In hopes of warding off significant attacks, Level 3 Communications is trying to spread the word among ISPs of a major new distributed denial of service (DDoS) threat. The threat was identified after Level 3's security monitoring detected unusual activity that appeared to be bad actors testing out and then using a new DDoS threat vector, Portmapper.
Portmapper services run on a standard server and are generally used only in corporate networks to identify available services that can be connected from the network. According to Level 3 Communications Inc. (NYSE: LVLT)'s intelligence, however, there are 1.1 million of these servers on the public Internet. Bad actors are currently sweeping the Internet looking for these servers and using them to launch amplified DDoS attacks, in a method similar to that used a couple of years ago to launch the largest DDoS attacks ever, using network time protocol servers.
In the case of the NTP attacks, which created DDoS storms of 400 gigabits to 500 gigabits in volume, the bad guys discovered a way to forge IP addresses in launching queries of the NTP servers, says Dale Drew, chief security officer at Level 3.
The queries, which were launched from the forged IP address of the intended victim, would ask the NTP server to provide a detailed list of information, and the bad guys would launch thousands of these forged queries to NTP servers within seconds, creating an amplified DDoS attack.
"With very low effort on the part of the bad guy, they would send this huge amount of data to a victim, causing the Internet's largest DDoS attack that we've seen to date," Drew says. He spells out the technical details today in a blog you can find here.
The Portmapper attacks that Level 3 has detected appear to mimic the NTP attacks in this way: The bad guys sweep the Internet looking for Portmapper servers and then initiate a forged query asking them to identify all the available services, so a high volume of responses are sent to the victim.
here on Light Reading.
Earlier this month, Level 3 saw the first of these attacks, aimed at web hosting and gaming sites. In response, the company is proactively protecting its Internet backbone and its customers, blocking this type of attack and contacting anyone operating a Portmapper server that is connected to the Internet via Level 3. In addition, more sophisticated algorithms have been added to its managed security and DDoS prevention products, Drew says.
"We also wanted to get this out to the industry to make them aware so they can block it as quickly as they can," Drew says. Level 3 is also contacting all the folks operating Portmapper servers directly connected to its Internet backbone to alert them to this danger and sending out a list to other ISPs of customers on those backbones with those kinds of servers.
"Our objective here is to get ahead of this, to protect our network and our customers, before it becomes a media event," he concludes.
— Carol Wilson, Editor-at-Large, Light Reading