Educause Security Discussion mailing list archives

portmapper DDOS


From: Emily Harris <emharris () VASSAR EDU>
Date: Thu, 2 Jun 2016 09:29:55 -0400

We have received four separate notices about machines on our network
launching DDOS attacks via RPC port mapping on UDP port 111.  Two of them
are under our control and shouldn't be available from the Internet, so we
are blocking access via our edge firewall.  The other two are regular user
machines.  I'm thinking of just blocking access to UDP port 111, but I am
wondering if anyone else has experienced this and if that blocking strategy
affected any other services.  From what I read, RPC port mapping should
work on TCP if UDP is unavailable.  Has anyone done this and experienced
any negative consequences?  Thanks!


Part of notification email (IP redacted) below:

NFOservers.com DDoS notifier <ddos-response () nfoservers com>
4:46 PM (16 hours ago)

A public-facing device on your network, running on IP address x.x.x.x,
operates a RPC port mapping service responding on UDP port 111 and
participated in a large-scale attack against a customer of ours, generating
responses to spoofed requests that claimed to be from the attack target.

Please consider reconfiguring this server in one or more of these ways:

1. Adding a firewall rule to block all access to this host's UDP port 111
at your network edge (it would continue to be available on TCP port 111 in
this case).
2. Adding firewall rules to allow connections to this service (on UDP port
111) from authorized endpoints but block connections from all other hosts.
3. Disabling the port mapping service entirely (if it is not needed).

----
Emily Harris
Information Security Officer, CIS
Vassar College
845-437-7221
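
An added example (not part of the original post or the NFOservers notice): before blocking UDP port 111 at the edge, flow records can show which internal hosts answer portmapper requests from outside and which external peers the block would touch. The record layout, the 192.0.2.0/24 campus prefix and every sample row are constructed assumptions.

```python
import csv
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not from the original post):
# src_ip,src_port,dst_ip,dst_port,proto,bytes
SAMPLE_FLOWS = """\
198.51.100.7,40112,192.0.2.10,111,udp,68
192.0.2.10,111,198.51.100.7,40112,udp,1930
198.51.100.7,40113,192.0.2.10,111,udp,68
192.0.2.10,111,198.51.100.7,40113,udp,1930
203.0.113.5,51000,192.0.2.20,111,tcp,120
192.0.2.20,111,203.0.113.5,51000,tcp,400
192.0.2.30,812,192.0.2.10,111,udp,68
192.0.2.10,111,192.0.2.30,812,udp,300
"""

# Assumption: the campus address space; replace with your own prefixes.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

def is_internal(addr, nets=INTERNAL_NETS):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def portmap_udp_exposure(flow_text, nets=INTERNAL_NETS):
    """Return {internal_host: stats} for UDP/111 traffic that crosses the edge."""
    stats = defaultdict(lambda: {"bytes_in": 0, "bytes_out": 0, "peers": set()})
    for row in csv.reader(flow_text.splitlines()):
        if len(row) != 6 or row[4].lower() != "udp":
            continue  # malformed row, or TCP/111 which an edge UDP block leaves alone
        src, sport, dst, dport, _, nbytes = row
        src_in, dst_in = is_internal(src, nets), is_internal(dst, nets)
        if dst_in and not src_in and dport == "111":    # request arriving from outside
            host, peer, field = dst, src, "bytes_in"
        elif src_in and not dst_in and sport == "111":  # reply leaving the network
            host, peer, field = src, dst, "bytes_out"
        else:
            continue  # internal-only or unrelated traffic; an edge rule never sees it
        stats[host][field] += int(nbytes)
        stats[host]["peers"].add(peer)
    for s in stats.values():
        # Reply bytes per request byte: a large ratio is the reflection pattern.
        s["ratio"] = round(s["bytes_out"] / s["bytes_in"], 1) if s["bytes_in"] else None
    return dict(stats)

if __name__ == "__main__":
    for host, s in sorted(portmap_udp_exposure(SAMPLE_FLOWS).items()):
        print(host, s["bytes_in"], s["bytes_out"], s["ratio"], sorted(s["peers"]))
```

Because the requests in such an attack are spoofed, the external peers listed for a reflecting host are the addresses the requests claimed to come from, not necessarily real clients.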
