Example Analysis of Port Mapper reflection DDoS attack early warning

2025-02-27 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

0x00 event background

On 2018-09-14, 360CERT's traffic monitoring detected a large amount of abnormal traffic.

360CERT's analysis found that the port involved is the one used by port mapper (rpc.portmap, or simply portmap, rpcbind) on Linux.

The main function of port mapper is to map RPC routines to open port numbers on the Internet.

An attacker can abuse an exposed Portmapper (RPC Portmapper) server as a reflector, causing it to send a large number of responses to a target. This saturates the target's bandwidth and makes its website and web-based services inaccessible.

0x01 scope of influence

Monitoring data from 360 shows that traffic on port 111 peaked at 8:45 this morning. A total of 1859325 packets were sent.

The top 10 IP addresses for port 111 traffic are as follows

0x02 repair recommendation

Rpcbind is installed by default as a dependency of nfs-client on Debian. If you don't need NFS-related services, it is unnecessary. Rpcbind has previously been shown to carry potential security risks.

Depending on the distribution, you can use the following commands to shut down the rpcbind service.

Stop the service:

    # systemctl stop rpcbind.service

Disable the service:

    # systemctl disable rpcbind.service

Or use netstat -anp | grep 111 to view the corresponding process PID and use kill -9 PID to clean up the process.
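A plain grep for 111 also matches ports such as 1110 and PIDs such as 1111. The script below is an added example, not part of the original article: it reads listener lines in the layout printed by ss -H -lntup and reports only sockets bound to exactly port 111 on a non-loopback address. The function names and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original article): list port-111 listeners
# that are reachable from other hosts.

# Constructed sample in the layout printed by `ss -H -lntup`:
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process
sample_listeners() {
    cat <<'EOF'
udp UNCONN 0 0    0.0.0.0:111   0.0.0.0:* users:(("rpcbind",pid=612,fd=5))
udp UNCONN 0 0    127.0.0.1:323 0.0.0.0:* users:(("chronyd",pid=701,fd=5))
tcp LISTEN 0 4096 0.0.0.0:111   0.0.0.0:* users:(("rpcbind",pid=612,fd=4))
tcp LISTEN 0 128  0.0.0.0:22    0.0.0.0:* users:(("sshd",pid=1111,fd=3))
tcp LISTEN 0 128  0.0.0.0:1110  0.0.0.0:* users:(("demo",pid=900,fd=3))
tcp LISTEN 0 4096 [::]:111      [::]:*    users:(("rpcbind",pid=612,fd=6))
tcp LISTEN 0 4096 127.0.0.1:111 0.0.0.0:* users:(("demo",pid=901,fd=3))
EOF
}

# Read ss-style lines on stdin; print "<proto> <local address>" for each
# listener whose port is exactly 111 and whose address is not loopback.
exposed_portmap() {
    while read -r proto _state _recvq _sendq laddr _rest; do
        port=${laddr##*:}    # text after the last colon (works for [::]:111)
        addr=${laddr%:*}     # text before the last colon
        [ "$port" = "111" ] || continue
        case $addr in
            127.*|'[::1]') continue ;;   # loopback only: not reachable remotely
        esac
        printf '%s %s\n' "$proto" "$laddr"
    done
    return 0
}

# On a live host: ss -H -lntu | exposed_portmap
sample_listeners | exposed_portmap
```

Run the check again after stopping the service: on systemd hosts, rpcbind.socket can keep port 111 open until it is stopped and disabled as well.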
