Menu
Gaming services, hosting companies hit with new type of DDoS attack

Gaming services, hosting companies hit with new type of DDoS attack

Level 3 is warning it has seen a sudden spike in DDoS attacks using portmap

Gaming and hosting companies have been hit with a new kind of DDoS attack that could snowball without preventive steps, Level 3 Communications warned on Monday.

Attackers have figured out how to abuse portmap services that have been left openly accessible on the Internet, said Dale Drew, chief security officer for Level 3.

"We think it has the potential to be very, very bad," Drew said.

Portmap, also referred to as RPCbind, is an open-source utility for Unix systems but also is in Windows. It maps network port numbers to available services.

For example, portmap might be used if someone wants to mount a Windows drive from a Unix file system. Portmap would tell Unix where the drive is located and the right port number.

The problem is that many organizations have left portmap openly running on the Internet, allowing attackers to contact it, Drew said.

If portmap is queried, it can in some cases respond with a very large amount of data. Drew said the attackers are contacting open portmap servers, asking queries but then directing the responses to victim organizations. The UDP traffic overwhelms their networks, Drew said.

The method is referred to as a DDoS amplification attack. Depending on the query sent to portmap, the utility will send between seven to 27 times the traffic back -- or to a victim.

In December, attackers conducted devastating DDoS amplification attacks using remote code vulnerabilities in the network time protocol (NTP), which synchronizes clocks across computers.

The NTP DDoS attacks were some of the largest ever seen, Drew said. He thinks the portmap situation could rival the NTP problem, which is why Level 3 decided to go public with its findings.

About 1 million machines are running portmap open to the Internet, Level 3 found.

"We were very surprised to see how many Unix machines were running this [portmap] on the public Internet," Drew said.

The fix, Drew said, is easy: the portmap protocol should be filtered to be protected from the public Internet.

In the last few weeks, Level 3 has been watching the attackers refine their methods. The largest attacks occurred between Aug. 10 and 12, according to a blog post from Level 3.

Level 3 has a list of all the open portmap servers and has contacted its own customers that are running portmap. It has also sent the list to some ISPs so they can notify their customers to fix portmap.

Drew said he has an idea where the attackers are based, but Level 3 doesn't release attribution information since it may impact its ability to track them.

"We are watching how the bad guys react to that and if they evolve and change and modify," he said.


Follow Us

Join the newsletter!

Error: Please check your email address.

Tags hosting companiesDDoS attacksecuritygaming servicesLevel 3 Communications

Featured

Slideshows

A snapshot of the Kiwi partners set to shine at the Reseller News Awards

A snapshot of the Kiwi partners set to shine at the Reseller News Awards

With the 2017 Reseller News ICT Industry Awards only weeks away, Reseller News profiles the power line-up of partners set to dominate the biggest night on the channel calendar. ​Ranging from the enterprise, down through the mid-market and small business sectors into the heart of the start-up scene, the end result is the most diverse and wide-ranging partner line-up in the history of the Awards, playing host to the leading innovators of the past 12 months.​

A snapshot of the Kiwi partners set to shine at the Reseller News Awards
Channel celebrates as HP marks 50 years in NZ

Channel celebrates as HP marks 50 years in NZ

HP marked 50 years in New Zealand at an event in the vendor's Auckland's headquarters last night, with a host of key channel figures coming along to celebrate. Photos by HP.

Channel celebrates as HP marks 50 years in NZ
Show Comments