This site is brought to you by the Electrical and Computer Engineering department


Systems Vulnerable to Participating in UDP Amplification Attacks

A system allows its portmap service to be queried from the public Internet. Portmapper is an RPC service that always listens on TCP and UDP port 111 and is used to map other RPC
services (such as nfs, nlockmgr, quotad, mountd, etc.) to their corresponding port numbers on the server. When a remote host makes an RPC call to that server, it first consults
portmap to determine where the RPC server is listening. Querying portmapper is a small request (~82 bytes via UDP) that generates a large response (7x to 28x amplification), which
makes it a good candidate for DDoS attacks, especially considering its prevalence among virtually all modern Unix systems.

Portmap must be restricted from the public internet with access controls or authentication.

Prevention Options for Linux, Windows, and Network Printers

Linux

1)  Uninstall NFS server, NFS client, and Portmapper (RPCbind)

    Open a command-line terminal and then type the following command:

    $ sudo apt-get --purge remove nfs-kernel-server nfs-common rpcbind

2)  Portmap Lockdown via TCP Wrapper

    Open a command-line terminal and then type the following command:

    $ sudo nano /etc/hosts.allow

    Add the following lines:

    rpcbind: 146.6.101.0/255.255.255.0
    rpcbind: 128.83.190.0/255.255.255.0
    rpcbind: 129.116.100.192/255.255.255.192
    rpcbind: 129.116.238.128/255.255.255.192
    rpcbind: 146.6.28.64/255.255.255.192
    rpcbind: 146.6.53.0/255.255.255.0
    rpcbind: 146.6.177.0/255.255.255.192
    rpcbind: 129.116.140.0/255.255.255.0
    rpcbind: 129.116.234.0/255.255.255.0
    rpcbind: 172.25.1.0/255.255.255.224
    rpcbind: 206.76.64.0/255.255.192.0
    rpcbind: 198.213.192.0/255.255.192.0
    rpcbind: 172.29.0.0/255.255.0.0
    rpcbind: 10.0.0.0/255.0.0.0

    Save the changes made to the file.

    Type the following command:

    $ sudo nano /etc/hosts.deny

    Add the following lines:

    rpcbind: ALL

    Save the changes made to the file.
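The two files above only work together because of the order in which TCP Wrappers evaluates them: /etc/hosts.allow is consulted first, /etc/hosts.deny second, and a client that matches neither is granted access. The following added example (written for this page, not code from the original page or from the rpcbind project) models that decision for the "daemon: client" line form used above, so an administrator can check which source addresses the rpcbind entries will admit before relying on them. It handles only the net/netmask and prefix-length client forms plus the ALL wildcard; hostname, domain-suffix and EXCEPT patterns that libwrap also accepts are not implemented. The constructed sample files use a subset of the page's networks, and the to_cidr helper rewrites a net/netmask entry in the prefix notation that the Windows firewall steps on this page use for the same subnets.

```python
"""Evaluate TCP Wrapper (hosts.allow / hosts.deny) decisions for rpcbind.

Added example for this page, not code from the original page or from
rpcbind. It mirrors the libwrap evaluation order: hosts.allow first,
then hosts.deny, and a client matching neither file is allowed.
"""
import ipaddress

# Constructed sample in the exact "daemon: client" form the page uses.
HOSTS_ALLOW = """\
# campus subnets permitted to reach the portmapper
rpcbind: 146.6.101.0/255.255.255.0
rpcbind: 129.116.100.192/255.255.255.192
rpcbind: 10.0.0.0/255.0.0.0
"""

HOSTS_DENY = """\
rpcbind: ALL
"""


def parse_wrapper_file(text):
    """Return a list of (daemon, [client patterns]) pairs from wrapper text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        daemon, _, clients = line.partition(":")
        patterns = [p.strip() for p in clients.split(",") if p.strip()]
        rules.append((daemon.strip(), patterns))
    return rules


def client_matches(pattern, addr):
    """True if one client pattern (ALL, net/mask, net/prefix, or host) matches addr."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        # ipaddress accepts both 'net/255.255.255.0' (page form) and 'net/24'.
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)


def wrapper_decision(daemon, client_ip, allow_text, deny_text):
    """Return 'allow' or 'deny' the way libwrap would for this daemon and client."""
    addr = ipaddress.ip_address(client_ip)
    ordered = ((parse_wrapper_file(allow_text), "allow"),
               (parse_wrapper_file(deny_text), "deny"))
    for rules, verdict in ordered:
        for rule_daemon, patterns in rules:
            if rule_daemon not in (daemon, "ALL"):
                continue
            if any(client_matches(p, addr) for p in patterns):
                return verdict  # first matching file decides
    return "allow"  # no match in either file: access is granted


def to_cidr(pattern):
    """Rewrite a net/netmask pattern in prefix notation (e.g. for a firewall scope list)."""
    return str(ipaddress.ip_network(pattern, strict=False))


if __name__ == "__main__":
    for ip in ("146.6.101.7", "10.20.30.40", "203.0.113.5"):
        print(ip, wrapper_decision("rpcbind", ip, HOSTS_ALLOW, HOSTS_DENY))
    print(to_cidr("129.116.100.192/255.255.255.192"))
```

Running the script shows the two campus addresses allowed and the outside address denied; removing the `rpcbind: ALL` line from the deny sample makes the outside address allowed again, which is exactly the misconfiguration the hosts.deny step guards against.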

Windows

Create Inbound Rules to protect RPC Endpoint Mapper service and RPC-enabled network services

To create a rule to allow inbound network traffic to the RPC Endpoint Mapper service

  1. Access Windows Firewall with Advanced Security by going to Control Panel -> System and Security -> Windows Firewall, and then click Advanced settings.

  2. In the navigation pane, click Inbound Rules.

  3. Click Action, and then click New rule.

  4. On the Rule Type page of the New Inbound Rule Wizard, click Custom, and then click Next.

  5. On the Program page, click This Program Path, and then type %systemroot%\system32\svchost.exe.

  6. Click Customize.

  7. In the Customize Service Settings dialog box, click Apply to this service, select Remote Procedure Call (RPC) with a short name of RpcSs, click OK, and then click Next.

  8. On the warning about Windows service-hardening rules, click Yes.

  9. On the Protocol and Ports dialog box, for Protocol type, select TCP.

  10. For Local port, select RPC Endpoint Mapper, and then click Next.

  11. On the Scope page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. In the Which remote IP addresses does this rule apply to? box, select the These IP addresses option, click the Add button, and enter the subnets below:

    146.6.101.0/24
    128.83.190.0/24
    129.116.100.192/26
    129.116.238.128/26
    146.6.28.64/26
    146.6.53.0/24
    146.6.177.0/26
    129.116.140.0/24
    129.116.234.0/24
    172.25.1.0/27
    206.76.64.0/18
    198.213.192.0/18
    172.29.0.0/16
    10.0.0.0/8

    Once the subnets are entered, click Next.

  12. On the Action page, select Allow the connection, and then click Next.

  13. On the Profile page, select Domain, Private, Public, and then click Next.

  14. On the Name page, type RPC EndPoint Mapper in the Name box and then click Finish.

To create a rule to allow inbound network traffic to RPC-enabled network services

  1. On the Windows Firewall with Advanced Security page, click Inbound Rules in the left pane, click Action, and then click New rule in the drop-down menu at the top.

  2. On the Rule Type page of the New Inbound Rule Wizard, click Custom, and then click Next.

  3. On the Program page, click This Program Path, and then type the path to the executable file that hosts the network service. Click Customize.

  4. In the Customize Service Settings dialog box, click Apply to this service, and then select the service that you want to allow. If the service does not appear in the list, then click Apply to service with this service short name, and then type the short name of the service in the text box.

  5. Click OK, and then click Next.

  6. On the Protocol and Ports dialog box, for Protocol type, select TCP.

  7. For Local port, select RPC Dynamic Ports, and then click Next.

  8. On the Scope page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. In the Which remote IP addresses does this rule apply to? box, select the These IP addresses option, click the Add button, and enter the subnets below:

    146.6.101.0/24
    128.83.190.0/24
    129.116.100.192/26
    129.116.238.128/26
    146.6.28.64/26
    146.6.53.0/24
    146.6.177.0/26
    129.116.140.0/24
    129.116.234.0/24
    172.25.1.0/27
    206.76.64.0/18
    198.213.192.0/18
    172.29.0.0/16
    10.0.0.0/8

    Once the subnets are entered, click Next.

  9. On the Action page, select Allow the connection, and then click Next.

  10. On the Profile page, select the network location types to which this rule applies, and then click Next.

  11. On the Name page, type RPC followed by the name of the program that is being protected (e.g., RPC Linux NFS) in the Name box and then click Finish.


Network Printers

ECE-IT will move network printers to campus-only (private) printer networks.

Multifunction Device Hardening Checklist
https://security.utexas.edu/multifunction-hardening-checklist

"Consider placing sensitive MFDs on their own VLAN, which may make them easier to identify and secure. It is also strongly advised to give MFDs campus-routed RFC 1918 addresses
so that they are not accessible from the Internet. It is rare that an MFD needs to be accessed from off-campus, and a VPN can be used in those instances."
