US-based carrier and global backbone operator Level 3 has spotted a new vector being used for DDoS reflection attacks: Portmapper (or Portmap). The Portmap service redirects a client to the correct port number so it can communicate with the requested Remote Procedure Call (RPC) service. Like several UDP-based services before it (DNS, NTP), it is being used by attackers to hide the origin of the attack and to amplify its volume.

According to security researchers, Portmapper can run on either TCP or UDP port 111, with UDP being required for a spoofed request to receive an amplified response. That is because UDP is a connectionless protocol that does not validate source IP addresses, so an attacker can easily forge a request that carries a target's IP address as its source. Recently, certain UDP protocols have been found to produce responses to particular commands that are much larger than the initial request. US-CERT warned about this earlier this year and provided a list of UDP protocols that have been identified as potential vectors for this type of attack. Portmap has now been added to that list.
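The following Python script is an added illustration and is not part of this advisory or of Level 3's or US-CERT's material. It shows how a network operator can spot the pattern described above in flow records: many small UDP requests to port 111 whose source address is the same external host, answered by much larger replies sent to that host. The flow record layout, the sample flows and the two thresholds are assumptions constructed for the example.

```python
"""Spot likely Portmapper (UDP/111) reflection abuse in flow records.

Added illustration, not part of the CERT-MU advisory. The flow record
layout, the sample data and the two thresholds below are assumptions
chosen for this example.
"""
from collections import defaultdict

PORTMAP_PORT = 111

# Assumed thresholds: flag a destination only when the replies it receives
# from port 111 are both large in total and many times larger than the
# requests that appear to originate from it.
MIN_AMPLIFICATION = 5.0
MIN_RESPONSE_BYTES = 10_000


def constructed_flows():
    """Build a small, constructed set of flow records for the example.

    Each record is (proto, src_ip, src_port, dst_ip, dst_port, bytes).
    """
    flows = [
        # Legitimate lookup from an internal host: small request, small reply.
        ("udp", "10.0.0.5", 40000, "10.0.0.20", PORTMAP_PORT, 68),
        ("udp", "10.0.0.20", PORTMAP_PORT, "10.0.0.5", 40000, 212),
        # TCP queries cannot be source-spoofed the same way; ignored below.
        ("tcp", "10.0.0.6", 41000, "10.0.0.20", PORTMAP_PORT, 120),
        ("tcp", "10.0.0.20", PORTMAP_PORT, "10.0.0.6", 41000, 900),
        # Large replies to a host we never saw a request from (the requests
        # may have entered through a path this collector does not see).
        ("udp", "10.0.0.20", PORTMAP_PORT, "198.51.100.9", 40500, 15000),
    ]
    # Reflection pattern: many small requests whose source claims to be the
    # victim, each answered with a much larger reply sent to the victim.
    for i in range(20):
        flows.append(("udp", "203.0.113.7", 10000 + i, "10.0.0.20", PORTMAP_PORT, 68))
        flows.append(("udp", "10.0.0.20", PORTMAP_PORT, "203.0.113.7", 10000 + i, 1100))
    return flows


def amplification_ratio(request_bytes, response_bytes):
    """Response/request byte ratio; infinite when replies have no matching requests."""
    if request_bytes == 0:
        return float("inf") if response_bytes > 0 else 0.0
    return response_bytes / request_bytes


def find_reflection_victims(flows, min_ratio=MIN_AMPLIFICATION, min_bytes=MIN_RESPONSE_BYTES):
    """Return {ip: stats} for hosts that look like reflection targets.

    A request is any UDP flow to port 111; its source address is where the
    reply will be sent, spoofed or not. A response is any UDP flow from
    port 111; its destination receives the amplified traffic.
    """
    request_bytes = defaultdict(int)
    response_bytes = defaultdict(int)
    for proto, src_ip, src_port, dst_ip, dst_port, nbytes in flows:
        if proto != "udp":
            continue
        if dst_port == PORTMAP_PORT:
            request_bytes[src_ip] += nbytes
        elif src_port == PORTMAP_PORT:
            response_bytes[dst_ip] += nbytes

    victims = {}
    for ip, resp in response_bytes.items():
        req = request_bytes.get(ip, 0)
        ratio = amplification_ratio(req, resp)
        if resp >= min_bytes and ratio >= min_ratio:
            victims[ip] = {"request_bytes": req, "response_bytes": resp, "ratio": ratio}
    return victims


if __name__ == "__main__":
    for ip, stats in find_reflection_victims(constructed_flows()).items():
        print(f"{ip}: {stats['response_bytes']} B out for {stats['request_bytes']} B in "
              f"(x{stats['ratio']:.1f})")
```

Only UDP is counted because, as the advisory notes, TCP's handshake prevents a spoofed source from receiving the reply. A host that receives large port-111 replies with no matching requests in the collector's view is still reported (ratio reported as infinite) rather than silently dropped, since partial visibility is common on a backbone.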
The information provided herein is on "as is" basis, without warranty of any kind.
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street