MCNC Security Advisory 2015.001

RPC Portmapper Service Can Be Abused in DDoS Reflection Attacks

General Information

Executive Summary

In August 2015, details began to emerge about an increase in network traffic using the RPC Portmapper service. Research into this increase in traffic patterns indicates that attackers are starting to abuse systems with open RPC Portmapper services to direct large volumes of attack traffic at their intended targets.

This type of attack is known as a “reflection” attack because it allows the attacker to “bounce” the attack off of an intermediate server and cause that intermediate server to attack the intended victim. These types of attacks can often cause Denial of Service (DoS) conditions for both the target of the attack, as well as the operators of the systems running the RPC Portmapper service.

MCNC has observed an increase in RPC Portmapper traffic emanating from constituents on the NCREN network throughout the month of August 2015. Indications are that these constituents are hosting systems on their networks that expose the RPC Portmapper service to other systems on the Internet, and that attackers are reflecting DoS attack traffic off of these systems to target external victims. In order to help prevent these attacks, MCNC is releasing this security advisory to all constituents, providing information about the issue, as well as suggested actions that constituents can take to protect themselves from these attacks.

Advisory Details

Details of the Issue

The RPC Portmapper is a service that maps Remote Procedure Call (RPC) services running on a system, to the ports that those services are listening on for incoming connections. Think of it is a directory listing for available RPC services and their listening ports. As an example, if you need to find out what port the NFS service is listening on, you can connect to and query the Portmapper!

The well-known listening port for the RPC Portmapper service is port 111, and the service can run over both TCP and UDP.

A new attack technique has emerged that reflects and amplifies attacks by bouncing them off of systems that expose the RPC Portmapper service. These attacks are similar to DNS amplification attacks that have been popular for some time. The attacks work like this:

  • The attacker sends a small, forged query to a system running the RPC Portmapper service. The forged query requests that the RPC Portmapper service return a list of all of the RPC services running on that system. Depending on how many services are running on the system, the reply to this query can contain a large amount of data.
  • In the original forged query, the attacker has spoofed the source IP address, setting this address to the address of the intended target of the DDoS attack.
  • When the system running the RPC Portmapper service responds to the query, it sends the response to the spoofed IP address. The victim of the DDoS attack is now flooded with RPC Portmapper data that it did not request.

These attacks are usually multiplied by using many RPC Portmapper servers at the same time. In some cases, the attacks may cause DoS conditions for both the target of the attack (spoofed IP address), as well as the system running the RPC Portmapper service.

Suggested Actions

The information below provides a list of some actions that you should consider in order to protect your systems and networks. This list is not comprehensive and there may be other actions that you choose to take. This is just a sample of some common techniques that can be used to address this NTP DDoS issue.

Find Vulnerable Systems

You should scan your network to find systems that respond to RPC Portmapper queries. You can also use a tool like nmap to scan a network looking for vulnerable systems.

Restrict Access to RPC Portmapper

Unfortunately, responding to these queries is how the RPC Portmapper service is designed to work. In many cases however, there is no need to allow access to the RPC Portmapper service from arbitrary hosts. If possible, system and network administrators should only allow access to the RPC Portmapper from trusted hosts. It is particularly important to disable access from systems on the Internet.

Only Use Portmapper over TCP

The RPC Portmapper service is supported over both TCP and UDP. The UDP protocol is vulnerable to spoofing of source IP addresses that allow these attacks to transpire. If you cannot disable or restrict access to the RPC Portmapper service, consider requiring connections only over TCP.

Limit Unnecessary Network Connections

Consider implementing firewall rules router ACLs, or other traffic filters to limit not only inbound RPC Portmapper traffic, but also outbound traffic as well. If systems on your network do not need to send our RPC Portmapper requests, you should restrict this traffic.

Restrict Access to Other RPC Services

Portmapper is not the only RPC service that can be abused in this manner. Other RPC services such as NFS, NIS, mountd, etc. can also be abused to reflect DDoS attack traffic. Consider taking steps to limit access to these service as well.

Additional Information

  1. http://blog.level3.com/security/a-new-ddos-reflection-attack-portmapper-an-early-warning-to-the-industry/
  2. https://threatpost.com/reflection-ddos-attacks-abusing-rpc-portmapper/114318


Revisions

  • V1.0 (August 21, 2015): Advisory published.
Tags