UDP-based Portmap latest target for DDoS attackers looking to amplify attacks
US-based carrier and global backbone operator Level 3 has spotted a new vector being used for DDoS reflection attacks: Portmapper (or simply Portmap).
The Portmap service redirects the client to the proper port number so it can communicate with the requested Remote Procedure Call (RPC) service.
Like several UDP-based services before it (DNS, NTP), it is being used by attackers both to hide the origin of the attack and to amplify its volume.
“Portmapper can run on both TCP or UDP port 111, with UDP being required for the spoofed request to receive an amplified response”, Level 3 researchers explained.
That’s because UDP is a connection-less protocol that does not validate source IP addresses, and an attacker can easily forge a request to include a target’s IP address.
“Recently, certain UDP protocols have been found to have particular responses to certain commands that are much larger than the initial request,” US-CERT warned earlier this year, and provided a list of UDP protocols that have been identified as potential vectors for this type of attack (Portmap has been added to the list today).
“When a client is looking to find the appropriate service, the Portmapper is queried to assist. This means, when it is queried, the response size varies wildly depending on which RPC services are operating on the host,” Level 3 researchers pointed out.
The amplification factor can vary, but according to their measurements, the average response size is over 18 times the size of the request.
“Global Portmap traffic grew by a factor of 22x when comparing the last 7 days of June with the 7 days, ending August 12,” they added. While Portmap is still less widely abused than other UDP services, attackers can be expected to keep misusing it until exposed instances are locked down.
All administrators and organizations are advised to evaluate whether Portmap needs to be reachable from the Internet at all, and to disable it on Internet-facing systems if it does not. The same evaluation should be made for the other RPC services on those hosts that also listen on UDP ports (NFS, NIS, etc.).
“In situations where the services must remain live, firewalling which IP addresses can reach said services and, subsequently, switching to TCP-only are mitigations to avoid becoming an unknowing participant in DDoS attacks in the future,” the researchers added.
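The mechanics behind the amplification figures above, and the UDP-exposure check the mitigation advice asks for, as an added example (this is not Level 3's or US-CERT's code). It hand-builds the 40-byte ONC RPC PMAPPROC_DUMP call that reflection attacks spoof, parses the reply, computes the amplification factor, and lists which registered RPC programs are reachable over UDP, i.e. the candidates for firewalling or for a switch to TCP-only. The reply it runs against offline is a constructed registration list for a typical Linux NFS server (program numbers are the standard ones; the port numbers and the function names are assumptions); the `probe()` function sends a real query and should only be pointed at hosts you are authorised to test.

```python
"""Portmap (RPC program 100000) amplification probe and UDP-exposure check.

Added example, not code from the article or from Level 3.  Builds the ONC
RPC (RFC 5531) PMAPPROC_DUMP call over UDP, parses the reply and reports
reply_size / request_size plus the registrations that listen on UDP.
"""
import socket
import struct
import sys

PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP = 100000, 2, 4
RPC_CALL, RPC_REPLY, AUTH_NONE = 0, 1, 0
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def build_dump_request(xid: int = 0x1A2B3C4D) -> bytes:
    """Ten big-endian 32-bit words: xid, CALL, RPC v2, program, version,
    procedure, then an empty AUTH_NONE credential and verifier (40 bytes)."""
    return struct.pack("!10I", xid, RPC_CALL, 2, PMAP_PROG, PMAP_VERS,
                       PMAPPROC_DUMP, AUTH_NONE, 0, AUTH_NONE, 0)


def parse_dump_reply(data: bytes, xid: int):
    """Return [(prog, vers, prot, port), ...] from an accepted DUMP reply."""
    try:
        r_xid, msg_type, reply_stat, _vflavor, vlen, accept_stat = \
            struct.unpack("!6I", data[:24])
        if r_xid != xid or msg_type != RPC_REPLY:
            raise ValueError("not a reply to our call")
        if reply_stat != 0 or accept_stat != 0:
            raise ValueError(f"call rejected: reply_stat={reply_stat} "
                             f"accept_stat={accept_stat}")
        off = 24 + ((vlen + 3) & ~3)        # skip XDR-padded verifier body
        entries = []
        while True:                         # pmaplist: value_follows-prefixed
            (value_follows,) = struct.unpack("!I", data[off:off + 4])
            off += 4
            if not value_follows:
                return entries
            entries.append(struct.unpack("!4I", data[off:off + 16]))
            off += 16
    except struct.error as exc:
        raise ValueError("truncated reply") from exc


def encode_dump_reply(xid: int, entries) -> bytes:
    """Encode a DUMP reply the way rpcbind does (24-byte header, 20 bytes per
    registration, 4-byte terminator).  Used here only to build the offline
    sample; a real probe gets this from the wire."""
    out = struct.pack("!6I", xid, RPC_REPLY, 0, AUTH_NONE, 0, 0)
    for prog, vers, prot, port in entries:
        out += struct.pack("!5I", 1, prog, vers, prot, port)
    return out + struct.pack("!I", 0)


def amplification(request: bytes, reply: bytes) -> float:
    return len(reply) / len(request)


def udp_exposed(entries):
    """Registrations answering on UDP: what to firewall or move to TCP-only."""
    return sorted({(prog, vers, port) for prog, vers, prot, port in entries
                   if prot == IPPROTO_UDP})


# Constructed sample (assumption): registrations of a typical Linux NFS server,
# each on both TCP and UDP.  Ports are illustrative; program numbers are real.
SAMPLE_ENTRIES = (
    [(100000, v, p, 111) for v in (2, 3, 4) for p in (IPPROTO_TCP, IPPROTO_UDP)]
    + [(100003, v, p, 2049) for v in (3, 4) for p in (IPPROTO_TCP, IPPROTO_UDP)]
    + [(100005, v, p, 20048) for v in (1, 2, 3) for p in (IPPROTO_TCP, IPPROTO_UDP)]
    + [(100021, v, p, 32803) for v in (1, 3, 4) for p in (IPPROTO_TCP, IPPROTO_UDP)]
    + [(100024, 1, p, 48000) for p in (IPPROTO_TCP, IPPROTO_UDP)]
)


def demo():
    """Offline run against the constructed sample:
    returns (request_len, reply_len, factor, udp_registrations)."""
    xid = 0x1A2B3C4D
    req = build_dump_request(xid)
    reply = encode_dump_reply(xid, SAMPLE_ENTRIES)
    entries = parse_dump_reply(reply, xid)
    return len(req), len(reply), amplification(req, reply), udp_exposed(entries)


def probe(host: str, timeout: float = 2.0):
    """Live query of host:111/udp; only against hosts you may test."""
    xid = 0x51E7E1C3
    req = build_dump_request(xid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, 111))
        data, _ = s.recvfrom(65535)
    return amplification(req, data), udp_exposed(parse_dump_reply(data, xid))


if __name__ == "__main__":
    factor, udp = probe(sys.argv[1]) if len(sys.argv) > 1 else demo()[2:]
    print(f"amplification {factor:.1f}x; UDP registrations: {udp}")
```

The 24-registration sample produces a 508-byte reply to a 40-byte request, a 12.7x factor; the only thing that changes the figure is the number of registered programs, which is why Level 3 saw the response size "vary wildly" between hosts. A host that returns an empty list on UDP (or times out because UDP/111 is filtered) is the state the mitigation advice is aiming for.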
A similar (and, as far as we know, still theoretical) attack was described by a group of researchers only a few days ago: Distributed Reflective DoS (DRDoS) attacks can be mounted via BitTorrent clients, taking advantage of the fact that BitTorrent also runs over UDP.