Federal Office for Information Security (BSI)

Openly accessible Portmapper services

The Portmapper (portmap, rpcbind) is required for mapping RPC requests (remote procedure calls) to a network service. It is needed e. g. for mounting network shares using the Network File System (NFS).

Problem

Openly accessible Portmapper services can be abused for DDoS reflection attacks against third parties.

Verification

In this section, we show how to check a host for an openly accessible service. All tests are performed using tools commonly included with standard Linux/Unix distributions. To verify the service is openly accessible from the Internet, the test should not be run on the host itself or the local network but instead from a different node on the Internet, for example a host on a cable/DSL line. In all examples, replace 192.168.45.67 with the IP address of the host to check.

To check if a Portmapper service is openly accessible from the Internet, the tool 'rpcinfo' can be used:

$ rpcinfo -T udp -p 192.168.45.67

An openly accessible Portmapper service will return a response like this:

program vers proto   port  service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 48035 status
100024 1 tcp 52605 status

Otherwise, rpcinfo will run into a timeout:

rpcinfo: can't contact portmapper: RPC: Remote system error - Connection timed out

Solution

If the Portmapper service (portmap, rpcbind) is not required, disable or deinstall it. Otherwise, restrict access to trusted clients, for example by blocking incoming connections to port 111/tcp and 111/udp on the firewall.

On Debian/Ubuntu based Linux systems, the portmapper service can be removed using the following command:

# apt-get remove rpcbind

Further information

Note on the use of cookies

Cookies facilitate the provision of our services. By using our services, you agree that we use cookies. For more information on privacy, please visit the following link Data protection statement

OK