• Technologies
    • Networking
    • Cybersecurity
    • Collaboration
    • Edge Cloud
    • Managed & Professional Services
    • SASE
  • Customer Stories
  • Insights
    • Business Continuity & Disaster Recovery (BCDR)
    • Customer Experience
    • Data-Driven Business
    • Operational Efficiency
    • Tech Trends
  • Industries
    • Financial Services
    • Gaming
    • Healthcare
    • Manufacturing
    • Media & Entertainment
    • Public Sector
    • Higher Education
    • Retail
    • Technology
  • About Lumen
    • Black Lotus Labs
    • Leadership Perspectives
    • Newsroom
    • News Spotlights
  • Technologies
    • Networking
    • Cybersecurity
    • Collaboration
    • Edge Cloud
    • Managed & Professional Services
    • SASE
  • Customer Stories
  • Insights
    • Business Continuity & Disaster Recovery (BCDR)
    • Customer Experience
    • Data-Driven Business
    • Operational Efficiency
    • Tech Trends
  • Industries
    • Financial Services
    • Gaming
    • Healthcare
    • Manufacturing
    • Media & Entertainment
    • Public Sector
    • Higher Education
    • Retail
    • Technology
  • About Lumen
    • Black Lotus Labs
    • Leadership Perspectives
    • Newsroom
    • News Spotlights

A New DDoS Reflection Attack: Portmapper; An Early Warning to the Industry

Black Lotus Labs Posted On August 28, 2015
0
3.6K Views


0
Shares
  • Share On Facebook
  • Tweet It

The faster those of us in the security and network operator space can detect a new attack vector, the faster we can come up with ways to slow or stall the growth of that method. To accomplish this, Level 3 monitors threat indicators across our network and looks for trends in attacks that we mitigate for our customers. We are also in a unique position as a global backbone operator to often see multiple stages of the attack, not just the final stage targeting the victim. This allows us to block the attacker and work with any unsuspecting third parties to mitigate risk in the future.

In the last few weeks, we witnessed an alarming trend in both traffic behavior and DDoS methods with the introduction of a new DDoS vector: Portmapper.

Preliminary Impact

Active DDoS reflection attacks have taken a serious toll on both businesses and consumers. Some of the most notorious are the NTP attacks of early 2014 that, at their peak, resulted in attacks amplified to multiple hundreds of gigabits per second in size. The Portmapper vector is the latest method for these types of attack. It already has been used in a number of attacks, with the largest impact to organizations taking place August 10 through 12.  These attacks targeted only a subset of verticals, primarily focused on gaming, hosting and Internet infrastructure. Level 3’s Threat Research Labs’ goal is for the industry to use this early warning to help stop or slow any future impacts.

Background

Distributed Denial of Service (DDoS) attacks can cripple a variety of resources on the Internet. It is rare that a week goes by without news of some website or company being impacted by an attack. Different attack methods exist, with volumetric attacks consistently popular due to the significant impact and lack of required sophistication.

In recent years we have seen popularity with a variety of UDP based services, especially DNS, NTP and SSDP. Each has been used to allow attackers to both mask their origin and amplify the bandwidth of their volumetric attacks. As each of these vectors has gained in popularity, security researchers and network operators come together to remove open amplification hosts, track down attackers and even block the attack request altogether.

Among other security bulletins on the topic, the US-CERT maintains an alert at https://www.us-cert.gov/ncas/alerts/TA14-017A that provides more details and lists known vectors.

Portmapper

Portmapper (also referred to as rpcbind, portmap or RPC Portmapper) is a mechanism to which Remote Procedure Call (RPC) services register in order to allow for calls to be made to the Internet. Think of it as a directory service for RPC. When a client is looking to find the appropriate service, the Portmapper is queried to assist. This means, when it is queried, the response size varies wildly depending on which RPC services are operating on the host.

As an example:

$ rpcinfo -T udp -p AAA.BBB.CCC.DDD

program vers proto   port

100000    2   tcp    111  portmapper

100000    2   udp    111  portmapper

100003    2   udp   2049  nfs

100003    3   udp   2049  nfs

100003    4   udp   2049  nfs

100003    2   tcp   2049  nfs

100003    3   tcp   2049  nfs

100003    4   tcp   2049  nfs

100021    1   udp  32768  nlockmgr

100021    3   udp  32768  nlockmgr

100021    4   udp  32768  nlockmgr

100021    1   tcp  34848  nlockmgr

100021    3   tcp  34848  nlockmgr

100021    4   tcp  34848  nlockmgr

100005    1   udp 751  mountd

100005    1   tcp  754  mountd

100005    2   udp 751  mountd

100005    2   tcp  754  mountd

100005    3   udp 751  mountd

100005    3   tcp  754  mountd

100024    1   udp 32770  status

100024    1   tcp  47090  status

Portmapper can run on both TCP or UDP port 111, with UDP being required for the spoofed request to receive an amplified response.

