New strain of DDoS attack spotted in the wild


Last month, one web hosting company was used for a trial run of a new type of damaging distributed denial of service (DDoS) attack.

The attack was first reported by Threatpost. One services provider noticed so-called beta versions of the reflection DDoS attack, in which victims are sent large volumes of responses from Portmapper servers that engulf their bandwidth, making websites and web-based services unreachable.

Level 3 Communications of Colorado noticed unusual traffic on its servers starting in the middle of June in what it believes were beta runs of the attacks that were carried out against specific targets between August 10 and 12.

The attacks themselves involve sending UDP packets to a Portmapper server with a forged source IP address that belongs to the victim. The server then sends back, to that address, a list of the networking services it maps, and that response has ranged from 7 to 28 times the size of the originating request. One researcher admitted that there are no actual vulnerabilities to patch in Portmapper, which makes the problem hard to fix.
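The size ratio described above can be measured on captured traffic. The following is an added example, not code from the article or from Level 3: it classifies UDP payloads seen on port 111 as Portmapper DUMP calls or replies and computes the amplification factor. It assumes the ONC RPC and portmapper version 2 wire layout (RFC 5531, RFC 1833); the function names and the sample packets are constructed for illustration.

```python
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP = 100000, 2, 4  # portmapper v2 (RFC 1833)

def is_dump_call(payload: bytes) -> bool:
    """True if a UDP payload is an RPC call to portmapper's DUMP procedure."""
    if len(payload) < 24:
        return False
    _xid, mtype, rpcvers, prog, vers, proc = struct.unpack(">6I", payload[:24])
    return (mtype, rpcvers, prog, vers, proc) == (0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP)

def parse_dump_reply(payload: bytes):
    """Return [(prog, vers, proto, port), ...] for a well-formed DUMP reply, else None."""
    if len(payload) < 28:
        return None
    _xid, mtype, reply_stat, _flavor, vlen = struct.unpack(">5I", payload[:20])
    off = 20 + ((vlen + 3) & ~3)          # skip verifier body, XDR-padded to 4 bytes
    if mtype != 1 or reply_stat != 0 or off + 8 > len(payload):
        return None                       # not an accepted reply, or too short
    if struct.unpack_from(">I", payload, off)[0] != 0:   # accept_stat must be SUCCESS
        return None
    off, entries = off + 4, []
    while off + 4 <= len(payload):
        more = struct.unpack_from(">I", payload, off)[0]  # XDR "value follows" flag
        off += 4
        if more == 0:
            return entries                # list terminator reached
        if more != 1 or off + 16 > len(payload):
            return None                   # malformed or truncated entry
        entries.append(struct.unpack_from(">4I", payload, off))
        off += 16
    return None                           # ran out of bytes before the terminator

def amplification(call: bytes, reply: bytes) -> float:
    return len(reply) / len(call)

# Constructed samples: a 40-byte AUTH_NULL DUMP call and a reply with n mappings.
SAMPLE_CALL = struct.pack(">10I", 0x1234, 0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP, 0, 0, 0, 0)

def sample_reply(n: int) -> bytes:
    head = struct.pack(">6I", 0x1234, 1, 0, 0, 0, 0)
    entry = struct.pack(">5I", 1, 100003, 3, 17, 2049)   # constructed NFS/UDP mapping
    return head + entry * n + struct.pack(">I", 0)

if __name__ == "__main__":
    for n in (13, 55):
        r = sample_reply(n)
        print(n, "mappings:", len(r), "bytes,", round(amplification(SAMPLE_CALL, r), 1), "x")
```

An RPC reply header does not name the procedure it answers, so the reply check is structural and should be combined with the UDP source port (111) when it is run over a capture.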

How to mitigate

Level 3 has been notifying other hosting providers of the attacks by giving them a list of the 1.1 million Portmapper servers that are in the wild. Because most of the attacks have been similar in size, they are quite simple to filter out from networks, and Level 3 has been helpful enough to provide the static query needed to create firewall controls to counter the problem.

To prevent the attack from causing any more damage, Level 3 is advising people to disable Portmapper and RPC services on the internet if they don't need to be open. Otherwise, they should use a firewall so that only specific IPs can reach the services.