[Vulnerability Warning] RPCBind Service Can Be Exploited for UDP Reflective DDoS Attacks

2018-09-17 16:55:28
Dear user,

The JD Cloud Security Team has recently detected cases in which attackers used the RPCBind service on Virtual Machines to carry out UDP reflection DDoS attacks, causing a sharp surge in user traffic.

To keep your business from being affected by this vulnerability, the JD Cloud Security Team recommends that you carry out a security self-check as soon as possible. If your business is within the affected scope, please fix the problem promptly to avoid attacks from external attackers.

Vulnerability Details

RPCBind is a general-purpose RPC port mapping service, bound to port 111 by default, which maps RPC service numbers to network port numbers. Attackers can scan for UDP port 111 in bulk and use the hosts that answer to perform DDoS attacks with UDP reflection amplification.

Risk Grade

High Risk

Vulnerability Damage

If this vulnerability is present, remote attackers may use the user's machine as a reflector in amplification attacks. Your bandwidth is then consumed maliciously and used to attack other machines, which may lead to unnecessary legal risks and economic losses.

Repair Suggestion

Before making the change, back up your data and verify and evaluate the change in advance, so that the change itself does not make your business unavailable.

1. Directly disable the RPCBind service: if RPCBind is not used in the business, it can be disabled directly.

Ubuntu:

(1) Open a terminal and run the following commands to disable the rpcbind service:

sudo systemctl stop rpcbind && sudo systemctl disable rpcbind

(2) Check if the rpcbind service is disabled:

sudo netstat -anp | grep rpcbind

CentOS 7:

(1) Open a terminal and run the following commands:

systemctl stop rpcbind && systemctl disable rpcbind

(2) Check if the rpcbind service is disabled:

netstat -anp | grep rpcbind

CentOS 6:

(1) Open a terminal and run the following commands:

/etc/init.d/rpcbind stop && chkconfig rpcbind off

(2) Check if the rpcbind service is disabled:

netstat -anp | grep rpcbind
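
The check above matches on the process name. The following is an added example, not part of the original advisory, that matches on port 111 instead; it assumes a systemd host where PID 1 may keep the port open through socket activation, and the function names and sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory. Function names are hypothetical.

# Constructed `netstat -anp` output: rpcbind.service is stopped, but PID 1
# still holds port 111 (assumed socket activation via rpcbind.socket).
SAMPLE_SOCKET_ACTIVE='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp   0  0  0.0.0.0:22     0.0.0.0:*  LISTEN  812/sshd
tcp   0  0  0.0.0.0:111    0.0.0.0:*  LISTEN  1/systemd
udp   0  0  0.0.0.0:111    0.0.0.0:*          1/systemd
udp6  0  0  :::111         :::*               1/systemd
udp   0  0  127.0.0.1:323  0.0.0.0:*          640/chronyd'

# Constructed output for a host where port 111 is closed.
SAMPLE_CLEAN='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp   0  0  0.0.0.0:22     0.0.0.0:*  LISTEN  812/sshd
udp   0  0  127.0.0.1:323  0.0.0.0:*          640/chronyd'

# The advisory's check: count lines naming rpcbind (netstat text on stdin).
advisory_check_hits() {
    grep -c rpcbind || true
}

# Print "proto local-address owner" for every socket bound to local port 111,
# matching on the port number instead of the process name.
port111_sockets() {
    awk '$1 ~ /^(tcp|udp)6?$/ && $4 ~ /:111$/ { print $1, $4, $NF }'
}

# Exit 0 when no UDP socket is bound to port 111, 1 when it is still open.
udp111_closed() {
    ! port111_sockets | grep -q '^udp'
}

# Demo on the constructed sample. On a real host:
#   sudo netstat -anp | port111_sockets
printf '%s\n' "$SAMPLE_SOCKET_ACTIVE" | port111_sockets
```

If port 111 is still listed on a systemd host after the steps above, stop and disable the rpcbind.socket unit as well.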

Reference Information

(1) https://www.us-cert.gov/ncas/alerts/TA14-017A

(2) http://netsecurity.51cto.com/art/201508/489005.htm

(3) http://blog.nsfocus.net/portmapper-ddos-attack


JD Cloud team