
A Map to DDoS Devastation: Attackers Exploit Portmap for New DDoS Amplification Attack

Hackers and other online attackers aren’t deserving of many compliments – their business being such an unsavory one. However, there’s no denying that a select number of these internet criminals are creative and almost boundlessly ingenious when it comes to exploiting internet protocols in order to wreak havoc on targeted websites and services.

In 2015 it seems that just as website owners and other IT security specialists get one DDoS threat under control, up pops a brand new one. It’s like a version of the game Whack-a-Mole, only failing to whack enough moles at a carnival won’t cost you tens of thousands of dollars the way failing to protect against a DDoS attack will.

Here’s everything you need to know about a new breed of DDoS attack that’s been using portmap to hit targets with massive amounts of bandwidth – how it works, why this particular DDoS situation has the potential to get very bad, and what you need to do to protect your website.

The key to the portmap

In order to understand how these DDoS attacks work, you must first understand portmap. Portmap is an open-source utility used on Unix systems as well as Windows; technically, it is an Open Network Computing Remote Procedure Call (ONC RPC) service.

ONC RPC is an application layer protocol, which means it is used by applications to provide user services or exchange application data. Remote Procedure Call services make it possible for a program to request a service from a program that is located on another computer on the network. Portmap essentially functions like a directory for RPC services. When a client is looking for a specific service, it queries portmap, which literally maps the client to the correct port.

One of the issues with portmap is that its responses aren’t standardized and vary greatly depending on the types of RPC services that are operating on the host. This comes up in the next section.

The key to portmap-exploiting DDoS amplification attacks

Because portmap responses can vary so greatly in size, attackers have figured out that they can send simple queries to portmap and point the responses of large amounts of data at a target website, server or other online service by spoofing the IP of the originating request, thereby saturating the target’s bandwidth and rendering it unavailable to legitimate users.

These DDoS attacks are classified as amplification attacks because the query-to-response ratios have been found to be between 1:7 and 1:27. Portmap uses both Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), but in order for the requests to receive the amplified response necessary for the attacks, UDP is required. According to the Incapsula DDoS glossary, UDP is vulnerable to this kind of abuse because it is a sessionless and connectionless network protocol.
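For the operator of a host that runs portmap, this traffic pattern is visible in flow data. The following is an added example, not part of the original article: it pairs UDP port 111 requests with their replies and reports untrusted client addresses that receive replies at or above the 1:7 ratio. The flow tuple layout, the trusted network and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

PORTMAP_PORT = 111
MIN_RATIO = 7.0  # low end of the 1:7 to 1:27 range quoted above
TRUSTED_NETS = [ip_network("10.0.0.0/8")]  # assumption: your internal RPC clients

# Constructed flow records: (proto, src_ip, src_port, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    ("udp", "203.0.113.50", 40000, "198.51.100.10", 111, 68),
    ("udp", "198.51.100.10", 111, "203.0.113.50", 40000, 1224),
    ("udp", "203.0.113.50", 40001, "198.51.100.10", 111, 68),
    ("udp", "198.51.100.10", 111, "203.0.113.50", 40001, 1224),
    ("udp", "10.1.2.3", 51000, "198.51.100.10", 111, 68),       # internal client
    ("udp", "198.51.100.10", 111, "10.1.2.3", 51000, 1224),
    ("udp", "203.0.113.77", 42000, "198.51.100.10", 111, 68),   # small reply
    ("udp", "198.51.100.10", 111, "203.0.113.77", 42000, 340),
    ("tcp", "203.0.113.50", 43000, "198.51.100.10", 111, 500),  # TCP is ignored
]

def is_trusted(addr):
    return any(ip_address(addr) in net for net in TRUSTED_NETS)

def find_reflection(flows, min_ratio=MIN_RATIO):
    """Return (server, claimed_client, ratio) for amplified UDP portmap replies."""
    requested = defaultdict(int)  # bytes sent to UDP/111, keyed (server, client)
    replied = defaultdict(int)    # bytes sent from UDP/111, keyed (server, client)
    for proto, src, sport, dst, dport, nbytes in flows:
        if proto != "udp":
            continue
        if dport == PORTMAP_PORT:
            requested[(dst, src)] += nbytes
        elif sport == PORTMAP_PORT:
            replied[(src, dst)] += nbytes
    findings = []
    for (server, client), sent in sorted(replied.items()):
        asked = requested.get((server, client), 0)
        if asked == 0 or is_trusted(client):
            continue  # unsolicited reply or a known internal client
        ratio = sent / asked
        if ratio >= min_ratio:
            findings.append((server, client, round(ratio, 1)))
    return findings

if __name__ == "__main__":
    for finding in find_reflection(SAMPLE_FLOWS):
        print(finding)
```

Because UDP source addresses can be spoofed, a reported client is either the intended victim or an internet scanner; in both cases the server is answering portmap queries from outside the trusted range.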

Thus far it has largely been gaming websites and website hosting services that have been targeted by these attacks.

According to the internet security company that noticed this new trend in DDoS attacks, they are reminiscent of devastating amplification attacks that exploited vulnerabilities in Network Time Protocol back in December. These NTP attacks were some of the largest ever seen, and because upwards of one million portmap services are currently open to the internet, the attackers using portmap have upwards of one million opportunities.

How to protect others from portmap DDoS attacks

A big part of the solution, in this case, is not being part of the problem. The organization that discovered these attacks recommends disabling portmap along with all other RPC services from the open internet. In the event that your organization requires these services remain live, you should protect them with firewalls that dictate which IP addresses can reach these services. You could also consider making these services TCP-only.
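A quick way to check a host against these recommendations is to look at where port 111 is bound. The following is an added example, not part of the original article: it parses the output of `ss -H -tuln` and classifies each port 111 listener as loopback-only, UDP reachable off-host, or TCP reachable off-host. The sample output is constructed, and the check covers socket bindings only, not firewall rules.

```python
from ipaddress import ip_address

RPC_PORT = 111

# Constructed sample of `ss -H -tuln` output (no header line, numeric ports)
SAMPLE_SS = """\
udp   UNCONN 0      0            0.0.0.0:111        0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:323        0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:111        0.0.0.0:*
udp   UNCONN 0      0               [::]:111           [::]:*
tcp   LISTEN 0      128        127.0.0.1:111        0.0.0.0:*
"""

def split_local(field):
    """Split 'addr:port' into (addr, port), dropping [] and any %iface scope."""
    host, _, port = field.rpartition(":")
    return host.strip("[]").split("%")[0], port

def audit_portmap(ss_output):
    """Return (proto, address, verdict) for every listener on port 111."""
    results = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5:
            continue  # blank or malformed line
        proto, (host, port) = cols[0], split_local(cols[4])
        if not port.isdigit() or int(port) != RPC_PORT:
            continue
        wildcard = host in ("*", "0.0.0.0", "::")
        if not wildcard and ip_address(host).is_loopback:
            verdict = "ok: loopback only"
        elif proto == "udp":
            # The amplification described in the article needs UDP.
            verdict = "fix: UDP reachable off-host"
        else:
            verdict = "review: TCP reachable off-host"
        results.append((proto, host, verdict))
    return results

if __name__ == "__main__":
    for row in audit_portmap(SAMPLE_SS):
        print(*row, sep="\t")
```

A "fix" verdict means the listener should be disabled, firewalled to known client addresses, or moved to TCP-only, as recommended above.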

How to protect yourself

Preventing attacks on others is all well and good, and of course that’s something you want to do. But what’s probably more important to you is protecting your website, servers and other online networks from DDoS attacks.

After all, an unmitigated DDoS attack can cost an organization $40,000 per hour, and with DDoS attacks increasingly lasting for days and weeks, even months in some cases, that quickly becomes an almost unfathomable bill. DDoS attacks can also damage software and hardware as well as consumer trust, and can result in the theft of customer information, financial information and intellectual property.

In terms of the portmap DDoS attacks specifically, this is a threat that is unlikely to disappear anytime soon. There are an estimated one million vulnerable systems out there just waiting to be exploited, with owners that haven’t taken the necessary precautions or put the necessary firewalls in place yet and can’t necessarily be counted on to complete that task.

In the year 2015, professional DDoS mitigation is a necessity. As much as you may want to look down on hackers and other ne’er-do-wells, the truth is they are clever, and so are their attacks. DDoS attacks get increasingly sophisticated and increasingly devastating with every month that passes; don’t try to whack all those moles yourself. Let the experts handle it.