Gaming services, hosting companies hit with new type of DDoS attack

Level 3 is warning it has seen a sudden spike in DDoS attacks using portmap

Gaming and hosting companies have been hit with a new kind of DDoS attack that could snowball without preventive steps, Level 3 Communications warned on Monday.

Attackers have figured out how to abuse portmap services that have been left openly accessible on the Internet, said Dale Drew, chief security officer for Level 3.

"We think it has the potential to be very, very bad," Drew said.

Portmap, also referred to as RPCbind, is an open-source utility for Unix systems but also is in Windows. It maps network port numbers to available services.

For example, portmap might be used if someone wants to mount a Windows drive from a Unix file system. Portmap would tell Unix where the drive is located and the right port number.

The problem is that many organizations have left portmap openly running on the Internet, allowing attackers to contact it, Drew said.

If portmap is queried, it can in some cases respond with a very large amount of data. Drew said the attackers are contacting open portmap servers, asking queries but then directing the responses to victim organizations. The UDP traffic overwhelms their networks, Drew said.

The method is referred to as a DDoS amplification attack. Depending on the query sent to portmap, the utility will send between seven to 27 times the traffic back -- or to a victim.

In December, attackers conducted devastating DDoS amplification attacks using remote code vulnerabilities in the network time protocol (NTP), which synchronizes clocks across computers.

The NTP DDoS attacks were some of the largest ever seen, Drew said. He thinks the portmap situation could rival the NTP problem, which is why Level 3 decided to go public with its findings.

About 1 million machines are running portmap open to the Internet, Level 3 found.

"We were very surprised to see how many Unix machines were running this [portmap] on the public Internet," Drew said.

The fix, Drew said, is easy: the portmap protocol should be filtered to be protected from the public Internet.

In the last few weeks, Level 3 has been watching the attackers refine their methods. The largest attacks occurred between Aug. 10 and 12, according to a blog post from Level 3.

Level 3 has a list of all the open portmap servers and has contacted its own customers that are running portmap. It has also sent the list to some ISPs so they can notify their customers to fix portmap.

Drew said he has an idea where the attackers are based, but Level 3 doesn't release attribution information since it may impact its ability to track them.

"We are watching how the bad guys react to that and if they evolve and change and modify," he said.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags hosting companiesDDoS attacksecuritygaming servicesLevel 3 Communications

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Father’s Day Gift Guide

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?