Menu
Gaming services, hosting companies hit with new type of DDoS attack

Gaming services, hosting companies hit with new type of DDoS attack

Level 3 is warning it has seen a sudden spike in DDoS attacks using portmap

Gaming and hosting companies have been hit with a new kind of DDoS attack that could snowball without preventive steps, Level 3 Communications warned on Monday.

Attackers have figured out how to abuse portmap services that have been left openly accessible on the Internet, said Dale Drew, chief security officer for Level 3.

"We think it has the potential to be very, very bad," Drew said.

Portmap, also referred to as RPCbind, is an open-source utility for Unix systems but also is in Windows. It maps network port numbers to available services.

For example, portmap might be used if someone wants to mount a Windows drive from a Unix file system. Portmap would tell Unix where the drive is located and the right port number.

The problem is that many organizations have left portmap openly running on the Internet, allowing attackers to contact it, Drew said.

If portmap is queried, it can in some cases respond with a very large amount of data. Drew said the attackers are contacting open portmap servers, asking queries but then directing the responses to victim organizations. The UDP traffic overwhelms their networks, Drew said.

The method is referred to as a DDoS amplification attack. Depending on the query sent to portmap, the utility will send between seven to 27 times the traffic back -- or to a victim.

In December, attackers conducted devastating DDoS amplification attacks using remote code vulnerabilities in the network time protocol (NTP), which synchronizes clocks across computers.

The NTP DDoS attacks were some of the largest ever seen, Drew said. He thinks the portmap situation could rival the NTP problem, which is why Level 3 decided to go public with its findings.

About 1 million machines are running portmap open to the Internet, Level 3 found.

"We were very surprised to see how many Unix machines were running this [portmap] on the public Internet," Drew said.

The fix, Drew said, is easy: the portmap protocol should be filtered to be protected from the public Internet.

In the last few weeks, Level 3 has been watching the attackers refine their methods. The largest attacks occurred between Aug. 10 and 12, according to a blog post from Level 3.

Level 3 has a list of all the open portmap servers and has contacted its own customers that are running portmap. It has also sent the list to some ISPs so they can notify their customers to fix portmap.

Drew said he has an idea where the attackers are based, but Level 3 doesn't release attribution information since it may impact its ability to track them.

"We are watching how the bad guys react to that and if they evolve and change and modify," he said.


Follow Us

Join the newsletter!

Error: Please check your email address.

Tags securityLevel 3 CommunicationsDDoS attackgaming serviceshosting companies

Featured

Slideshows

Looking back at the top 15 M&A deals in NZ during 2017

Looking back at the top 15 M&A deals in NZ during 2017

In 2017, merger and acquisitions fever reached new heights in New Zealand, with a host of big name deals dominating the headlines. Reseller News recaps the most important transactions of the Kiwi channel during the past 12 months.

Looking back at the top 15 M&A deals in NZ during 2017
Kiwi channel closes 2017 with After Hours

Kiwi channel closes 2017 with After Hours

The channel in New Zealand came together to celebrate the close of 2017, as the final After Hours played out in front of a bumper Auckland crowd.

Kiwi channel closes 2017 with After Hours
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP honoured leading partners across the channel at the Partner Awards 2017 in New Zealand, recognising excellence across the entire print and personal systems portfolio.

Meet the top performing HP partners in NZ
Show Comments