Security watchers have warned about a new class of DDoS amplification attack that exists only because too many users are failing to follow basic safeguards.
Improperly configured services such as DNS or Network Time Protocol (NTP) have been exploited to launch a string of DDoS attacks over the last couple of years, the most high-profile of which battered Spamhaus and buffeted internet exchanges back in March 2013. Over recent weeks, another service – Portmap – has become a vector of DDoS attacks, US-based carrier Level 3 warned.
Ofer Gayer, Imperva security researcher, gives insight into these attacks: “These Portmap attacks are no different than other amplification denial of service attacks, all of which abuse legitimate services to magnify the impact of DDoS floods. From a mitigation standpoint, however, the end result is always the same large UDP flood—something that mitigation providers should be equipped to deal with by default. The fact that these specific attacks originate from a rarely-used (111) port makes them even easier to identify. As always, we advise all sys-admins to carefully manage outside access of their public-facing services, either by filtering their users or by disabling them entirely, if not in use.”
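
The source-port check described in the quote, as an added example that is not from Imperva or Level 3: it scans flow records for UDP traffic sourced from port 111, reporting local addresses that are being flooded and local hosts that answer Portmap queries from outside. The flow-record format, the `203.0.113.0/24` local network and both thresholds are assumptions made for this sketch, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

PORTMAP_PORT = 111  # port named in the article
LOCAL_NET = ipaddress.ip_network("203.0.113.0/24")  # assumed: our own address space

# Constructed sample flow records: "proto src_ip src_port dst_ip dst_port bytes"
SAMPLE_FLOWS = """\
udp 198.51.100.10 111 203.0.113.5 40211 48600
udp 198.51.100.11 111 203.0.113.5 40211 51200
udp 198.51.100.12 111 203.0.113.5 51002 47900
udp 192.0.2.53 53 203.0.113.5 33000 512
udp 203.0.113.20 111 198.51.100.77 6000 39000
tcp 198.51.100.10 111 203.0.113.9 45000 300
"""


def parse_flows(text):
    """Yield (proto, src, sport, dst, dport, nbytes) from whitespace-separated lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip blank or malformed records
        proto, src, sport, dst, dport, nbytes = parts
        yield (proto.lower(), ipaddress.ip_address(src), int(sport),
               ipaddress.ip_address(dst), int(dport), int(nbytes))


def analyse(text, local_net=LOCAL_NET, min_reflectors=3, min_bytes=100_000):
    """Return (flood_targets, exposed_hosts); thresholds are assumed values.
    flood_targets: local IPs receiving UDP sourced from port 111 on many remote hosts.
    exposed_hosts: local IPs answering from UDP/111 to outside addresses."""
    inbound = defaultdict(lambda: {"bytes": 0, "reflectors": set()})
    exposed = set()
    for proto, src, sport, dst, _dport, nbytes in parse_flows(text):
        if proto != "udp" or sport != PORTMAP_PORT:
            continue  # only Portmap replies over UDP are of interest here
        if dst in local_net and src not in local_net:
            inbound[dst]["bytes"] += nbytes
            inbound[dst]["reflectors"].add(src)
        elif src in local_net and dst not in local_net:
            exposed.add(str(src))  # our host is reachable on 111 from outside
    targets = {str(ip): (v["bytes"], len(v["reflectors"])) for ip, v in inbound.items()
               if len(v["reflectors"]) >= min_reflectors and v["bytes"] >= min_bytes}
    return targets, sorted(exposed)

if __name__ == "__main__":
    print(analyse(SAMPLE_FLOWS))
```

Hosts listed in the second result are candidates for the filtering or disabling the quote recommends.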