Security watchers have warned about a new class of DDoS amplification attack, a threat that exists only because too many users are failing to follow basic safeguards.
Improperly configured services such as DNS or Network Time Protocol (NTP) have been exploited to launch a string of DDoS attacks over the last couple of years, the most high-profile of which battered Spamhaus and buffeted internet exchanges back in March 2013. Over recent weeks, another service – Portmap – has become a vector of DDoS attacks, US-based carrier Level 3 warned.
The attacks using the technique that Level 3 monitored last week focused on the gaming, hosting and internet infrastructure verticals.
Unlike DNS and NTP, Portmap has no business being exposed on internet-facing systems. Disabling or blocking internet-facing Portmap services using firewalls is trivial, but too many net admins have overlooked this well-understood practice, creating a resource which hackers can abuse.
Tod Beardsley, security engineering manager at Rapid7, the firm behind Metasploit, commented: “Portmap (port 111/UDP) used to be a common service on many UNIX-like distributions, including Linux and Solaris. To hear that it’s part of a ‘new DDoS’ attack is very disorienting, as Portmap attacks are by no means new.”
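A check for the misconfiguration described above, as an added example that is not part of the original article: it parses `ss -H -lntu` output and reports Portmap (port 111) sockets bound to anything other than loopback. The sample output is constructed and the function names are illustrative.

```python
import ipaddress
import subprocess

PORTMAP_PORT = 111  # Portmap port named in the article (111/UDP)

# Constructed sample of `ss -H -lntu` output:
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT = """\
udp   UNCONN 0 0      0.0.0.0:111          0.0.0.0:*
udp   UNCONN 0 0      127.0.0.1:323        0.0.0.0:*
udp   UNCONN 0 0      [::1]:111            [::]:*
tcp   LISTEN 0 4096   127.0.0.1:111        0.0.0.0:*
tcp   LISTEN 0 128    0.0.0.0:22           0.0.0.0:*
udp   UNCONN 0 0      192.0.2.10%eth0:111  0.0.0.0:*
udp   UNCONN 0 0      *:111                *:*
"""

def split_local(local):
    """Split ss local-address forms: a.b.c.d:p, [v6]:p, addr%iface:p, *:p."""
    addr, _, port = local.rpartition(":")
    return addr.strip("[]").split("%", 1)[0], port

def is_loopback(addr):
    if addr == "*":  # wildcard bind: every interface
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unparsable address: report it rather than hide it

def exposed_portmap(ss_output, port=PORTMAP_PORT):
    """Return (protocol, address) for each listener on `port` not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("udp", "tcp"):
            continue
        addr, local_port = split_local(fields[4])
        if local_port == str(port) and not is_loopback(addr):
            findings.append((fields[0], addr))
    return findings

if __name__ == "__main__":
    # On a Linux host with iproute2, audit the live socket table.
    live = subprocess.run(["ss", "-H", "-lntu"], capture_output=True, text=True).stdout
    for proto, addr in exposed_portmap(live):
        print(f"Portmap listening on {addr} ({proto}/{PORTMAP_PORT}): disable it or firewall it")
```

A finding means the service is bound to a routable or wildcard address; whether it is reachable from the internet still depends on the firewall in front of the host.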