This vector lets an attacker use the victim as an unwitting participant (a reflector) in a Distributed Denial of Service (DDoS) attack against other victims across the internet. It depends on the victim exposing services to the internet that should never be internet facing, in this case the RPC Portmapper (rpcbind, port 111) answering queries over UDP.
- The attacker scans the internet (or the local network) for hosts that answer Portmapper queries over UDP and builds a list of these patsies to use as reflectors.
- The attacker sends a large number of UDP RPC Portmapper requests to the patsy servers, forging the IP source address of each request so that it appears to come from the target, on a destination port of the attacker's choosing.
- The patsies send their responses to the forged source address, that is, to the target, which is overwhelmed with UDP traffic it never requested.
No prior authentication is needed to carry out the attack.
This attack leverages intended functionality of the Portmapper service when it is configured to answer queries over UDP. It works because UDP is connectionless: nothing on the path verifies the IP source address of a request, so repeated requests sent to the vulnerable hosts with a forged source address belonging to the target cause those hosts to reply to the target instead of to the attacker. Each reply carries the requested information and is 7-55 times the size of the forged request that triggered it. This is a standard volumetric DDoS intended to overwhelm the network bandwidth or CPU of the target.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) used by Alert Logic Threat Manager™ has been updated with new signatures for this exploit. If a signature fires, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
Upon discovery of a successful attack against a target, customers are advised to take the normal steps to limit further disruption of their services, such as:
- Apply stateful UDP inspection (for example a reflexive ACL) on your border firewall or border router to reduce the impact on critical services.
- Using Border Gateway Protocol (BGP), create a Remotely Triggered Blackhole, preferably in coordination with your upstream provider or ISP.
- Maintain a list of primary upstream provider emergency contacts to coordinate response to the attack. If you are an upstream provider, conduct mitigation in coordination with your downstream customers.
Upon discovery that a customer-owned host is being used as a patsy to DDoS a target, customers are expected to take reasonable action to prevent further abuse of their services. Our primary recommendation is to stop exposing Portmapper, along with NFS, NIS and all other RPC services, to the open internet. Where these services must remain reachable, restrict at the firewall which IP addresses can reach them and, in addition, switch them to TCP only: a forged source address cannot complete the TCP handshake, so no amplified reply is ever sent. Both measures keep the host from becoming an unwitting participant in future DDoS attacks.
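Both roles described above can be spotted in flow records before the IDS signature or the upstream provider raises them. The following is an added example, not Alert Logic's signature logic: it runs over constructed NetFlow/IPFIX-style records (5-tuple plus packet and byte counts) and flags a local host that is answering UDP/111 with far more bytes than one outside address sent it (the patsy case) and a local host receiving UDP traffic sourced from port 111 on many distinct outside hosts (the target case). The 203.0.113.0/24 "local" prefix, the sample records and the thresholds are assumptions to be tuned to your own traffic.

```python
"""Flow-record detection of Portmapper reflection in both roles: a local
host abused as a reflector, and a local host being the spoofed target.
Added example over constructed records; nothing here captures live traffic."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PORTMAP_PORT = 111
UDP, TCP = 17, 6
LOCAL_NETS = [ip_network("203.0.113.0/24")]   # assumed customer prefix (TEST-NET-3)


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    packets: int
    nbytes: int


def is_local(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in LOCAL_NETS)


def detect_reflector(flows, min_packets=50, min_ratio=5.0):
    """Patsy case: a local host sends many UDP replies from port 111 to one
    outside address, carrying several times the bytes that address sent in.
    A single rpcinfo -p has the same ratio but only one packet, so the packet
    threshold separates administration from abuse. Returns
    {(reflector, target): byte ratio}."""
    req_bytes = defaultdict(int)                 # (local, remote) -> request bytes in
    replies = defaultdict(lambda: [0, 0])        # (local, remote) -> [packets, bytes] out
    for f in flows:
        if f.proto != UDP:
            continue
        if f.dport == PORTMAP_PORT and is_local(f.dst) and not is_local(f.src):
            req_bytes[(f.dst, f.src)] += f.nbytes
        elif f.sport == PORTMAP_PORT and is_local(f.src) and not is_local(f.dst):
            entry = replies[(f.src, f.dst)]
            entry[0] += f.packets
            entry[1] += f.nbytes
    hits = {}
    for key, (pkts, out_bytes) in replies.items():
        ratio = out_bytes / max(req_bytes.get(key, 0), 1)
        if pkts >= min_packets and ratio >= min_ratio:
            hits[key] = round(ratio, 1)
    return hits


def detect_target(flows, min_sources=10, min_bytes=1_000_000):
    """Target case: a local host receives UDP traffic sourced from port 111 on
    many distinct outside hosts, the signature of reflected replies arriving
    from patsies elsewhere. Returns {target: (distinct sources, bytes)}."""
    sources = defaultdict(set)
    volume = defaultdict(int)
    for f in flows:
        if (f.proto == UDP and f.sport == PORTMAP_PORT
                and is_local(f.dst) and not is_local(f.src)):
            sources[f.dst].add(f.src)
            volume[f.dst] += f.nbytes
    return {t: (len(s), volume[t]) for t, s in sources.items()
            if len(s) >= min_sources and volume[t] >= min_bytes}


# Constructed sample records (aggregated flows, as an exporter would emit them).
SAMPLE_FLOWS = [
    # Local rpcbind abused: 5000 spoofed 40-byte requests "from" 198.51.100.5,
    # answered with 5000 replies of 508 bytes each, all sent to that address.
    Flow("198.51.100.5", 53211, "203.0.113.10", 111, UDP, 5000, 200_000),
    Flow("203.0.113.10", 111, "198.51.100.5", 53211, UDP, 5000, 2_540_000),
    # Benign: one rpcinfo -p from an outside admin host, same ratio, one packet.
    Flow("192.0.2.77", 41002, "203.0.113.20", 111, UDP, 1, 40),
    Flow("203.0.113.20", 111, "192.0.2.77", 41002, UDP, 1, 508),
    # Unrelated TCP traffic that must not match.
    Flow("192.0.2.77", 41003, "203.0.113.20", 22, TCP, 200, 30_000),
] + [
    # Local host 203.0.113.50 flooded by 30 reflectors located elsewhere.
    Flow(f"192.0.2.{i}", 111, "203.0.113.50", 53211, UDP, 2000, 1_016_000)
    for i in range(100, 130)
]

if __name__ == "__main__":
    for (patsy, target), ratio in detect_reflector(SAMPLE_FLOWS).items():
        print(f"reflector {patsy} amplifying x{ratio} toward {target}")
    for target, (n_src, total) in detect_target(SAMPLE_FLOWS).items():
        print(f"target {target}: {total} bytes from {n_src} UDP/111 sources")
```

On the reflector side the ratio alone is not evidence, since a legitimate rpcinfo -p produces the same 12.7; the packet count to a single outside address is what distinguishes abuse. On the target side the telltale is the fan-in of distinct port-111 sources, which also gives you the list of patsy operators to notify.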