Kitz ADSL Broadband Information
adsl spacer  
Support this site
Home Broadband ISPs Tech Routers Wiki Forum
 
     
   Compare ISP   Rate your ISP
   Glossary   Glossary
 
Please login or register.

Login with username, password and session length
Advanced search  

News:

Author Topic: Portmapper is being used as a DDoS vector (From SANS/Level3)  (Read 2015 times)

AArdvark

  • Kitizen
  • ****
  • Posts: 1008
Portmapper is being used as a DDoS vector (From SANS/Level3)
« on: August 18, 2015, 10:04:29 PM »

Heads up re: a new DDoS vector that is growing in use.
(Probably for the more techie kitzen  ;D)

A New DDoS Reflection Attack: Portmapper; An Early Warning to the Industry
http://blog.level3.com/security/a-new-ddos-reflection-attack-portmapper-an-early-warning-to-the-industry/
Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 32547
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Portmapper is being used as a DDoS vector (From SANS/Level3)
« Reply #1 on: August 21, 2015, 12:39:14 PM »

I'm afraid I wasnt quite sure what they are getting at or whom that was aimed at.  If it related to websites, then thats why I pay for a fully managed service because I dont have the time nor enough knowledge to ensure everything is configured securely.

But re portmapper.. isnt that something to do with UPnP ?  or have I got hold of the wrong end of the stick (possibly).
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

AArdvark

  • Kitizen
  • ****
  • Posts: 1008
Re: Portmapper is being used as a DDoS vector (From SANS/Level3)
« Reply #2 on: August 21, 2015, 01:11:33 PM »

It was a 'heads-up' to everyone to keep an eye of what portmapper is doing.
(Original article was aimed more at the Service industries but also of interest to anyone who may be running their own web server.)

It is a common port used on many systems as part of running everyday applications. (uPNP (as you stated), Remote Procedure calls)

Quote
Random quote on Portmapper:
The port mapper (rpc.portmap or just portmap, or rpcbind) is an Open Network Computing Remote Procedure Call (ONC RPC) service that runs on network nodes that provide other ONC RPC services.

Version 2 of the port mapper protocol maps ONC RPC program number/version number pairs to the network port number for that version of that program. When an ONC RPC server is started, it will tell the port mapper, for each particular program number/version number pair it supports for a particular transport protocol (TCP or UDP), what port number it is using for that particular program number/version number pair on that transport protocol. Clients wishing to make an ONC RPC call to a particular version of a particular ONC RPC service must first contact the port mapper on the server machine to determine the actual TCP or UDP port to use.

Versions 3 and 4 of the protocol, called the rpcbind protocol, map a program number/version number pair, and an indicator that specifies a transport protocol, to a transport-layer endpoint address for that program number/version number pair on that transport protocol.

The port mapper service always uses TCP or UDP port 111; a fixed port is required for it, as a client would not be able to get the port number for the port mapper service from the port mapper itself.

The aim of the people (mis)using this port is to slip past the standard protections in place because portmapper has to be let through firewalls etc in certain circumstances for many systems to operate.
(i.e. if you cannot call port 111 you cannot discover the port numbers you are allowed to use)
It is an extension of the idea to use common ports in 'bad' ways under the hope that things may sneak past the 'gate-keeper' because the port used and/or protocol used is not expected to be hostile.

The fact that the number of attacks are increasing shows that it is considered to be a target worth going for.
Thought it might be useful to warn anyone who may be running their own web server etc as it may be unexpected.
Logged

ejs

  • Kitizen
  • ****
  • Posts: 2058
Re: Portmapper is being used as a DDoS vector (From SANS/Level3)
« Reply #3 on: August 21, 2015, 01:42:00 PM »

I think this is unrelated to UPnP, and isn't likely to be present in a router.
Logged

AArdvark

  • Kitizen
  • ****
  • Posts: 1008
Re: Portmapper is being used as a DDoS vector (From SANS/Level3)
« Reply #4 on: August 21, 2015, 02:04:49 PM »

You are right about the uPNP ... d'oh
I saw a uPNP Portmapper and thought maybe it is uPNP as well.  :-[
(Never looked at uPNP and to be honest never use it. I like to control what my devices do and not trust software to get it right by 'magic'.  ;D )
I was not specifically thinking about routers.
Many people have devices connected directly to the internet, such as web servers
Not everyone is running a managed service.

It was just a heads-up on a new DDos vector that was being seen.
It doesn't apply to me but might to someone else.
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 6299
Re: Portmapper is being used as a DDoS vector (From SANS/Level3)
« Reply #5 on: August 22, 2015, 09:07:16 AM »

I block the RPC stuff already on any server I manage, but this is a good pre warning by the company.

It also proves that its good practice to remove or disable any service of a machine you dont use, so e.g. if you dont need nfs, then remove the associated services.  As everything is always a potential attack vector.
Logged
AAISP - Billion 8800NL bridge & PFSense BOX running PFSense 2.4 - ECI Cab - LINE STATISTICS CLICK HERE

AArdvark

  • Kitizen
  • ****
  • Posts: 1008
Re: Portmapper is being used as a DDoS vector (From SANS/Level3)
« Reply #6 on: August 22, 2015, 02:30:50 PM »

Quote
remove or disable any service of a machine you don't use
@Chrysalis
Spot on !

Something I have always carried with me from my Unix days.  ;D

(Another reason why I don't like Win10. MS can switch on anything they like.)  :( >:(
Logged