Educause Security Discussion mailing list archives

Re: portmapper DDOS


From: "Haselhoff, Brent" <brent.haselhoff () WKU EDU>
Date: Thu, 2 Jun 2016 13:56:34 +0000

We were hit with the same thing yesterday, and I started blocking 111 at the edge.  So far everything is still working 
fine.  I think it’s pretty common for 111 to be blocked.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Emily 
Harris
Sent: Thursday, June 02, 2016 8:30 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] portmapper DDOS

We have received four separate notices about machines on our network launching DDOS attacks via RPC port mapping on UDP 
port 111.  Two of them are under our control and shouldn't be available from the Internet, so we are blocking access 
via our edge firewall.  The other two are regular user machines.  I'm thinking of just blocking access to UDP port 111, 
but I am wondering if anyone else has experienced this and if that blocking strategy affects any other services.  From 
what I read, RPC port mapping should work on TCP if UDP is unavailable.  Has anyone done this and experienced any 
negative consequences?  Thanks!


Part of notification email (IP redacted) below:

NFOservers.com DDoS notifier <ddos-response () nfoservers com>
A public-facing device on your network, running on IP address x.x.x.x, operates an RPC port mapping service responding 
on UDP port 111 and participated in a large-scale attack against a customer of ours, generating responses to spoofed 
requests that claimed to be from the attack target.

Please consider reconfiguring this server in one or more of these ways:

1. Adding a firewall rule to block all access to this host's UDP port 111 at your network edge (it would continue to be 
available on TCP port 111 in this case).
2. Adding firewall rules to allow connections to this service (on UDP port 111) from authorized endpoints but block 
connections from all other hosts.
3. Disabling the port mapping service entirely (if it is not needed).

----
Emily Harris
Information Security Officer, CIS
Vassar College
845-437-7221
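The notifier's three options and Emily's question both come down to two things a network team wants to do quickly: confirm from its own flow data which internal hosts are actually acting as UDP/111 reflectors, and then express option 1 (drop all external UDP/111 to the host) or option 2 (accept only from authorized endpoints) as edge rules that leave TCP/111 alone. The script below is an added example written for this archive page, not code from the thread or from NFOservers; it assumes NetFlow/IPFIX-style records flattened to one whitespace-separated line each, uses the RFC 5737 documentation ranges as constructed stand-ins for campus and Internet addresses, and emits nftables forward-chain rules (the rule syntax is standard nft; the table and chain they belong in are up to you).

```python
"""Spot campus hosts that behave as UDP/111 (portmapper) reflectors.

Added example (not from the EDUCAUSE thread): reads NetFlow/IPFIX-style
records and flags internal hosts whose UDP source-port-111 traffic to the
outside is many times larger than the UDP/111 requests they receive, which
is the signature of the spoofed-request amplification the notifier describes.
It also builds the nftables rules for the notifier's options 1 and 2.
"""
import ipaddress
from collections import defaultdict

# Assumption: the RFC 5737 documentation range stands in for the campus address space.
INTERNAL = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample flows: src sport dst dport proto packets bytes
SAMPLE_FLOWS = """\
# 203.0.113.5 is the spoofed attack target; 192.0.2.10 answers its "requests" ~30x over
203.0.113.5  4321  192.0.2.10   111   udp 1 68
192.0.2.10   111   203.0.113.5  4321  udp 1 2100
203.0.113.5  4322  192.0.2.10   111   udp 1 68
192.0.2.10   111   203.0.113.5  4322  udp 1 2100
203.0.113.5  4323  192.0.2.10   111   udp 1 68
192.0.2.10   111   203.0.113.5  4323  udp 1 2100
# 192.0.2.30 answers a single small query: ordinary traffic, not amplification
198.51.100.7 5555  192.0.2.30   111   udp 1 68
192.0.2.30   111   198.51.100.7 5555  udp 1 96
# internal NFS client talking to an internal portmapper over TCP: ignored
192.0.2.20   33333 192.0.2.40   111   tcp 5 400
192.0.2.40   111   192.0.2.20   33333 tcp 5 480
"""


def parse_flow(line):
    """Turn one whitespace-separated record into a dict with typed fields."""
    src, sport, dst, dport, proto, pkts, nbytes = line.split()
    return {
        "src": ipaddress.ip_address(src), "sport": int(sport),
        "dst": ipaddress.ip_address(dst), "dport": int(dport),
        "proto": proto.lower(), "packets": int(pkts), "bytes": int(nbytes),
    }


def summarize_udp111(text):
    """Per internal host: bytes of UDP/111 requests received from outside,
    bytes of UDP sport-111 replies sent outside, and the external peers replied to."""
    stats = defaultdict(lambda: {"in_bytes": 0, "out_bytes": 0, "peers": set()})
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_flow(line)
        if f["proto"] != "udp":
            continue
        if f["dport"] == 111 and f["dst"] in INTERNAL and f["src"] not in INTERNAL:
            stats[str(f["dst"])]["in_bytes"] += f["bytes"]
        elif f["sport"] == 111 and f["src"] in INTERNAL and f["dst"] not in INTERNAL:
            s = stats[str(f["src"])]
            s["out_bytes"] += f["bytes"]
            s["peers"].add(str(f["dst"]))
    return stats


def find_reflectors(text, min_ratio=5.0, min_out_bytes=1000):
    """Return [(host, amplification_ratio, peers)] for hosts that look like reflectors.

    A host with replies but no observed requests (asymmetric capture, or
    requests arriving on a path we do not see) gets ratio float('inf') so it
    is still reported rather than hidden by a division by zero.
    """
    hits = []
    for host, s in summarize_udp111(text).items():
        if s["out_bytes"] < min_out_bytes:
            continue
        ratio = s["out_bytes"] / s["in_bytes"] if s["in_bytes"] else float("inf")
        if ratio >= min_ratio:
            hits.append((host, ratio, sorted(s["peers"])))
    return sorted(hits, key=lambda h: h[1], reverse=True)


def nft_rules(host, allowed_sources=()):
    """nftables forward-chain rules for the notifier's options: option 2 when
    allowed_sources is given (accept those, drop the rest), otherwise option 1
    (drop all external UDP/111 to the host). TCP/111 is left untouched."""
    rules = []
    if allowed_sources:
        rules.append(f"ip daddr {host} udp dport 111 ip saddr {{ {', '.join(allowed_sources)} }} accept")
    rules.append(f"ip daddr {host} udp dport 111 drop")
    return rules


if __name__ == "__main__":
    for host, ratio, peers in find_reflectors(SAMPLE_FLOWS):
        print(f"{host}: {ratio:.1f}x amplification toward {', '.join(peers)}")
        for rule in nft_rules(host):
            print("   ", rule)
```

On the constructed data only 192.0.2.10 is reported (about 31x amplification toward the spoofed target), while 192.0.2.30 stays below the byte threshold and the internal TCP NFS traffic is never counted. The byte threshold matters in practice: a host that legitimately answers a handful of external `rpcinfo` queries has a ratio near 1 and tiny volume, and the point of the ratio plus volume pair is to separate that from a reflector without having to inspect payloads.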
