Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N
What is an 'Open Portmapper Server'?
The port mapper (rpc.portmap or rpcbind) is a remote procedure call (RPC) service running on TCP or UDP port 111 that runs on servers to provide information about running services and their corresponding port numbers, such as NFS.
Why would this be bad?
Once an attacker discovers an active port 111 on a device, he can use this information to learn about running services, which is a very important first step for a hacking attack.
Additionally, hackers have also found this feature useful in performing a special type of DDoS attack called an 'Amplification Attack'.
The attacker sends a packet apparently from the intended victim to some server on the Internet that will reply immediately. Because the source IP address is forged, the remote Internet server replies and sends data to the victim.
That has two effects: the actual source of the attack is hidden and is very hard to trace, and, if many Internet servers are used, an attack can consist of an overwhelming number of packets hitting a victim from all over the world.
But what makes reflection attacks really powerful is when they are also amplified: when a small forged packet elicits a large reply from the server (or servers). In that case, an attacker can send a small packet 'from' a forged source IP address and have the server (or servers) send large replies to the victim.
Amplification attacks like that result in an attacker turning a small amount of bandwidth coming from a small number of machines into a massive traffic load hitting a victim from around the Internet.
Recommended action
We recommend you to only allow RPC calls from trusted sources. This can be achieved by dropping all traffic for RPC services on your local firewall and only allowing connections from trusted IP addresses.
Users browsing this forum: No registered users and 134 guests