This site is brought to you by the Electrical and Computer Engineering department
UDP Amplification Portmapper (RPCBind)
Systems Vulnerable to Participating in UDP Amplification Attacks
A system allows its portmap service to be queried from the public Internet. Portmapper is an RPC service, which always listens on tcp and udp 111, and is used to map other RPC
services (such as nfs, nlockmgr, quotad, mountd, etc.) to their corresponding port number on the server. When a remote host makes an RPC call to that server, it first consults with
portmap to determine where the RPC server is listening.Querying portmapper is a small request (~82 bytes via UDP) which generates a large response (7x to 28x amplification), which
makes it a good candidate for DDoS attacks--especially considering its prevalence among virtually all modern Unix systems.
Portmap must be restricted from the public internet with access controls or authentication.
Prevention Options for Linux, Windows, and Network Printers
Linux
1) Uninstall NFS server, NFS client, and Portmapper (RPCbind)
Open a command-line terminal and then type the following command:
$ sudo apt-get --purge remove nfs-kernel-server nfs-common rpcbind
2) Portmap Lockdown via TCP Wrapper
**Note**
Solaris system TCP Wrappers not are enabled by default. Open a command-line terminal and enter the following commands to enable rpcbind TCP Wrappers:
# svccfg -s rpc/bind setprop config/enable_tcpwrappers=true
# svcadm refresh rpc/bind
(Continue following the instructions below)
For all other Linux systems:
Open a command-line terminal and then type the following command:
$ sudo nano /etc/hosts.allow
Add the following lines:
rpcbind: 146.6.101.0/255.255.255.0
rpcbind: 128.83.190.0/255.255.255.0
rpcbind: 129.116.100.192/255.255.255.192
rpcbind: 129.116.238.128/255.255.255.192
rpcbind: 146.6.28.64/255.255.255.192
rpcbind: 146.6.53.0/255.255.255.0
rpcbind: 146.6.177.0/255.255.255.192
rpcbind: 129.116.140.0/255.255.255.0
rpcbind: 129.116.234.0/255.255.255.0
rpcbind: 172.25.1.0/255.255.255.224
rpcbind: 206.76.64.0/255.255.192.0
rpcbind: 198.213.192.0/255.255.192.0
rpcbind: 172.29.0.0/255.255.0.0
rpcbind: 10.0.0.0/255.0.0.0
rpcbind: 10.157.31.128/255.255.255.128
rpcbind: 10.157.33.0/255.255.255.0
rpcbind: 10.157.30.64/255.255.255.192
rpcbind: 10.157.34.0/255.255.255.0
rpcbind: 10.157.26.0/255.255.255.128
rpcbind: 10.157.27.0/255.255.255.0
rpcbind: 10.157.31.0/255.255.255.128
rpcbind: 10.157.29.0/255.255.255.128
rpcbind: 10.157.29.128/255.255.255.128
rpcbind: 10.157.30.0/255.255.255.192
Save the changes made to the file.
Type the following command:
$ sudo nano /etc/hosts.deny
Add the following lines:
rpcbind: ALL
Save the changes made to the file.
Windows
Inbound Rules to protect PortMapper TCP & UDP ports for Unix-based Software
How to check Windows Firewall settings for existing Unix-based software rules
1. Access the Windows Firewall with Advanced Security by going to Control Panel -> System and Security -> Windows Firewall and then click on Advanced settings.
2. In the navigation pane, click Inbound Rules.
3. Search for the following rules:
Portmap for Unix-based Software (TCP-in)
Portmap for Unix-based Software (UDP-in)
4. If the rules exist, move on to step 5. If rules are not present, create one PortMapper TCP port based rule and a second PortMapper UDP based rule by following
the instructions under the "How to create rules to allow inbound network traffic for Portmapper TCP and UDP ports" section.
5. Highlight and double click on the Portmap for Unix-based Software (TCP-in) rule.
6. Select the Scope page where you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page.
Under the Remote IP address section, select These IP addresses option and click the Add button to enter the subnets listed below:
146.6.101.0/24
128.83.190.0/24
129.116.100.192/26
129.116.238.128/26
146.6.28.64/26
146.6.53.0/24
146.6.177.0/26
129.116.140.0/24
129.116.234.0/24
172.25.1.0/27
206.76.64.0/18
198.213.192.0/18
172.29.0.0/16
10.0.0.0/8
Once the subnets are entered, click Apply and then OK.
7. Highlight and double click on the Portmap for Unix-based Software (UDP-in) rule.
8. Follow the instructions outlined in step 6.
9. Close Windows Firewall with Advanced Security page.
How to create rules to allow inbound network traffic for Portmapper TCP and UDP ports
On Windows Firewall with Advanced Security page, click Inbound Rules on the left window pane, click Action and then click New rule located on the top drop down menu.
On the Rule Type page of the New Inbound Rule Wizard, click Port, and then click Next.
On the Protocols and Ports page, click TCP and and under the , select Specific local ports option and enter 111 in the empty field box. Click Next.
In the Action page dialog box, select Allow the connections option and click Next.
On the Profiles page, select the Domain, Private, and Public options. Click Next.
Within the Name page, click on the Name field box and enter the name Portmap for Unix-based Software (TCP-in). Click Finish.
Highlight the Portmap for Unix-based Software (TCP-in) rule and double click on it. The Portmap for Unix-based Software (TCP-in) rule property dialogue box should appear.
Select the Scope tab where you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page.
Under the Remote IP address section, select These IP addresses option and click the Add button to enter the subnets listed below:
146.6.101.0/24
128.83.190.0/24
129.116.100.192/26
129.116.238.128/26
146.6.28.64/26
146.6.53.0/24
146.6.177.0/26
129.116.140.0/24
129.116.234.0/24
172.25.1.0/27
206.76.64.0/18
198.213.192.0/18
172.29.0.0/16
10.0.0.0/8
Once the subnets are entered, click Apply and then OK.Create a second rule. Click Action and then click New rule located on the top drop down menu.
On the Protocols and Ports page, select UDP and and under the Does this rule apply to all local ports or specific local ports? heading, select Specific local ports option and enter 111 in the empty field box. Click Next.
In the Action page dialog box, select Allow the connections option and click Next.
- On the Profiles page, select the Domain, Private, and Public options. Click Next.
- Within the Name page, click on the Name field box and enter the name Portmap for Unix-based Software (UDP-in). Click Finish.
- Highlight the Portmap for Unix-based Software (UDP-in) rule and double click on it. The Portmap for Unix-based Software (UDP-in) rule property dialogue box should appear.
- Follow the instructions outlined in step 8.
- Close Windows Firewall with Advanced Security page.
Network Printers
ECE-IT will move network printers to campus-only (private) printer networks.
Multifunction Device Hardening Checklist
https://security.utexas.edu/multifunction-hardening-checklist
"Consider placing sensitive MFDs on their own VLAN, which may make them easier to identify and secure. It is also strongly advised to give MFDs campus-routed RFC 1918 addresses
so that they are not accessible from the Internet. It is rare that an MFD needs to be accessed from off-campus, and a VPN can be used in those instances.”
Welcome to the University Wiki Service! Please use your IID (yourEID@eid.utexas.edu) when prompted for your email address during login or click here to enter your EID. If you are experiencing any issues loading content on pages, please try these steps to clear your browser cache.