News about security breaches affecting major companies is now becoming commonplace. Just two days ago, hackers posted sensitive information about users of Ashley Madison. Now Toronto-based telecom vendor Level 3 Communications has revealed a new form of DDoS reflection attack, dubbed Portmap.
According to the company, hosting and gaming companies are the ones which have been hit the most in the past few weeks. If this vulnerability is not checked or at least slowed down, it could affect several other verticals. Portmap is a mechanism which allows Remote Procedure Call (RPC) services to register in order to make calls to the Internet. It is like a phone directory service for RPC. When a client needs a particular service, the directory is searched through in order to find the right combination. It works on both Unix and Windows systems.
Here’s an example of how it works. Suppose you wish to mount a Windows drive on a Unix system. Portmap will kick in and tell Unix where the drive is actually placed and provide it with the required port number.
Hackers are able to exploit Portmap because many organizations have left it running openly on the web. Hence, the hackers can use it to query a large amount of information and overwhelm the systems. Besides that, the hackers query and redirect the received data back to the organization’s enterprise systems which paralyzes the networks.
The method is amplified by querying large amounts of data and the Portmap system sending back seven to 27 times the traffic back to the organization. The company indicated that other reflection based DDoS attacks have remained fairly steady in numbers while Portmap has increased exponentially in the past few weeks.
Level 3 findings suggest that there are over a million machines that run Portmap openly on the Internet. The simple solution to the problem would be to filter them away from the Internet. Besides Portmap there are several other RPC related services which connect to the internet. These too could be used for a DDoS attack. Removing their access to the Internet should be considered a best practice, concludes the blog post.
