Gaming services, hosting companies hit with new type of DDoS attack
Gaming and hosting companies have been hit with a new kind of DDoS attack that could snowball without preventive steps, Level 3 Communications warned on Monday.
Attackers have figured out how to abuse portmap services that have been left openly accessible on the Internet, said Dale Drew, chief security officer for Level 3.
“We think it has the potential to be very, very bad,” Drew said.
Portmap, also referred to as RPCbind, is an open-source utility for Unix systems but also is in Windows. It maps network port numbers to available services.
For example, portmap might be used if someone wants to mount a Windows drive from a Unix file system. Portmap would tell Unix where the drive is located and the right port number.
The problem is that many organizations have left portmap openly running on the Internet, allowing attackers to contact it, Drew said.
If portmap is queried, it can in some cases respond with a very large amount of data. Drew said the attackers are contacting open portmap servers, asking queries but then directing the responses to victim organizations. The UDP traffic overwhelms their networks, Drew said.
The method is referred to as a DDoS amplification attack. Depending on the query sent to portmap, the utility will send between seven to 27 times the traffic back — or to a victim.
In December, attackers conducted devastating DDoS amplification attacks using remote code vulnerabilities in the network time protocol (NTP), which synchronizes clocks across computers.
The NTP DDoS attacks were some of the largest ever seen, Drew said. He thinks the portmap situation could rival the NTP problem, which is why Level 3 decided to go public with its findings.
About 1 million machines are running portmap open to the Internet, Level 3 found.
“We were very surprised to see how many Unix machines were running this [portmap] on the public Internet,” Drew said.
The fix, Drew said, is easy: the portmap protocol should be filtered to be protected from the public Internet.
In the last few weeks, Level 3 has been watching the attackers refine their methods. The largest attacks occurred between Aug. 10 and 12, according to a blog post from Level 3.
Level 3 has a list of all the open portmap servers and has contacted its own customers that are running portmap. It has also sent the list to some ISPs so they can notify their customers to fix portmap.
Drew said he has an idea where the attackers are based, but Level 3 doesn’t release attribution information since it may impact its ability to track them.
“We are watching how the bad guys react to that and if they evolve and change and modify,” he said.