Guide to Portmapper Amplification Issues

What is Portmapper?

The port mapper (rpc.portmap or just portmap, or rpcbind) is an Open Network Computing Remote Procedure Call (ONC RPC) service that runs on network nodes providing other ONC RPC services.

A host may connect to a server that supports the Portmapper Protocol on either Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port number 111. 

You can read more details about this protocol:

Amplification Attack Description:

The UDP-based Portmapper protocol can be abused to amplify denial-of-service attack traffic. Servers running with Portmapper are susceptible to a distributed reflected denial-of-service (DRDoS) attack.

The attacker generates a large number of UDP packets with a spoofed source IP address to make it appear as though the packets are coming from the intended target. These UDP packets are sent to Portmapper servers (port 111).

How to verify if your server/device is vulnerable

These are some output examples if the Portmapper UDP port is exploitable (xx.xx.xx.xx is the server IP)

# nmap -Pn -sU -p U:111 --script=rpcinfo xx.xx.xx.xx

Nmap scan report for xx.xx.xx.xx
111/udp open rpcbind
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 45676/udp status
|_ 100024 1 53787/tcp status

or, alternatively:
# rpcinfo -s xx.xx.xx.xx
  program version(s) netid(s) service owner
  100000 2,3,4 local,udp,tcp,udp6,tcp6 portmapper superuser
  100024 1 tcp6,udp6,tcp,udp status 106


Different options are available to protect your server or device:

1) Disable the Portmapper service if you are not using it. This is the easiest and the most effective solution.
(If you are using NFSv3 you should consider the second option. However NFSv4 has no interaction with portmapper.)

2) Configure your firewall to restrict incoming requests on portmapper service to a specific list of hosts/networks, or block them completely. Please make sure that the firewall rule will be saved and reloaded after a server reboot.




Article is closed for comments.
Powered by Zendesk