Understanding Portmapper Amplification issues

What is Portmapper?

The port mapper (rpc.portmap or just portmap, or rpcbind) is an Open Network Computing Remote Procedure Call (ONC RPC) service that runs on network nodes providing other ONC RPC services.

A host may connect to a server that supports the Portmapper Protocol on either Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port number 111. 

You can read more details about this protocol: https://en.wikipedia.org/wiki/Portmap

Amplification Attack Description:

The UDP-based Portmapper protocol can be abused to amplify denial-of-service attack traffic: a small request for the list of registered RPC programs produces a much larger reply. Servers running Portmapper and reachable over UDP from untrusted networks are therefore susceptible to being used in a distributed reflected denial-of-service (DRDoS) attack.

The attacker sends a large number of UDP requests to Portmapper servers (port 111) with the source IP address spoofed to that of the intended target. Each server sends its reply to the spoofed address, so the target, not the attacker, receives the amplified traffic.

How to verify if your server/device is vulnerable

This is an example of the output:

1) The Portmapper UDP port answers remote queries and can be used as a reflector (xx.xx.xx.xx is the server IP)

rpcinfo -T udp -p xx.xx.xx.xx
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  49500  status
    100024    1   tcp  47792  status
[...]

A listing like this, returned to an unauthenticated query from an arbitrary host, means the server will also answer spoofed requests and can be used as a reflector. If the query times out or is refused, the UDP port is not reachable from where you ran the check.

Resolution

Different options are available to protect your server or device:

1) Disable the Portmapper service if you are not using it. This is the easiest and most effective solution. Note, however, that NFS and other ONC RPC services depend on it, so check for those before disabling it.

2) Configure your firewall to restrict incoming requests to the portmapper service (TCP and UDP port 111) to a specific list of hosts/networks, or block them completely. Make sure the firewall rule is saved and reloaded after a server reboot; otherwise the exposure returns on the next restart.
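As an added example (not part of the original article), a small POSIX shell script that parses an rpcinfo -p listing like the one shown above, reports which RPC programs are registered over UDP, flags the host as exposed when the portmapper itself answers over UDP, and prints candidate firewall rules for option 2. The sample listing is the article's own output; the function names and the trusted network 192.0.2.0/24 are assumptions.

```shell
#!/bin/sh
# Added example: audit an "rpcinfo -p <server>" listing for RPC programs
# reachable over UDP (the condition that lets a host act as a reflector)
# and emit allow-list firewall rules. Function names are assumptions.

# Print "port program service" for each UDP registration read from stdin.
# Only rows whose first field is numeric are considered, so the header
# line of rpcinfo output is skipped.
udp_registrations() {
    awk '$1 ~ /^[0-9]+$/ && $3 == "udp" { print $4, $1, $5 }'
}

# Exit 0 when the portmapper itself (program 100000) is registered over
# UDP, i.e. a spoofed UDP query to port 111 will be answered; else exit 1.
portmapper_udp_exposed() {
    udp_registrations | awk '$2 == "100000" { found = 1 } END { exit !found }'
}

# Print iptables rules (not executed) that allow port 111 from a trusted
# network and drop it from everywhere else. Review, apply, and persist
# them so they survive a reboot, as the resolution section notes.
portmap_firewall_rules() {
    trusted="$1"
    printf 'iptables -A INPUT -p udp --dport 111 -s %s -j ACCEPT\n' "$trusted"
    printf 'iptables -A INPUT -p tcp --dport 111 -s %s -j ACCEPT\n' "$trusted"
    printf 'iptables -A INPUT -p udp --dport 111 -j DROP\n'
    printf 'iptables -A INPUT -p tcp --dport 111 -j DROP\n'
}

# Constructed sample: the listing shown in the article.
SAMPLE_LISTING='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  49500  status
    100024    1   tcp  47792  status'

# Demo: run with --demo to audit the sample; otherwise source this file and
# pipe real "rpcinfo -p <server>" output into the functions.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LISTING" | udp_registrations
    if printf '%s\n' "$SAMPLE_LISTING" | portmapper_udp_exposed; then
        echo "portmapper answers over UDP: host can be used as a reflector"
        portmap_firewall_rules 192.0.2.0/24   # assumed trusted network
    fi
fi
```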

References:

  1. https://www.us-cert.gov/ncas/alerts/TA14-017Am
  2. https://tools.ietf.org/html/rfc1833