Educause Security Discussion mailing list archives
Re: portmapper DDOS
From: Ben Marsden <bmarsden () SMITH EDU>
Date: Thu, 2 Jun 2016 10:41:58 -0400
We got the same alert message. I implemented a block on port 111/udp inbound immediately, and am trying to see any reason why I shouldn't also block /tcp as well. (It's hard to see any potentially legitimate usage needles in the port 111 log haystack.)

-- Ben

On Thu, Jun 2, 2016 at 9:56 AM, Haselhoff, Brent <brent.haselhoff () wku edu> wrote:
We were hit with the same thing yesterday, and I started blocking 111 at the edge. So far everything is still working fine. I think it's pretty common for 111 to be blocked.

*From:* The EDUCAUSE Security Constituent Group Listserv [mailto: SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of* Emily Harris
*Sent:* Thursday, June 02, 2016 8:30 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] portmapper DDOS

We have received four separate notices about machines on our network launching DDOS attacks via RPC port mapping on UDP port 111. Two of them are under our control and shouldn't be available from the Internet, so we are blocking access via our edge firewall. The other two are regular user machines. I'm thinking of just blocking access to UDP port 111, but I am wondering if anyone else has experienced this and if that blocking strategy affects any other services. From what I read, RPC port mapping should work on TCP if UDP is unavailable. Has anyone done this and experienced any negative consequences?

Thanks!

Part of notification email (IP redacted) below:

NFOservers.com DDoS notifier <ddos-response () nfoservers com> 4:46 PM (16 hours ago)

A public-facing device on your network, running on IP address x.x.x.x, operates a RPC port mapping service responding on UDP port 111 and participated in a large-scale attack against a customer of ours, generating responses to spoofed requests that claimed to be from the attack target. Please consider reconfiguring this server in one or more of these ways:

1. Adding a firewall rule to block all access to this host's UDP port 111 at your network edge (it would continue to be available on TCP port 111 in this case).
2. Adding firewall rules to allow connections to this service (on UDP port 111) from authorized endpoints but block connections from all other hosts.
3. Disabling the port mapping service entirely (if it is not needed).

----
Emily Harris
Information Security Officer, CIS
Vassar College
845-437-7221
-- [}- Ben
============================================
Ben Marsden : Information Security Director, CISSP
ITS, 201 Stoddard Hall, Smith College, Northampton, MA 01063
bmarsden [at] smith [.] edu 413 [.] 585 [.] 4479
---------------------------------------------------------------------
=--> Any request to reveal your Smith password via email is fraudulent!
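Before committing to the edge block that Ben, Brent and the NFOservers notice discuss, a defender usually wants two things from the flow or firewall logs: which internal hosts are answering port 111 from the Internet, and on which protocol, and whether any internal clients actually depend on UDP/111 (the "legitimate usage needles" Ben mentions). The script below is an added example written for this page, not code from the thread or from NFOservers. It parses a constructed set of flow records (the field layout, the 192.0.2.0/24 campus range and the byte counts are all assumptions) and reports, per exposed host, the outside sources hitting port 111 by protocol, the UDP response-to-request byte ratio that makes the service usable as a reflector, and the internal-only UDP clients that would be unaffected by blocking only at the edge (the notifier's option 1).

```python
# Added example (not from the thread): triage flow/firewall log lines for
# portmapper (port 111) exposure before deciding on an edge block.
import ipaddress
from collections import defaultdict

# Constructed sample flow records, one per line:
#   src_ip src_port dst_ip dst_port proto bytes
# 192.0.2.0/24 stands in for the campus network; 203.0.113.x and
# 198.51.100.x are outside addresses (all documentation prefixes).
SAMPLE_FLOWS = """\
203.0.113.5 51234 192.0.2.10 111 udp 68
192.0.2.10 111 203.0.113.5 51234 udp 620
198.51.100.7 40001 192.0.2.10 111 udp 68
192.0.2.10 111 198.51.100.7 40001 udp 620
203.0.113.9 40555 192.0.2.10 111 tcp 72
192.0.2.10 111 203.0.113.9 40555 tcp 400
192.0.2.20 43210 192.0.2.10 111 udp 68
192.0.2.10 111 192.0.2.20 43210 udp 620
"""

INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed campus range


def parse_flows(text):
    """Parse the whitespace-separated records above into dicts."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip blank or malformed lines
        src, sport, dst, dport, proto, nbytes = parts
        flows.append({
            "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport),
            "proto": proto.lower(), "bytes": int(nbytes),
        })
    return flows


def portmapper_exposure(flows, internal=INTERNAL_NET, port=111):
    """Per internal host: outside sources reaching port 111 on each protocol,
    plus the UDP response/request byte ratio, i.e. the amplification the
    notifier describes (small spoofed query in, large reply out)."""
    stats = defaultdict(lambda: {
        "external_sources": defaultdict(set),
        "udp_req_bytes": 0, "udp_resp_bytes": 0,
    })
    for f in flows:
        inbound = f["dport"] == port and f["dst"] in internal and f["src"] not in internal
        outbound = f["sport"] == port and f["src"] in internal and f["dst"] not in internal
        if inbound:
            s = stats[str(f["dst"])]
            s["external_sources"][f["proto"]].add(str(f["src"]))
            if f["proto"] == "udp":
                s["udp_req_bytes"] += f["bytes"]
        elif outbound and f["proto"] == "udp":
            stats[str(f["src"])]["udp_resp_bytes"] += f["bytes"]
    report = {}
    for host, s in stats.items():
        req, resp = s["udp_req_bytes"], s["udp_resp_bytes"]
        report[host] = {
            "external_sources": {p: sorted(v) for p, v in s["external_sources"].items()},
            "udp_amplification": round(resp / req, 2) if req else None,
        }
    return report


def internal_only_udp_clients(flows, internal=INTERNAL_NET, port=111):
    """Internal clients that query UDP/111 on internal servers. They keep
    working under an edge-only block, which is the point of option 1."""
    return sorted({str(f["src"]) for f in flows
                   if f["proto"] == "udp" and f["dport"] == port
                   and f["src"] in internal and f["dst"] in internal})


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for host, r in portmapper_exposure(flows).items():
        print(host, r)
    print("internal UDP clients:", internal_only_udp_clients(flows))
```

On the sample data the one exposed host answers UDP/111 for two outside sources at roughly a 9:1 byte ratio and also accepts TCP/111 from outside, which is the combination that makes the UDP block urgent and the TCP question a separate, lower-risk decision. Running the same logic over a day of real edge flow data gives the list of internal-only clients that an edge rule would not disturb.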
Current thread:
- portmapper DDOS Emily Harris (Jun 02)
- Re: portmapper DDOS Julian Y Koh (Jun 02)
- Re: portmapper DDOS Alan Amesbury (Jun 02)
- Re: portmapper DDOS Haselhoff, Brent (Jun 02)
- Re: portmapper DDOS Ben Marsden (Jun 02)
- Re: portmapper DDOS Julian Y Koh (Jun 02)