Reflection DDoS Attacks Abusing RPC Portmapper
msm1267 writes: Attackers have figured out how to use Portmapper, or RPC Portmapper, in reflection attacks where victims are sent copious amounts of responses from Portmapper servers, saturating bandwidth and keeping websites and web-based services unreachable. Telecommunications and Internet service provider Level 3 Communications of Colorado spotted anomalous traffic on its backbone starting in mid-June almost as beta runs of attacks that were carried out Aug. 10-12 against a handful of targets in the gaming and web hosting industries. There are 1.1 million Portmapper servers accessible online, and those open servers can be abused to similar effect as NTP servers were two years ago in amplification attacks.
In case you're not joking, the problem is that by the time it reaches the customer premises equipment (your router), it has already wasted bandwidth on the slowest link (the one between the home/business and the ISP). So if you are the target, the damage is already done before you can filter it. That's why amplification attacks have to be prevented by blocking the ports of the systems participating in the amplification, rather than by blocking ports at the victim's site.
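An added example, not part of the original story or comment: since the filtering has to happen at the systems doing the amplifying, an operator can check flow records for signs that their own Portmapper service is being used as a reflector. The flow tuple layout, the thresholds, and the sample records are assumptions constructed for illustration; UDP port 111 is Portmapper's standard port.

```python
from collections import defaultdict

PORTMAP_PORT = 111  # standard Portmapper (rpcbind) port

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes).
# 192.0.2.10 is our own server; all addresses are documentation ranges.
SAMPLE_FLOWS = [
    ("203.0.113.9", 40000, "192.0.2.10", 111, "udp", 68),
    ("192.0.2.10", 111, "203.0.113.9", 40000, "udp", 680),
    ("203.0.113.9", 40001, "192.0.2.10", 111, "udp", 68),
    ("192.0.2.10", 111, "203.0.113.9", 40001, "udp", 680),
    ("203.0.113.9", 40002, "192.0.2.10", 111, "udp", 68),
    ("192.0.2.10", 111, "203.0.113.9", 40002, "udp", 680),
    ("198.51.100.5", 51000, "192.0.2.10", 111, "udp", 68),   # ordinary lookup
    ("192.0.2.10", 111, "198.51.100.5", 51000, "udp", 76),
    ("198.51.100.7", 52000, "192.0.2.10", 111, "tcp", 4000),  # TCP is ignored
]


def reflector_report(flows, local_servers, min_ratio=3.0, min_reply_bytes=1000):
    """Return {(server, claimed_client): ratio} for UDP/111 exchanges where
    our server sent far more bytes than it received. The "client" address in
    a finding is the likely victim of spoofed requests, not the attacker."""
    requests = defaultdict(int)  # bytes received by our Portmapper
    replies = defaultdict(int)   # bytes our Portmapper sent back
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dst in local_servers and dport == PORTMAP_PORT:
            requests[(dst, src)] += nbytes
        elif src in local_servers and sport == PORTMAP_PORT:
            replies[(src, dst)] += nbytes

    findings = {}
    for key, out_bytes in replies.items():
        if out_bytes < min_reply_bytes:  # assumed noise floor
            continue
        in_bytes = requests.get(key, 0)
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if ratio >= min_ratio:           # assumed alerting threshold
            findings[key] = round(ratio, 1)
    return findings


if __name__ == "__main__":
    for (server, victim), ratio in reflector_report(SAMPLE_FLOWS, {"192.0.2.10"}).items():
        print(f"{server} is amplifying toward {victim}: {ratio}x bytes out vs in")
```

A finding here is a reason to restrict or disable Internet-facing access to UDP port 111 on the listed server, which removes it from the pool of usable reflectors.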