPC-based service (or providing clients for those services and, for some unknown reason, running the portmapper even if they're not offering any such services, but I digress).
Gesundheit.
Re: (Score:1)
Lol. Firewall. You really are stretching the imagination there with a world where everyone who faces a machine to the Internet really has the know-how to do it properly.
You kill me.
You call that secure (Score:3, Funny)
Who the FUCK leaves RPC open to the internet!
You think you're secure. I only allow internet traffic once every seven minutes for six sec...NO CARRIER
Re: (Score:2)
Re: (Score:2)
TCP Port 110 or 143, but preferably 995 or 993. TCP Port 465 if you want any kind of email security. Though it is quite easy to read documentation and get all the ports that are needed internally and externally:
https://support.prolateral.com... [prolateral.com]
If it was Exchange RPC, I would say that the admins are morons, but I don't know anything about NIS RPC being used by these Unix systems.
Re: (Score:1)
debian linux
Re: (Score:3)
debian linux
My firewall runs Debian, and I'm not seeing any crazy outgoinNO CARRIER
It was a dark and stormy night (Score:2)
During that fateful September twenty five years ago. Oh, how I howl at the moon for the politeness and professionalism of CompuServe!
Filtering (Score:2)
Re:Filtering (Score:4, Informative)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Yes, though it might also break things for larger customers who have more than one ISP, whose IP ranges should at least ostensibly be advertised as routable through both networks. Mind you, that's a fairly small percentage of users out there, so yes, the default policy for such traffic should almost certainly be "drop".
Of course, you could do the port blocking at the ISP level and be done with it. IMO, an ISP should port filter everything into the ground by default; a customer should have to explicitly r
Re: (Score:2)
No. My ISP should be a big dumb pipe until I say otherwise. It shouldn't be touching my traffic, ever.
Re: (Score:2)
Your traffic, yes. The average user's traffic, no. The average computer user has Windows file sharing turned on for the root volume, with the relevant ports wide open to the outside world, and with an empty admin password.
Unfortunately, the vast majority of people are simply not equipped to protect their own networks, and need their ISPs to do it for them. As long as that is the case, network connections that allow unfiltered inbound traffic should be by request, not by default. If you know enough to a
Re: (Score:2)
The only annoyance I am aware of is if they need to restart their internal network, your DHCP lease may be invalidated and suddenly you no longer have Internet access until you clear your lease and negotiate a new one. It has happ
Should not be exposed to the Internet (Score:3)
If you're exposing any ports to the Internet that are not absolutely necessary for the general unknown public to communicate with you, you're an idiot.
Web ports? Yes, if necessary.
Email ports? Yes, if necessary.
VPN ports? Yes, if necessary.
Anything else just SHOULDN'T be. And certainly never anything along the lines of RPC, CIFS, etc.
Re: (Score:3)
Ye be wanting to use a cat9 cable for that, me laddie.
Egress filtering (Score:3)
Re: (Score:1)
.. or ENTER their network. You should ALWAYS inspect and filter what your idiot customers send you.
Re: (Score:2)