Hackers exploiting wide-open Portmap to amp up DDoS attacks
Careless net admins leave systems with cleartext trousers down
Security watchers have warned about a new class of DDoS amplification threat which exists only because too many users are failing to follow basic safeguards.
Improperly configured services such as DNS or Network Time Protocol (NTP) have been exploited to launch a string of DDoS attacks over the last couple of years, the most high-profile of which battered Spamhaus and buffeted internet exchanges back in March 2013. Over recent weeks, another service – Portmap – has become a vector of DDoS attacks, US-based carrier Level 3 warned.
Attacks using the technique and monitored by Level 3 last week focused on gaming, hosting and internet infrastructure verticals.
Unlike DNS and NTP, Portmap has no business being exposed on internet-facing systems. Disabling or blocking internet-facing Portmap services using firewalls is trivial, but too many net admins have overlooked this well-understood practice, creating a resource which hackers can abuse.
Tod Beardsley, security engineering manager at Rapid7, the firm behind Metasploit, commented: "Portmap (port 111/UDP) used to be a common service on many UNIX-like distributions, including Linux and Solaris. To hear that it's part of a 'new DDoS' attack is very disorienting, as Portmap attacks are by no means new."
Portmap can still be useful in private, internal networks, but the technology is cleartext and essentially unauthenticated. So it's really not the sort of thing you'd want to expose on the web even before considering the technology's history of security vulnerabilities.
Global Portmap traffic grew by a factor of 22 when comparing the last seven days of June with the seven days ending August 12. This is still very small compared to other UDP services, but the big growth in traffic points to the service becoming a fashionable avenue for attacks.
Hosts that support Portmap in internet-facing connections are at risk of becoming unwitting accomplices in DDoS reflection/amplification attacks.
Other services which have no business getting exposed on internet-facing systems, such as Simple Service Discovery Protocol (SSDP), have recently been exploited in DDoS amplification attacks. Insecure Portmap installs represent exactly the same sort of UDP-based amplification attack risk.
Ashley Stephenson, chief exec at DDoS mitigation firm Corero Network Security, explained: "The RPCbind or Portmap service is reported to have a DDoS attack amplification factor of approximately 7x to 27x. If RPCbind/Portmap service is queried, it can in some cases respond with a considerable amount of data that exceeds the size of the query, hence the use of the term amplification."
"This is another classic example of a reflective/amplified DDoS attack using standard UDP accessible internet services," he added.
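As an added example (not from the article, nor from Level 3, Rapid7 or Corero), the Python below shows what the amplification Stephenson describes looks like from the reflector's side: it reads NetFlow-style records for a host running rpcbind and flags peers for which the service is sending back many times more bytes than it received, and whether those peers are outside RFC 1918 space at all. The record layout, the local host address and every flow line are constructed assumptions for the example.

```python
"""Flag Portmap (UDP/111) reflection/amplification abuse in flow records.

Added example, not code from the article or the firms it quotes. The record
layout (timestamp src sport dst dport bytes) is an assumed NetFlow-like text
format and all records below are constructed sample data.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Set

PORTMAP_PORT = 111
# The article quotes an amplification factor of roughly 7x to 27x for
# RPCbind/Portmap; treat anything at or above the low end as suspicious.
AMP_THRESHOLD = 7.0

# RFC 1918 ranges: any peer outside these is treated as internet-facing.
# (ipaddress.is_private also covers the documentation ranges used below,
# so an explicit list is used instead.)
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: 198.51.100.5 is "our" host running rpcbind; the
# documentation-range addresses stand in for public peers.
SAMPLE_FLOWS = """\
2015-08-18T10:00:01 203.0.113.10 53123 198.51.100.5 111 68
2015-08-18T10:00:01 198.51.100.5 111 203.0.113.10 53123 1480
2015-08-18T10:00:01 203.0.113.10 53123 198.51.100.5 111 68
2015-08-18T10:00:01 198.51.100.5 111 203.0.113.10 53123 1480
2015-08-18T10:00:02 203.0.113.10 53123 198.51.100.5 111 68
2015-08-18T10:00:02 198.51.100.5 111 203.0.113.10 53123 1480
2015-08-18T10:00:05 10.0.0.7 40000 198.51.100.5 111 68
2015-08-18T10:00:05 198.51.100.5 111 10.0.0.7 40000 98
2015-08-18T10:00:09 192.0.2.44 6000 198.51.100.5 111 68
2015-08-18T10:00:09 198.51.100.5 111 192.0.2.44 6000 1480
"""


class Flow(NamedTuple):
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated flow lines; malformed or blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, sport, dst, dport, nbytes = parts
        flows.append(Flow(ts, src, int(sport), dst, int(dport), int(nbytes)))
    return flows


def is_internal(addr: str) -> bool:
    """True if addr falls in an RFC 1918 range."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def portmap_traffic(flows: List[Flow], local_hosts: Set[str]) -> Dict[str, Dict[str, int]]:
    """Sum query bytes (peer -> local:111) and reply bytes (local:111 -> peer) per peer.

    In a reflection attack the "peer" is the spoofed victim, so the reply
    counter is what our host is firing at it.
    """
    totals: Dict[str, Dict[str, int]] = defaultdict(lambda: {"query_bytes": 0, "reply_bytes": 0})
    for f in flows:
        if f.dst in local_hosts and f.dport == PORTMAP_PORT:
            totals[f.src]["query_bytes"] += f.nbytes
        elif f.src in local_hosts and f.sport == PORTMAP_PORT:
            totals[f.dst]["reply_bytes"] += f.nbytes
    return dict(totals)


def find_reflection_abuse(flows: List[Flow], local_hosts: Set[str], threshold: float = AMP_THRESHOLD) -> list:
    """Return peers whose reply/query byte ratio meets the threshold, largest reply volume first."""
    findings = []
    for peer, t in portmap_traffic(flows, local_hosts).items():
        if t["query_bytes"] == 0:
            continue  # replies with no matching query: nothing to compute a ratio from
        ratio = t["reply_bytes"] / t["query_bytes"]
        if ratio >= threshold:
            findings.append({"peer": peer, "ratio": round(ratio, 1),
                             "reply_bytes": t["reply_bytes"],
                             "internet_facing": not is_internal(peer)})
    findings.sort(key=lambda x: x["reply_bytes"], reverse=True)
    return findings


if __name__ == "__main__":
    for hit in find_reflection_abuse(parse_flows(SAMPLE_FLOWS), {"198.51.100.5"}):
        print(hit)
```

On the sample, the two public peers come back at roughly 22x (three and one DUMP-sized replies respectively) while the internal client's ratio stays near 1, so only the public peers are flagged. Any `internet_facing` finding is already the finding that matters: per the article, rpcbind should never be answering the internet, regardless of the ratio.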
Stephenson warns that the security risk is unlikely to be resolved anytime soon – even though it's easy to fix.
"Disabling or blocking internet-facing RPCbind/Portmap services is a trivial task on any single system, but it is unlikely to occur anytime soon on the potentially millions of vulnerable systems accessible on the internet today," he added. ®