DDoS reflection attack vulnerability in exposed portmapper service

Abstract:

The Portmapper, also known as Remote Procedure Call Bind (RPCBind), is a mechanism where Internet address ports can be assigned as a program running on a remote computer to act as if it is running on the local computer. Openly accessible Portmapper services can be abused for DDoS reflection attacks against third parties, in addition to disclosing large amounts of information about the system.

Technical Description:

The Portmapper is an RPC service, which always listens on tcp and udp 111, and is used to map other RPC services (such as nfs, nlockmgr, quotad, mountd, etc.) to their corresponding port number on the server. When a remote host makes an RPC call to that server, it first consults with portmap to determine where the RPC server is listening. An attacker may use it to enumerate RPC services and can allow remote 3rd party attackers to gain unauthorised access and perform Distributed Denial of Service (DDoS) attacks against target machines. A remote attacker can leverage this flaw by sending a specially crafted request to an affected Portmapper server.

Vulnerability Assessment:

To verify the vulnerability, it is advised to execute any one command mentioned below from external network:

Command:

• nmap -sU -sV <IP address> -p 111
• Otherwise, to check if a Portmapper service is openly accessible from the Internet, the tool 'rpcinfo' can be used: rpcinfo -T udp -p <IP address>

An openly accessible Portmapper service will return a response including information such as program, version, protocol details etc.

Otherwise, rpcinfo will run into a timeout.

Countermeasures and Best practices for prevention:

• It is advised to disable the Portmapper service (portmap, rpcbind) across the open Internet as a primary option.

On Debian/Ubuntu based Linux systems, the portmapper service can be removed using the command : # apt-get remove rpcbind

After prompt, press 'y' to confirm

• In case, the service is in use, it is advised to restrict the access to trusted clients, for example by blocking incoming connections to port 111/tcp and 111/udp on firewall, and subsequently, switching to TCP-only are mitigations to avoid becoming an unknowing participant in DDoS attacks in the future.

Solution:

Best practices for securing portmapper services are available at:

• https://www.debian.org/doc/manuals/securing-debian-manual/rpc.en

References:

• https://www.skywaywest.com/2021/01/what-is-an-open-portmapper-vulnerability/
• https://us-cert.cisa.gov/ncas/alerts/TA14-017A
• https://blog.lumen.com/a-new-ddos-reflection-attack-portmapper-an-early-warning-to-the-industry/
• https://www.virginmedia.com/help/open-portmapper-vulnerability