Educause Security Discussion mailing list archives
Re: portmapper DDOS
From: "Haselhoff, Brent" <brent.haselhoff () WKU EDU>
Date: Thu, 2 Jun 2016 13:56:34 +0000
We were hit with the same thing yesterday, and I started blocking 111 at the edge. So far everything is still working fine. I think it’s pretty common for 111 to be blocked.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Emily Harris
Sent: Thursday, June 02, 2016 8:30 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] portmapper DDOS

We have received four separate notices about machines on our network launching DDOS attacks via RPC port mapping on UDP port 111. Two of them are under our control and shouldn't be available from the Internet, so we are blocking access via our edge firewall. The other two are regular user machines. I'm thinking of just blocking access to UDP port 111, but I am wondering if anyone else has experienced this and if that blocking strategy affects any other services. From what I read, RPC port mapping should work on TCP if UDP is unavailable. Has anyone done this and experienced any negative consequences?

Thanks!

Part of notification email (IP redacted) below:

NFOservers.com DDoS notifier <ddos-response () nfoservers com>
4:46 PM

A public-facing device on your network, running on IP address x.x.x.x, operates an RPC port mapping service responding on UDP port 111 and participated in a large-scale attack against a customer of ours, generating responses to spoofed requests that claimed to be from the attack target. Please consider reconfiguring this server in one or more of these ways:

1. Adding a firewall rule to block all access to this host's UDP port 111 at your network edge (it would continue to be available on TCP port 111 in this case).
2. Adding firewall rules to allow connections to this service (on UDP port 111) from authorized endpoints but block connections from all other hosts.
3. Disabling the port mapping service entirely (if it is not needed).

----
Emily Harris
Information Security Officer, CIS
Vassar College
845-437-7221
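To make the notification's point concrete, here is an added audit script (not code from this thread, from EDUCAUSE or from NFOservers) that sends the portmapper v2 DUMP call, the same request `rpcinfo -p` makes, to a host of your own first over UDP and then over TCP, and reports the registered programs and the reply-to-request byte ratio. The UDP run shows what a spoofed request arriving from the Internet gets back, which is the amplification the notice describes; the TCP run is the check that the service still answers after UDP 111 is blocked at the edge. The target host, the script name, and the registrations used in its offline test are assumptions, not data from the notices; probe only hosts you are responsible for.

```python
"""Audit a host's portmapper (rpcbind) over UDP and TCP and report the amplification it offers.
Added example, not code from the list thread or from NFOservers. It sends the standard portmapper
v2 DUMP call (program 100000, version 2, procedure 4; what `rpcinfo -p` does), parses the PMAPLIST
reply, and reports reply bytes per request byte. Probe only hosts you are responsible for."""
import socket
import struct
import sys

PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP = 100000, 2, 4
PORTMAP_PORT = 111
IPPROTO_NAMES = {6: "tcp", 17: "udp"}


def build_dump_request(xid):
    """RPC v2 CALL for PMAPPROC_DUMP: 40 bytes on the wire.
    Fields: xid, msg_type CALL(0), rpcvers 2, prog, vers, proc, cred AUTH_NULL (flavor 0, len 0),
    verf AUTH_NULL (flavor 0, len 0)."""
    return struct.pack("!10I", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP, 0, 0, 0, 0)


def build_dump_reply(xid, entries):
    """Encode an accepted, successful DUMP reply (used here only for offline testing)."""
    body = struct.pack("!6I", xid, 1, 0, 0, 0, 0)  # REPLY, MSG_ACCEPTED, AUTH_NULL verf, SUCCESS
    for prog, vers, proto, port in entries:
        body += struct.pack("!5I", 1, prog, vers, proto, port)   # value_follows = 1
    return body + struct.pack("!I", 0)                           # value_follows = 0: end of list


def parse_dump_reply(data, xid):
    """Decode a DUMP reply into [(prog, vers, ipproto, port), ...]; raise on anything else."""
    if len(data) < 24:
        raise ValueError("reply too short")
    rxid, msg_type, reply_stat, _verf_flavor, verf_len = struct.unpack("!5I", data[:20])
    if rxid != xid or msg_type != 1 or reply_stat != 0:
        raise ValueError("not an accepted reply to our call")
    off = 20 + ((verf_len + 3) & ~3)                 # skip verifier body, XDR-padded to 4 bytes
    (accept_stat,) = struct.unpack("!I", data[off:off + 4])
    off += 4
    if accept_stat != 0:
        raise ValueError("call not successful, accept_stat=%d" % accept_stat)
    entries = []
    while True:
        (more,) = struct.unpack("!I", data[off:off + 4])
        off += 4
        if not more:
            return entries
        entries.append(struct.unpack("!4I", data[off:off + 16]))
        off += 16


def amplification_factor(bytes_sent, bytes_received):
    """Bandwidth amplification: bytes delivered to the victim per byte the attacker spoofs."""
    return bytes_received / bytes_sent


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-record")
        buf += chunk
    return buf


def probe(host, proto, timeout=3.0):
    """Send DUMP over 'udp' or 'tcp'; return (entries, bytes_sent, bytes_received).
    A filtered or disabled service shows up as socket.timeout / ConnectionRefusedError."""
    xid = 0x5EC0DE01
    req = build_dump_request(xid)
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(req, (host, PORTMAP_PORT))
            data, _ = s.recvfrom(65535)
        return parse_dump_reply(data, xid), len(req), len(data)
    # TCP: each RPC message carries a 4-byte record mark (high bit = last fragment, rest = length)
    framed = struct.pack("!I", 0x80000000 | len(req)) + req
    data, received = b"", 0
    with socket.create_connection((host, PORTMAP_PORT), timeout=timeout) as s:
        s.sendall(framed)
        while True:
            (mark,) = struct.unpack("!I", _recv_exact(s, 4))
            frag = _recv_exact(s, mark & 0x7FFFFFFF)
            data += frag
            received += 4 + len(frag)
            if mark & 0x80000000:
                break
    return parse_dump_reply(data, xid), len(framed), received


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # assumed: host to audit
    for proto in ("udp", "tcp"):
        try:
            entries, sent, got = probe(target, proto)
            print("%s: %d registrations, %d B sent, %d B back, %.1fx amplification"
                  % (proto, len(entries), sent, got, amplification_factor(sent, got)))
            for prog, vers, ipproto, port in entries:
                print("   prog %d v%d %s/%s" % (prog, vers, IPPROTO_NAMES.get(ipproto, ipproto), port))
        except (OSError, ValueError) as exc:
            print("%s: no portmapper answer (%s)" % (proto, exc))
```

Run it as `python3 pmap_audit.py <host>` (file name assumed) from outside the edge: after the UDP block from option 1 the UDP probe should time out while the TCP probe still lists the same registrations, which is the "should work on TCP" claim checked rather than assumed. Run it from inside against the user machines to see which ones are registering services at all; those are candidates for option 3.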
Current thread:
- portmapper DDOS Emily Harris (Jun 02)
- Re: portmapper DDOS Julian Y Koh (Jun 02)
- Re: portmapper DDOS Alan Amesbury (Jun 02)
- Re: portmapper DDOS Haselhoff, Brent (Jun 02)
- Re: portmapper DDOS Ben Marsden (Jun 02)
- Re: portmapper DDOS Julian Y Koh (Jun 02)