DDoS attacks enter new frontier with Portmapper

Amplification distributed denial-of-service (DDoS) attacks have worked well for the past couple of years – particularly Network Time Protocol (NTP) attacks – and have gained traction among less tech-savvy individuals since the release of automated tools.

Over this past summer, however, a new attack vector has caught on, and while it's still used relatively infrequently, at least one security firm believes it'll soon be extremely prominent.

Calling the Portmapper attack vector an “alarming trend,” Level 3 Communications issued a warning to other security firms and professionals in a blog post earlier this week.

Millions of servers run an open portmapper service, leaving them ripe for exploitation, Dale Drew, CSO at Level 3, said, adding that the perpetrators behind this attack vector appear to be trying to develop an “automated capability” and find the “best way to make it work.”

Within days of the Portmapper amplification attack being discovered, attempts to use it increased significantly. Comparing the last week of June with a week in early August, global portmap traffic grew 22-fold, the company's post stated.

Most attacks appear to target gaming and web hosting providers, because these industries depend on real-time internet access. That makes them especially susceptible to DDoS extortion: threats to attack a company unless it pays a ransom.

Although Portmapper still charts far lower than other DDoS methods, the company believes an advance warning is warranted.

“The bad guys are having a lot of preference on amplification attacks because they don't have to host any infrastructure, they just use others', and fairly easily,” Drew said. “There's a huge preference of using services like portmappers because it allows for an extreme amount of amplification … [making it] really appealing to a bad guy.”

Drew went on to say that DDoS attacks relying on User Datagram Protocol (UDP) – such as Portmapper – only seem to be increasing. As a result, he and Level 3 recommend evaluating every UDP service exposed to the public internet and questioning whether it needs to be open at all.

Most times, he said, it's unnecessary. Making them available only to authorized people can help ensure a company's infrastructure isn't abused.

Noting that it takes “a village to protect the internet,” Drew said taking these UDP services off the public internet will help make everyone safer.
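As a defender-side complement to the advice above, the following is an added example (not from the article or from Level 3) that runs over constructed flow records and flags hosts on an assumed local network that answer UDP/111 queries from outside with replies many times larger than the requests, i.e. hosts that are probably being used as Portmapper reflectors. The flow tuple layout, the 192.0.2.0/24 local range and the thresholds are assumptions.

```python
"""Spot local hosts acting as Portmapper (UDP/111) amplifiers from flow records.
Added example, not part of the original article; flow format is an assumption."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("192.0.2.0/24")  # assumed: our address space (RFC 5737 range)
PORTMAP = 111

# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port, bytes, proto)
SAMPLE_FLOWS = [
    # small queries arriving at our host from several external (likely spoofed) sources
    ("203.0.113.5", 40000, "192.0.2.10", 111, 68, "udp"),
    ("203.0.113.6", 40001, "192.0.2.10", 111, 68, "udp"),
    ("203.0.113.7", 40002, "192.0.2.10", 111, 68, "udp"),
    # ... answered with much larger replies sent back to those same addresses
    ("192.0.2.10", 111, "203.0.113.5", 40000, 2200, "udp"),
    ("192.0.2.10", 111, "203.0.113.6", 40001, 2200, "udp"),
    ("192.0.2.10", 111, "203.0.113.7", 40002, 2200, "udp"),
    # a portmapper that only talks to an internal client: expected, not flagged
    ("192.0.2.20", 50000, "192.0.2.30", 111, 68, "udp"),
    ("192.0.2.30", 111, "192.0.2.20", 50000, 120, "udp"),
]

def reflector_report(flows, local_net=LOCAL_NET, min_ratio=5.0, min_peers=3):
    """Return {local_ip: (amplification_ratio, external_peer_count)} for hosts
    replying on UDP/111 to external addresses far more bytes than they receive."""
    in_bytes, out_bytes, peers = defaultdict(int), defaultdict(int), defaultdict(set)
    for src, sport, dst, dport, nbytes, proto in flows:
        if proto != "udp":
            continue
        s, d = ip_address(src), ip_address(dst)
        if dport == PORTMAP and d in local_net and s not in local_net:
            in_bytes[dst] += nbytes            # external query reaching our portmapper
        elif sport == PORTMAP and s in local_net and d not in local_net:
            out_bytes[src] += nbytes           # our portmapper replying outward
            peers[src].add(dst)
    report = {}
    for host, sent in out_bytes.items():
        ratio = sent / max(in_bytes[host], 1)  # bytes out per byte in
        if ratio >= min_ratio and len(peers[host]) >= min_peers:
            report[host] = (round(ratio, 1), len(peers[host]))
    return report

if __name__ == "__main__":
    for host, (ratio, n) in reflector_report(SAMPLE_FLOWS).items():
        print(f"{host}: ~{ratio}x amplification to {n} external peers; restrict UDP/111")
```

A host that shows up here is exactly the kind of open UDP service the article says should be taken off the public internet or limited to authorized clients.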
