Slashdot Mirror


Reflection DDoS Attacks Abusing RPC Portmapper

msm1267 writes: Attackers have figured out how to use Portmapper, or RPC Portmapper, in reflection attacks where victims are sent copious amounts of responses from Portmapper servers, saturating bandwidth and keeping websites and web-based services unreachable. Telecommunications and Internet service provider Level 3 Communications of Colorado spotted anomalous traffic on its backbone starting in mid-June almost as beta runs of attacks that were carried out Aug. 10-12 against a handful of targets in the gaming and web hosting industries. There are 1.1 million Portmapper servers accessible online, and those open servers can be abused to similar effect as NTP servers were two years ago in amplification attacks.

34 comments

  1. Who the FUCK leaves RPC open to the internet! by Anonymous Coward · · Score: 3, Insightful

    See subject.

    1. Re:Who the FUCK leaves RPC open to the internet! by buckfeta2014 · · Score: 0, Flamebait

      Retarded windows admins.

      --
      Buck Feta. You know what to do.
    2. Re:Who the FUCK leaves RPC open to the internet! by Guy+Harris · · Score: 1

      Retarded windows admins.

      Actually, this is ONC RPC, originally developed by Sun, not DCE RPC, originally developed by Apollo, adopted by the OSF, and then adopted by Microsoft, but I guess there are Windows boxes offering NFS or some other ONC RPC-based service (or providing clients for those services and, for some unknown reason, running the portmapper even if they're not offering any such services, but I digress).

    3. Re:Who the FUCK leaves RPC open to the internet! by Anonymous Coward · · Score: 0

      There really is no reason to do this. Ever.

    4. Re:Who the FUCK leaves RPC open to the internet! by Anonymous Coward · · Score: 0

      That is what I was trying to figure out.

      Don't you usually firewall everything off except what you *really* want outside? RPC would not be at the top of my list to let out in the open... Be it the Windows or Unix ver...

    5. Re:Who the FUCK leaves RPC open to the internet! by Etherwalk · · Score: 2

      Actually, this is ONC RPC, originally developed by Sun, not DCE RPC, originally developed by Apollo, adopted by the OSF, and then adopted by Microsoft, but I guess there are Windows boxes offering NFS or some other ONC RPC-based service (or providing clients for those services and, for some unknown reason, running the portmapper even if they're not offering any such services, but I digress).

      Gesundheit.

    6. Re:Who the FUCK leaves RPC open to the internet! by Anonymous Coward · · Score: 0

      Retarded windows admins.

      read and learn
      http://www.tldp.org/HOWTO/NIS-HOWTO/portmapper.html

    7. Re:Who the FUCK leaves RPC open to the internet! by DigiShaman · · Score: 1

      Morons that put their Windows servers behind the DMZ. Otherwise you have to port-forward, and I can't imagine why it would be anything other than 80, 443, and maybe 3389 (RDP for terminal services) and 25 for Exchange.

      --
      Life is not for the lazy.
    8. Re:Who the FUCK leaves RPC open to the internet! by Anonymous Coward · · Score: 1

      debian linux

    9. Re:Who the FUCK leaves RPC open to the internet! by drinkypoo · · Score: 2

      debian linux

      My firewall runs Debian, and I'm not seeing any crazy outgoinNO CARRIER

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    10. Re:Who the FUCK leaves RPC open to the internet! by Coren22 · · Score: 1

      TCP Port 110 or 143, but preferably 995 993. TCP Port 465 if you want any kind of email security. Though it is quite easy to read documentation and get all the ports that are needed internally and externally:

      https://support.prolateral.com...

      If it was Exchange RPC, I would say that the admins are morons, but I don't know anything about NIS RPC being used by these Unix systems.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    11. Re:Who the FUCK leaves RPC open to the internet! by Anonymous Coward · · Score: 1

      Lol. Firewall. You really are stretching the imagination there with a world where everyone who faces a machine to the Internet really has the know-how to do it properly.

      You kill me.

  2. It was a dark and stormy night by fustakrakich · · Score: 2

    During that fateful September twenty five years ago. Oh, how I howl at the moon for the politeness and professionalism of CompuServe!

    --
    “He’s not deformed, he’s just drunk!”
  3. You call that secure by Etherwalk · · Score: 2, Funny

    Who the FUCK leaves RPC open to the internet!

    You think you're secure. I only allow internet traffic once every seven minutes for six sec...NO CARRIER

  4. Filtering by manu0601 · · Score: 1

    But that amplified traffic will always come from port 111, right? Seems easy to filter.

    1. Re:Filtering by dgatwood · · Score: 3, Informative

      In case you're not joking, the problem is that by the time it reaches the customer premises equipment (your router), it has already wasted bandwidth on the slowest link (the one between the home/business and the ISP). So if you are the target, the damage is already done before you can filter it. That's why amplification attacks have to be prevented by blocking the ports of the systems participating in the amplification, rather than by blocking ports at the victim's site.

      --
      Check out my sci-fi/humor trilogy at PatriotsBooks.
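As an added illustration of the two comments above (not code from the thread or from Level 3): the victim cannot recover the bandwidth already burned on its access link by filtering port 111, but the victim's upstream can still recognise the pattern in flow records, and any network can find the open portmappers it hosts that are being used as reflectors. The flow-line format, the documentation-range addresses and the thresholds are all constructed for this example.

```python
"""Spot UDP portmapper (port 111) reflection traffic in flow records.

Constructed example: the flow-line format, addresses and thresholds below are
assumptions made for this illustration, not a real collector's output.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PORTMAPPER_PORT = 111


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    octets: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow line: 'TIMESTAMP SRC:SPORT > DST:DPORT PROTO PKTS BYTES'."""
    _ts, src, _arrow, dst, proto, pkts, octets = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(src_ip, int(sport), dst_ip, int(dport), proto.upper(), int(pkts), int(octets))


def find_reflection_targets(flows, our_prefix, min_reflectors=3, min_avg_octets=300):
    """Hosts in our_prefix receiving UDP/111 replies from many outside hosts.

    Reflection shows up as many distinct sources, all with source port 111,
    sending large packets to one destination that never asked them anything.
    Returns {victim: (distinct_reflectors, total_octets)}.
    """
    net = ip_network(our_prefix)
    by_dst = defaultdict(lambda: {"reflectors": set(), "packets": 0, "octets": 0})
    for f in flows:
        if f.proto != "UDP" or f.sport != PORTMAPPER_PORT:
            continue
        if ip_address(f.src) in net or ip_address(f.dst) not in net:
            continue  # only replies coming from outside toward our own hosts
        entry = by_dst[f.dst]
        entry["reflectors"].add(f.src)
        entry["packets"] += f.packets
        entry["octets"] += f.octets
    targets = {}
    for dst, entry in by_dst.items():
        avg = entry["octets"] / entry["packets"]
        if len(entry["reflectors"]) >= min_reflectors and avg >= min_avg_octets:
            targets[dst] = (len(entry["reflectors"]), entry["octets"])
    return targets


def find_exposed_portmappers(flows, our_prefix):
    """Hosts in our_prefix answering from UDP/111 to addresses outside it.

    Those are portmappers reachable from the Internet, i.e. reflectors that
    someone else's attack can use; they are the systems to firewall or disable.
    """
    net = ip_network(our_prefix)
    exposed = set()
    for f in flows:
        if (f.proto == "UDP" and f.sport == PORTMAPPER_PORT
                and ip_address(f.src) in net and ip_address(f.dst) not in net):
            exposed.add(f.src)
    return sorted(exposed)


# Constructed sample records (documentation address ranges, not real traffic).
# Our network is 203.0.113.0/24; 203.0.113.5 is being flooded by four outside
# portmappers, and 203.0.113.77 is one of our own hosts answering the world.
SAMPLE_FLOW_LINES = """\
2015-08-11T10:00:01 198.51.100.11:111 > 203.0.113.5:40000 UDP 5 5000
2015-08-11T10:00:01 198.51.100.12:111 > 203.0.113.5:40000 UDP 5 5100
2015-08-11T10:00:02 198.51.100.13:111 > 203.0.113.5:40000 UDP 4 4200
2015-08-11T10:00:02 198.51.100.14:111 > 203.0.113.5:40000 UDP 6 6300
2015-08-11T10:00:02 198.51.100.53:53 > 203.0.113.7:5353 UDP 1 120
2015-08-11T10:00:03 198.51.100.9:111 > 203.0.113.8:1024 UDP 1 100
2015-08-11T10:00:03 192.0.2.44:6000 > 203.0.113.77:111 UDP 3 200
2015-08-11T10:00:03 203.0.113.77:111 > 192.0.2.44:6000 UDP 3 3000
2015-08-11T10:00:04 203.0.113.9:111 > 203.0.113.10:700 UDP 1 300
""".splitlines()
SAMPLE_FLOWS = [parse_flow(line) for line in SAMPLE_FLOW_LINES]

if __name__ == "__main__":
    print("reflection targets:", find_reflection_targets(SAMPLE_FLOWS, "203.0.113.0/24"))
    print("exposed portmappers:", find_exposed_portmappers(SAMPLE_FLOWS, "203.0.113.0/24"))
```

The single port-111 reply to 203.0.113.8 and the internal rpcbind traffic between 203.0.113.9 and .10 are deliberately left unflagged: one small reply from one host is ordinary RPC, and a portmapper that only talks to its own subnet is not a reflector. The thresholds are the knobs a practitioner would tune against real flow volumes.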

    2. Re:Filtering by kylemonger · · Score: 1

      Or by ISPs dropping packets claiming to come from a netblock the ISP does not route. That would end all these spoofing attacks once and for all and would involve fixing many fewer machines.

    3. Re:Filtering by Anonymous Coward · · Score: 0

      That was suggested more than 10 years ago. It's a simple fix, at least for less central ASes.

      Somehow people couldn't be motivated to care... I just don't understand this business.

    4. Re:Filtering by dgatwood · · Score: 1

      Yes, though it might also break things for larger customers who have more than one ISP, whose IP ranges should at least ostensibly be advertised as routable through both networks. Mind you, that's a fairly small percentage of users out there, so yes, the default policy for such traffic should almost certainly be "drop".

      Of course, you could do the port blocking at the ISP level and be done with it. IMO, an ISP should port filter everything into the ground by default; a customer should have to explicitly request that his or her connection be fully open to incoming requests. Doing so would have basically the same effect as blocking based on source address, but you'd just have a short list of open incoming ports (22, 80, 443, and the ephemeral range, give or take) instead of a potentially long list of IP ranges.

      --
      Check out my sci-fi/humor trilogy at PatriotsBooks.

    5. Re:Filtering by Zocalo · · Score: 1

      This approach (it's officially known as BCP 38) is meant to be applied at the *edge* of the network, where it will do the most good - in other words at the first capable hop from the CPE or co-lo server, which is usually the modem bank, DSLAM or some other form of edge switch/router, so the filtering load can be split across more hardware devices and the subnets involved are far simpler to understand. Aside from a few issues with dual-homed hosts with their own AS, implementation at that stage is generally trivial even on most home routers, let alone ISP edge equipment, so there are not really all that many excuses for not doing so.

      If a customer-facing ISP allows spoofed traffic to get to their core before filtering, let alone anywhere near somewhere doing BGP peering, then they will be dealing with aggregated traffic from multiple subnets, making the task much harder, and will have missed the chance to protect their own customers from attacking each other. In an ideal world where everyone does BCP 38 at the edge (which will never happen due to lack of clue, apathy, etc.), the transit and backbone parts of the Internet shouldn't even need to bother with BCP 38, since the traffic will already be clean of spoofed traffic before it gets onto that part of the network.

      --
      UNIX? They're not even circumcised! Savages!
    6. Re:Filtering by Anonymous Coward · · Score: 0

      Yep. So if you're with an IP that has metered downloads, the only thing you can do is try and change your ip.

    7. Re:Filtering by KingMotley · · Score: 1

      No. My ISP should be a big dumb pipe until I say otherwise. It shouldn't be touching my traffic, ever.

    8. Re: Filtering by Anonymous Coward · · Score: 0

      ^ this.

      It is our job to protect our networks, not the ISPs.

    9. Re:Filtering by dgatwood · · Score: 1

      Your traffic, yes. The average user's traffic, no. The average computer user has Windows file sharing turned on for the root volume, with the relevant ports wide open to the outside world, and with an empty admin password.

      Unfortunately, the vast majority of people are simply not equipped to protect their own networks, and need their ISPs to do it for them. As long as that is the case, network connections that allow unfiltered inbound traffic should be by request, not by default. If you know enough to ask, you probably know enough to set it up correctly, and if you don't, you probably aren't missing anything by being limited to the handful of end-user server-like apps that support NAT-PMP.

      --
      Check out my sci-fi/humor trilogy at PatriotsBooks.

    10. Re:Filtering by Bengie · · Score: 1

      Even easier than that. Modern edge network devices (modems, ONTs, etc.) for residential broadband can be limited to their assigned IPs from the DHCP server. They already have DHCP server reflection going on; all the modem does is monitor the DHCP traffic and update an internal list.

      The only annoyance I am aware of is if they need to restart their internal network, your DHCP lease may be invalidated and suddenly you no longer have Internet access until you clear your lease and negotiate a new one. It has happened to me a few times. The ISP could get around this by remote cycling the Ethernet port off then on, since most computers will renegotiate DHCP on physical link loss.

  5. What OS are these million boxes running? by Anonymous Coward · · Score: 0

    Are these all "old" Solaris boxes at universities?

    Are they Linux installs at people's homes?

    Are they ...??

    Or is it a collective mix?

  6. Should not be exposed to the Internet by ledow · · Score: 2

    If you're exposing any ports to the Internet that are not absolutely necessary for the general unknown public to communicate with you, you're an idiot.

    Web ports? Yes, if necessary.
    Email ports? Yes, if necessary.
    VPN ports? Yes, if necessary.

    Anything else just SHOULDN'T be. And certainly never anything along the lines of RPC, CIFS, etc.

    1. Re:Should not be exposed to the Internet by Anonymous Coward · · Score: 0

      I motion that people who can't lern2firewall be publicly whipped with a length of cat5.

    2. Re:Should not be exposed to the Internet by BlackHawk-666 · · Score: 2

      Ye be wanting to use a cat9 cable for that me laddie.

      --
      All those moments will be lost in time, like tears in rain.
  7. Egress filtering by laughingskeptic · · Score: 2

    This attack requires spoofed IPs, yet I don't see Level3 committing to egress filtering or even mentioning egress filtering as a mitigation for this sort of attack. Why do ISPs allow bad packets to leave their network?

    1. Re:Egress filtering by Cramer · · Score: 1

      .. or ENTER their network. You should ALWAYS inspect and filter what your idiot customers send you.

    2. Re:Egress filtering by Bengie · · Score: 1

      Level 3 is a transit provider. Source IPs from other networks leaving their network is the norm.
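The source-address validation that Zocalo's BCP 38 comment and Bengie's DHCP-lease comment in the Filtering thread describe, and that this Egress filtering thread argues about, reduces to one per-port decision. The simulation below is an added example written for this page, not anything from the thread, Level 3 or any router vendor; the port names, prefixes and addresses are constructed. It covers the three cases the thread raises: a customer port validated against its assigned prefix plus a registered dual-homed prefix (dgatwood's multi-ISP customer), a residential port bound to whatever address DHCP handed out, and a transit port where, as Bengie notes, traffic sourced from other networks is the norm and prefix-based validation does not apply.

```python
"""Simulate BCP 38 style source-address validation at ISP edge ports.

Constructed example: port names, prefixes and addresses are assumptions made
for this illustration, not any real network's configuration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class EdgePort:
    """One edge interface and the source addresses legitimately sourced behind it."""
    name: str
    validate: bool = True                              # False on transit/peering ports
    assigned: list = field(default_factory=list)       # prefixes we allocated to this customer
    documented: list = field(default_factory=list)     # customer-owned (dual-homed) prefixes, registered on request
    leases: set = field(default_factory=set)           # addresses learned from DHCP for residential CPE


def learn_lease(port: EdgePort, addr: str) -> None:
    """Residential model: the edge device watches DHCP and permits only the leased address."""
    port.leases.add(ip_address(addr))


def release_lease(port: EdgePort, addr: str) -> None:
    """Lease expired or the ISP reset its network: the address is invalid until renewed."""
    port.leases.discard(ip_address(addr))


def validate_source(port: EdgePort, src: str) -> str:
    """Return 'forward' if src may legitimately arrive on this port, otherwise 'drop'."""
    if not port.validate:
        return "forward"          # transit: we cannot know every prefix behind the far side
    try:
        addr = ip_address(src)
    except ValueError:
        return "drop"             # not even a parsable address
    if addr in port.leases:
        return "forward"
    for prefix in port.assigned + port.documented:
        if addr in ip_network(prefix):
            return "forward"
    return "drop"                 # spoofed, private, or another customer's space


def apply_policy(port: EdgePort, sources) -> dict:
    """Classify a batch of packet source addresses seen on one port."""
    verdicts = {"forward": [], "drop": []}
    for src in sources:
        verdicts[validate_source(port, src)].append(src)
    return verdicts


# Constructed ports: a business customer holding 203.0.113.0/26 from us plus its
# own 192.0.2.0/24 (also announced via a second ISP), and an upstream transit link.
CUSTOMER_A = EdgePort("ge-0/0/1", assigned=["203.0.113.0/26"], documented=["192.0.2.0/24"])
TRANSIT = EdgePort("xe-1/0/0", validate=False)

# Constructed sources: own space, dual-homed space, another customer's /26 in the
# same /24 (the "customers attacking each other" case), private space, garbage.
CONSTRUCTED_SOURCES = ["203.0.113.7", "192.0.2.9", "203.0.113.200", "10.0.0.1", "not-an-ip"]


def residential_demo():
    """DHCP-bound residential port: only the leased address passes, until the lease goes away."""
    port = EdgePort("dslam-7/12")
    learn_lease(port, "198.51.100.23")
    before = (validate_source(port, "198.51.100.23"), validate_source(port, "198.51.100.24"))
    release_lease(port, "198.51.100.23")
    after = validate_source(port, "198.51.100.23")
    return before, after


if __name__ == "__main__":
    print("customer port:", apply_policy(CUSTOMER_A, CONSTRUCTED_SOURCES))
    print("transit port: ", apply_policy(TRANSIT, CONSTRUCTED_SOURCES))
    print("residential:  ", residential_demo())
```

The point the simulation makes concrete is Zocalo's: on the customer port the decision needs only that port's own prefix list, so 203.0.113.200 is dropped even though it sits in the same /24 as the customer, whereas once traffic has been aggregated onto the transit port no such list exists and the spoofed packet is indistinguishable from legitimate transit.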