Internet Accessible Portmapper Service

Description

The Portmapper (portmap) service supplies client programs with information about server programs. Portmapper maps Remote Procedure Call (RPC) program and version numbers to transport-specific port numbers (TCP/UDP port numbers). The Portmapper service makes dynamic binding of remote programs possible. Portmapper listens on port 111/TCP and port 111/UDP.

Problem

An Internet Accessible Portmapper Service may be abused for a Distributed Denial-of-Service (DDoS) Reflection/Amplification attack against third parties.

The Portmapper Service (portmap)

Client programs must find the port numbers of the server programs that they intend to use. Network transport protocols do not provide such a service; they merely provide process-to-process message transfer across a network. A message typically contains a transport address consisting of a network number, a host number, and a port number.

A port is a logical communication channel in a host. A server process receives messages from the network by listening on a port. Ports allow message receivers to be specified in a way that is independent of the conventions of the receiving operating system. The Portmapper service defines a network service that permits clients to look up the port number of any remote program supported by the server. Because the Portmapper service can be implemented on any transport that provides the equivalent of ports, it works for all clients, all servers and all networks.

A Remote Procedure Call (RPC) is a request-response protocol that one program can use to request a service from a program located on another computer on a network, without having to understand the network's details. RPC lets a program call procedures on a remote system as if they were local.

The size of the Portmapper service response to a query depends upon the RPC services registered on the host. In tests conducted, responses to a 68-byte query ranged from 486 bytes to 1,930 bytes, with the average being 1,241 bytes. These responses represent a bandwidth amplification factor (BAF) of 7.1, 28.4 and 18.3 respectively.

Verification

To establish if a host has an Internet accessible service, simple utility programs or tools included with the standard Linux/Ubuntu distribution can be utilised. The test should not be run on the host itself or from the local network; instead, it should be run from a different node on the Internet.

rpcinfo (Report RPC Information)

To confirm an Internet accessible Portmapper service, the 'rpcinfo' command can be utilised.

The command reports information about the RPC services registered with the Portmapper on a system.

Invoke the rpcinfo command with the options shown in the following example, inserting the IP address of the host you wish to check for an Internet accessible Portmapper service.

$ rpcinfo -T udp -p xxx.xxx.xxx.xxx

An Internet accessible Portmapper service will return information similar to that as shown below:

$ rpcinfo -T udp -p xxx.xxx.xxx.xxx
program	vers	proto	port	service
100000	4	tcp	111	portmapper
100000	3	tcp	111	portmapper
100000	2	tcp	111	portmapper
100000	4	udp	111	portmapper
100000	3	udp	111	portmapper
100000	2	udp	111	portmapper
100024	1	udp	38792	status
100024	1	tcp	47361	status

Options
-T transport :Specifies the transport to use for the query; udp is the User Datagram Protocol.
-p host      :Probes the Portmapper on host (IP address) and lists all registered RPC programs.

Otherwise, rpcinfo will time out:

rpcinfo: can't contact portmapper: RPC: Remote system error - Connection timed out.
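The following script is an added example, not part of the original advisory, that wraps the rpcinfo check described above: it runs the probe with a time limit, classifies the result as EXPOSED or CLOSED from the two outputs shown in this section, counts the RPC programs advertised over UDP, and works out the bandwidth amplification factor (BAF) from the request and response sizes given in the description. It assumes rpcinfo (from the rpcbind package) and the coreutils timeout command are installed on the node the test is run from.

```shell
#!/bin/sh
# Added example (not part of the original advisory): a wrapper around
# "rpcinfo -T udp -p <host>" plus the BAF arithmetic from the Description.
# Assumed: 'rpcinfo' and coreutils 'timeout' are available on this node.

# Classify captured rpcinfo output.
#   CLOSED  - the "can't contact portmapper" error shown in the advisory
#   EXPOSED - a program table listing portmapper (100000) on port 111
#   UNKNOWN - anything else (e.g. a different error)
classify_rpcinfo() {
    # $1 = text captured from "rpcinfo -T udp -p <host>" (stdout and stderr)
    if printf '%s\n' "$1" | grep -q "can't contact portmapper"; then
        echo CLOSED
    elif printf '%s\n' "$1" | awk '$5 == "portmapper" && $4 == 111 { f = 1 } END { exit !f }'; then
        echo EXPOSED
    else
        echo UNKNOWN
    fi
}

# Count RPC programs registered over UDP other than portmapper itself;
# each one is a further UDP service reachable on the same host.
count_udp_services() {
    printf '%s\n' "$1" | awk '$3 == "udp" && $5 != "portmapper" { n++ } END { print n + 0 }'
}

# BAF = response bytes / request bytes, rounded half-up to one decimal place
# (the advisory's figures: 68-byte query -> 486, 1241, 1930 bytes give
# 7.1, 18.3 and 28.4).
baf() {
    # $1 = request size in bytes, $2 = response size in bytes
    awk -v req="$1" -v resp="$2" 'BEGIN { printf "%.1f\n", int(resp / req * 10 + 0.5) / 10 }'
}

# Probe one host; run this from a node outside the host's own network.
probe_host() {
    # $1 = IP address of the host to test
    out=$(timeout 10 rpcinfo -T udp -p "$1" 2>&1)
    verdict=$(classify_rpcinfo "$out")
    echo "$1: $verdict"
    if [ "$verdict" = EXPOSED ]; then
        echo "  UDP RPC services besides portmapper: $(count_udp_services "$out")"
    fi
}

# Usage: ./check_portmap.sh <ip-address>
if [ "$#" -gt 0 ]; then
    probe_host "$1"
fi
```

The classification tests for the error message first, because that message also contains the word "portmapper"; a host that answers the dump is then recognised by a row for program 100000 on port 111.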

Solution

If the Portmapper service is not required, disable it or uninstall it.

If the Portmapper service is required, restrict access to trusted clients or specific IP addresses.
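As an added example that is not part of the original advisory, the script below carries out both options from this section on a systemd-based Linux host. It assumes the Portmapper is provided by rpcbind (units rpcbind.service and rpcbind.socket), that nftables is the packet filter, and that it is run as root; the trusted prefixes in the usage line are constructed values.

```shell
#!/bin/sh
# Added example (not part of the original advisory): the two remediation
# options of the Solution section. Assumed: rpcbind supplies the
# portmapper and nftables is the packet filter; run as root.

# Option 1: the service is not required. Stop it, keep it from starting at
# boot, and mask both units so a dependency cannot pull it back in.
disable_portmapper() {
    systemctl disable --now rpcbind.service rpcbind.socket
    systemctl mask rpcbind.service rpcbind.socket
}

# Option 2: the service is required. Render an nftables ruleset that accepts
# port 111 (TCP and UDP) only from the trusted IPv4 prefixes and drops it
# from everywhere else; all other traffic is left to the existing firewall.
render_portmapper_rules() {
    # $1 = comma-separated IPv4 prefixes, e.g. "192.0.2.0/24,198.51.100.7"
    if [ -z "$1" ]; then
        echo "render_portmapper_rules: no trusted prefixes given" >&2
        return 1
    fi
    set_elems=$(printf '%s' "$1" | awk -F',' '{
        for (i = 1; i <= NF; i++) {
            gsub(/^ +| +$/, "", $i)
            if ($i != "") out = (out == "" ? $i : out ", " $i)
        }
        print out }')
    cat <<EOF
table inet portmap_guard {
    set trusted_v4 {
        type ipv4_addr
        flags interval
        elements = { $set_elems }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        meta l4proto { tcp, udp } th dport 111 ip saddr @trusted_v4 accept
        meta l4proto { tcp, udp } th dport 111 drop
    }
}
EOF
}

# Load the rendered ruleset into the kernel.
apply_portmapper_rules() {
    render_portmapper_rules "$1" | nft -f -
}

# Usage: ./portmap_fix.sh disable
#        ./portmap_fix.sh restrict "192.0.2.0/24,198.51.100.7"
case "${1:-}" in
    disable)  disable_portmapper ;;
    restrict) apply_portmapper_rules "${2:-}" ;;
esac
```

After either option, repeat the rpcinfo check from the Verification section from a node on the Internet; it should now time out. The ruleset uses its own table with an accept policy so it can be loaded beside an existing firewall without changing the handling of other ports.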

Supplementary Information

Ingress & Egress Filtering

Ingress filtering - is a simple and effective method to limit the impact of DoS attacks, by denying traffic with a forged IP source address (IP spoofing) access to the network, and to help ensure that traffic is traceable to its correct network.
Egress filtering - limits the impact of a compromised network in a Denial of Service (DoS) attack on networks of other organisations, by preventing traffic with a forged source (spoofed) IP address from leaving the network.

The implementation of best practice in relation to Ingress filtering limits the impact of a Denial of Service (DoS) attack on one's own network, while the implementation of best practice in relation to Egress filtering limits the impact of a compromised network in a Denial of Service (DoS) attack on networks of other organisations. Additional information on Ingress & Egress Filtering can be found at the following link - Ingress & Egress Filtering
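The script below is an added example, not part of the original advisory, showing the two filters just described as nftables rules for a border router: the ingress chain drops packets arriving from the Internet that claim a source address inside the organisation's own prefix, and the egress chain drops packets leaving for the Internet whose source address is not from that prefix. It assumes nftables is the packet filter; the interface name and prefix passed in are constructed values.

```shell
#!/bin/sh
# Added example (not part of the original advisory): source-address
# validation (ingress and egress filtering) rendered as an nftables ruleset.
# Assumed: nftables is the packet filter; $1 is the Internet-facing
# interface and $2 the organisation's own IPv4 prefix (constructed values
# in the usage line below).
render_spoof_filter() {
    wan_if=$1
    own_prefix=$2
    if [ -z "$wan_if" ] || [ -z "$own_prefix" ]; then
        echo "usage: render_spoof_filter <wan-interface> <own-prefix>" >&2
        return 1
    fi
    cat <<EOF
table inet spoof_filter {
    chain ingress {
        # Ingress filtering: a packet arriving from the Internet must not
        # carry a source address from our own prefix.
        type filter hook prerouting priority -300; policy accept;
        iifname "$wan_if" ip saddr $own_prefix counter drop
    }
    chain egress {
        # Egress filtering: a packet leaving for the Internet must carry a
        # source address from our own prefix, so a compromised host here
        # cannot send traffic with a forged source to third parties.
        type filter hook postrouting priority 300; policy accept;
        oifname "$wan_if" ip saddr != $own_prefix counter drop
    }
}
EOF
}

# Self-check helper: number of drop rules in the rendered ruleset.
count_drop_rules() {
    render_spoof_filter "$1" "$2" | grep -c ' drop$'
}

# Usage: ./spoof_filter.sh eth0 192.0.2.0/24   (loads the rules; run as root)
if [ "$#" -eq 2 ]; then
    render_spoof_filter "$1" "$2" | nft -f -
fi
```

The counters on both drop rules make the filters observable: a rising ingress counter shows forged packets arriving from outside, and a rising egress counter points at a host inside the network that is sending with a forged source address.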

UDP Based Denial-of-Service (DoS) Attack

The User Datagram Protocol (UDP), a generic carrier for several higher-level protocols, has a number of properties that make it susceptible to exploitation for DoS attacks against third parties. Additional information on the components and techniques deployed in a UDP-based DoS attack can be found at the following link - UDP Based Denial-of-Service (DoS) Attack

Additional Information

Internet Engineering Task Force (IETF) - RFC1831 - Remote Procedure Call Protocol Specification
Internet Engineering Task Force (IETF) - RFC1833 - Binding Protocols for ONC RPC Version 2
The Linux Documentation Project - The RPC Portmapper
IBM - Remote Procedure Call (RPC)
IBM - RPC Portmapper Program
IBM - Portmapper and rpcbind