Slashdot Mirror


Reflection DDoS Attacks Abusing RPC Portmapper

msm1267 writes: Attackers have figured out how to use Portmapper, or RPC Portmapper, in reflection attacks where victims are sent copious amounts of responses from Portmapper servers, saturating bandwidth and keeping websites and web-based services unreachable. Telecommunications and Internet service provider Level 3 Communications of Colorado spotted anomalous traffic on its backbone starting in mid-June almost as beta runs of attacks that were carried out Aug. 10-12 against a handful of targets in the gaming and web hosting industries. There are 1.1 million Portmapper servers accessible online, and those open servers can be abused to similar effect as NTP servers were two years ago in amplification attacks.

9 of 34 comments

  1. Who the FUCK leaves RPC open to the internet! by Anonymous Coward · · Score: 3, Insightful

    See subject.

    1. Re:Who the FUCK leaves RPC open to the internet! by Etherwalk · · Score: 2

      Actually, this is ONC RPC, originally developed by Sun, not DCE RPC, originally developed by Apollo, adopted by the OSF, and then adopted by Microsoft, but I guess there are Windows boxes offering NFS or some other ONC RPC-based service (or providing clients for those services and, for some unknown reason, running the portmapper even if they're not offering any such services, but I digress).

      Gesundheit.

    2. Re:Who the FUCK leaves RPC open to the internet! by drinkypoo · · Score: 2

      debian linux

      My firewall runs Debian, and I'm not seeing any crazy outgoinNO CARRIER

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  2. It was a dark and stormy night by fustakrakich · · Score: 2

    During that fateful September twenty five years ago. Oh, how I howl at the moon for the politeness and professionalism of CompuServe!

    --
    “He’s not deformed, he’s just drunk!”
  3. You call that secure by Etherwalk · · Score: 2, Funny

    Who the FUCK leaves RPC open to the internet!

    You think you're secure. I only allow internet traffic once every seven minutes for six sec...NO CARRIER

  4. Re:Filtering by dgatwood · · Score: 3, Informative

    In case you're not joking, the problem is that by the time it reaches the customer premises equipment (your router), it has already wasted bandwidth on the slowest link (the one between the home/business and the ISP). So if you are the target, the damage is already done before you can filter it. That's why amplification attacks have to be prevented by blocking the ports of the systems participating in the amplification, rather than by blocking ports at the victim's site.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  5. Should not be exposed to the Internet by ledow · · Score: 2

    If you're exposing any ports to the Internet that are not absolutely necessary for the general unknown public to communicate with you, you're an idiot.

    Web ports? Yes, if necessary.
    Email ports? Yes, if necessary.
    VPN ports? Yes, if necessary.

    Anything else just SHOULDN'T be. And certainly never anything along the lines of RPC, CIFS, etc.

    1. Re:Should not be exposed to the Internet by BlackHawk-666 · · Score: 2

      Ye be wanting to use a cat9 cable for that me laddie.

      --
      All those moments will be lost in time, like tears in rain.
  6. Egress filtering by laughingskeptic · · Score: 2

    This attack requires spoofed IPs, yet I don't see Level3 committing to egress filtering or even mentioning egress filtering as a mitigation for this sort of attack. Why do ISPs allow bad packets to leave their network?
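Source-address egress filtering, the mitigation raised in the comment above, is a simple rule: traffic leaving a customer-facing interface may only carry source addresses from the prefixes assigned behind that interface. The following is an added example, not Level 3's code or configuration, showing the check and why it matters for reflection: a reflector replies to whatever source address the request carried, so dropping spoofed sources at the edge stops the replies from ever being aimed at a third party. Prefixes and packets are constructed.

```python
"""Source-address egress filtering (the idea behind BCP 38) as a policy check.

Added example prompted by the egress-filtering comment; not Level 3's code
or configuration. Prefixes and packets are constructed; an access router
applies the equivalent rule on each customer-facing interface.
"""
import ipaddress

# Constructed: prefixes the ISP has assigned to the customers behind one
# access interface. Only these may legitimately appear as source addresses
# on traffic leaving toward the Internet.
ASSIGNED_PREFIXES = ["198.51.100.0/24", "203.0.113.128/25"]

# Constructed outbound packets: (src, dst, dport). All are UDP/111 queries
# toward the same Internet portmapper; only the source address differs.
OUTBOUND = [
    ("198.51.100.23", "192.0.2.10", 111),   # genuine customer source
    ("203.0.113.10", "192.0.2.10", 111),    # spoofed: not ours, reply would hit a third party
    ("203.0.113.200", "192.0.2.10", 111),   # inside our /25: genuine
    ("10.0.0.9", "192.0.2.10", 111),        # private source leaking out: also dropped
]


def build_egress_filter(prefixes):
    """Return permit(src_ip) -> bool for the given assigned prefixes."""
    nets = [ipaddress.ip_network(p) for p in prefixes]

    def permit(src_ip):
        addr = ipaddress.ip_address(src_ip)
        return any(addr in n for n in nets)

    return permit


def apply_egress_filter(packets, prefixes):
    """Split packets into (forwarded, dropped) by source address."""
    permit = build_egress_filter(prefixes)
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if permit(pkt[0]) else dropped).append(pkt)
    return forwarded, dropped


def reply_destinations(packets):
    """Where a reflector's answers would land: the source address of each
    request it received. With no egress filter, spoofed sources become the
    destinations of the amplified replies."""
    return {src for src, _dst, _dport in packets}


if __name__ == "__main__":
    fwd, drop = apply_egress_filter(OUTBOUND, ASSIGNED_PREFIXES)
    print("forwarded:", fwd)
    print("dropped:", drop)
    print("replies without filter land on:", sorted(reply_destinations(OUTBOUND)))
    print("replies with filter land on:", sorted(reply_destinations(fwd)))
```

Run as is, the unfiltered set of reply destinations includes 203.0.113.10, an address that is not behind this interface at all; after the filter, every reply can only return to a customer who actually sent the request. That is the property the comment is asking ISPs to enforce, and it is only effective at the network the spoofed packets originate from, which is why it cannot be applied after the fact by the reflector's operator or the victim.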