Re: portmapper DDOS

[Ben Marsden <bmarsden () SMITH EDU>]

We got the same alert message.   I implemented a block on port 111/udp
inbound immediately, and am trying to see any reason why I shouldn't also
block /tcp as well.  (It's hard to see any potentially legitimate usage
needles in the port 111 log haystack.)

-- Ben


On Thu, Jun 2, 2016 at 9:56 AM, Haselhoff, Brent <brent.haselhoff () wku edu>
wrote:

> We were hit with the same thing yesterday, and I started blocking 111 at
> the edge.  So far everything is still working fine.  I think it’s pretty
> common for 111 to be blocked.
>
>
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Emily Harris
> *Sent:* Thursday, June 02, 2016 8:30 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* [SECURITY] portmapper DDOS
>
>
>
> We have received four separate notices about machines on our network
> launching DDOS attacks via RPC port mapping on UDP port 111.  Two of them
> are under our control and shouldn't be available from the Internet, so we
> are blocking access via our edge firewall.  The other two are regular user
> machines.  I'm thinking of just blocking access to UDP port 111, but I am
> wondering if anyone else had experience this and if that blocking strategy
> affecting any other services.  From what I read, RPC port mapping should
> work on TCP if UDP is unavailable.  Has anyone done this and experienced
> any negative consequences?  Thanks!
>
>
>
>
>
> Part of notification email (IP redacted) below:
>
>
> NFOservers.com DDoS notifier <ddos-response () nfoservers com>
>
> 4:46 PM (16 hours ago)
>
>
>
> A public-facing device on your network, running on IP address x.x.x.x,
> operates a RPC port mapping service responding on UDP port 111 and
> participated in a large-scale attack against a customer of ours, generating
> responses to spoofed requests that claimed to be from the attack target.
>
> Please consider reconfiguring this server in one or more of these ways:
>
> 1. Adding a firewall rule to block all access to this host's UDP port 111
> at your network edge (it would continue to be available on TCP port 111 in
> this case).
> 2. Adding firewall rules to allow connections to this service (on UDP port
> 111) from authorized endpoints but block connections from all other hosts.
> 3. Disabling the port mapping service entirely (if it is not needed).
>
>
>
> ----
>
> Emily Harris
>
> Information Security Officer, CIS
>
> Vassar College
>
> 845-437-7221



-- 
[}- Ben
============================================
Ben Marsden : Information Security Director, CISSP
ITS, 201 Stoddard Hall, Smith College, Northampton, MA 01063
bmarsden [at] smith [.] edu     413 [.] 585 [.] 4479
---------------------------------------------------------------------
=--> Any request to reveal your Smith password via email is fraudulent!