This particular response was one of the smaller received, with a 68 byte query resulting in a 486 byte response for an amplification factor of 7.1x. On the high end of the spectrum, we have seen responses as large as 1930 bytes for an amplification of 28.4x.

To quantify an average amplification size, we took more than 300 of the top talkers seen across our network and measured the average response size. The result was approximately 1241 bytes (18.3x factor). This number was then compared to the values seen in example DDoS attacks. We found the value to be 1348 bytes (19.8x amplification).

Obviously, these amplification factors are a troubling size when it comes to a DDoS vector.

Query Variation

Level 3 Threat Research Labs referenced the Portmapper query size as a 68 byte IP packet destined for UDP port 111. However, that was the witnessed behavior of a single test machine being used in the analysis. It is important for people looking to filter these types of requests to understand what other query sizes are being seen in the wild. To do that, we look at our network information to see the distribution of packet sizes destined for UDP port 111.

Over the sample time period (late June through mid-August) the breakdown of packet sizes destined for the Portmapper UDP service were:

68 bytes – 36%
78 bytes – 25%
69 bytes – 19%
… all others are non-significant at 1% or smaller

This represents the concerning sized packets for filtering queries to the Portmapper service.

Internet Behavior

Other reflection attack methods have remained fairly steady in the last few weeks while this particular vector grew substantively.

portmap-highres.jpg

 

Global portmap traffic grew by a factor of 22x when comparing the last 7 days of June with the 7 days, ending August 12.  Clearly the success of using this method for attacks is growing aggressively. However, when Portmapper’s global traffic use is compared with the other popular UDP services, it is clear that the global volume of traffic is still small.

reflection-highres.jpg

Portmapper is so small it barely registers as the red line at the bottom of the graph. This shows, despite its recent growth, it is a great time to begin filtering requests and removing reflection hosts from the Internet before the attack popularity grows larger and causes more damage.

Recommendations

Portmapper represents a new vector for reflection and amplification DDoS attacks across the Internet. All administrators and organizations should review their continued use of it as an available Internet service in their environment. However, it is not the only vector brought to light here. A number of RPC services on vulnerable hosts are also available on UDP ports.  While we have not enumerated each of these directly, they should all be considered a risk to being used for DDoS reflection or amplification.  Of course, their very existence on the Internet should be questioned and disabling them considered a best practice.

We recommend disabling Portmapper along with NFS, NIS and all other RPC services across the open Internet as a primary option. In situations where the services must remain live, firewalling which IP addresses can reach said services and, subsequently, switching to TCP-only are mitigations to avoid becoming an unknowing participant in DDoS attacks in the future.

Post Views: 3,558

Related posts:

  1. CLDAP Reflectors on the Rise Despite Best Practice
0
Shares
  • Share On Facebook
  • Tweet It


CyberthreatsDDoS ProtectionFirewall Protection


Author

Black Lotus Labs

The mission of Black Lotus Labs is to leverage our network visibility to help protect customers and keep the internet clean.

Trending Now
Beyond the Finish Line: How Churchill Downs Racetrack Harnesses Advanced Network Solutions for Seamless Kentucky Derby® Operations
Lumen Customer Stories Team April 23, 2025
Announcing the Lumen strategic partnership with Google Cloud: Transforming the future of cloud and network solutions
Lumen April 9, 2025
You may also like
Bridging the Cybersecurity Communication Gap Between IT Directors and Business Leaders
March 19, 2025
From Security Scares To Network Nirvana: How Micro Center Supercharged Its Cybersecurity
February 26, 2025
Empowering Digital Transformation: Part 4 – Secure Your Future With A Sound Cloud and Edge Data Protection Strategy
February 19, 2025
The Linux Mint Backdoor: How Bad Was It?
Read Next

The Linux Mint Backdoor: How Bad Was It?

  • Categories

    Adaptive Networking

    Connected Security

    Hybrid Cloud

    Communications and Collaboration

    Edge Computing

    SASE


  • Lumen is unleashing the world’s digital potential. We ignite business growth by connecting people, data, and applications – quickly, securely, and effortlessly. As the trusted network for AI, Lumen uses the scale of our network to help companies realize AI’s full potential. From metro connectivity to long-haul data transport to our edge cloud, security, managed service, and digital platform capabilities, we meet our customers’ needs today and as they build for tomorrow.

Services not available everywhere. ©2025 Lumen Technologies. All Rights Reserved.
Press enter/return to begin your search