Guide to Portmapper Amplification Issues

What is Portmapper?
The port mapper (rpc.portmap or just portmap, or rpcbind) is an Open Network Computing Remote Procedure Call (ONC RPC) service that runs on network nodes providing other ONC RPC services.

A host may connect to a server that supports the Portmapper Protocol on either Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port number 111.

You can read more details about this protocol: https://en.wikipedia.org/wiki/Portmap

Amplification Attack Description:
The UDP-based Portmapper protocol can be abused to amplify denial-of-service attack traffic. Servers running Portmapper are susceptible to being used in a distributed reflected denial-of-service (DRDoS) attack.

The attacker generates a large number of UDP packets with a spoofed source IP address to make it appear as though the packets are coming from the intended target. These UDP packets are sent to Portmapper servers (port 111). The servers send their replies, which are larger than the requests, to the spoofed address, so the amplified traffic lands on the target.

How to Verify if your Server/Device is Vulnerable
The following output examples indicate that the Portmapper UDP port is exploitable (xx.xx.xx.xx is the server IP):
# nmap -Pn -sU -p U:111 --script=nfs-ls xx.xx.xx.xx
Nmap scan report for xx.xx.xx.xx
PORT STATE SERVICE
111/udp open rpcbind

or, alternatively:
# rpcinfo -T udp -p xx.xx.xx.xx
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 49500 status
100024 1 tcp 47792 status
[…]

Resolution
Different options are available to protect your server or device:

1) Disable the Portmapper service if you are not using it. This is the easiest and most effective solution. It might, however, impact the NFS service (unless you are using NFSv4, which has no interaction with portmapper).

2) Configure your firewall to restrict incoming requests to the portmapper service to a specific list of hosts/networks, or block them completely. Make sure that the firewall rule is saved and reloaded after a server reboot.
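
To help choose between the two options, the script below (an added example, not part of the original guide) reads an `rpcinfo -p` listing on stdin, reports whether portmapper is registered on UDP 111, and lists the RPC services that registered with it. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `rpcinfo -p` output to decide whether portmapper
# can be disabled or has to be firewalled. The listing is read from stdin.

# portmap_audit: prints one summary line, e.g. "udp111=yes dependents=status"
portmap_audit() {
    awk '
        # Skip the header row, "[...]" markers and other non-entry lines.
        NF < 4 || $1 !~ /^[0-9]+$/ { next }
        # Program 100000 is portmapper/rpcbind itself.
        $1 == 100000 { if ($3 == "udp" && $4 == 111) udp = 1; next }
        # Entries without a service name are reported by program number.
        { name = (NF >= 5 ? $5 : "prog" $1) }
        # Every other program is a service that registered with portmapper.
        !seen[name]++ { deps = deps (deps ? "," : "") name }
        END {
            printf "udp111=%s dependents=%s\n", (udp ? "yes" : "no"), (deps ? deps : "none")
        }
    '
}

# portmap_advice: maps the summary to the options in the Resolution section.
portmap_advice() {
    summary=$(portmap_audit)
    case "$summary" in
        "udp111=no "*)      echo "ok: portmapper not registered on UDP 111" ;;
        *"dependents=none") echo "disable: nothing depends on portmapper" ;;
        *)                  echo "firewall: restrict port 111 (${summary#* })" ;;
    esac
}

# Constructed sample, modeled on the rpcinfo listing shown earlier.
sample_listing() {
cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100024    1   udp  49500  status
    100024    1   tcp  47792  status
EOF
}

sample_listing | portmap_advice
```

On a live host, run `rpcinfo -p | portmap_advice` locally; whether the port answers from outside your network is still determined by the remote checks shown earlier.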
