Think you have a false positive on this rule?

Sid 1-45108


PROTOCOL-RPC XDR string allocation denial of service attempt


This event is generated when an attacker attempts to exploit a denial of service vulnerability in rpcbind.


Denial of service


CVSS base score 7.5

CVSS impact score 3.6

CVSS exploitability score 3.9

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Detailed information

Rule checks for a DoS attempt against rpcbind. CVE-2017-8779: rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no subsequent free) via a crafted UDP packet to port 111, aka rpcbomb.

Affected systems

  • libtirpc_project libtirpc 1.0.1
  • ntirpc_project ntirpc 1.4.3
  • rpcbind_project rpcbind 0.2.4

Ease of attack

Simple; Metasploit module publicly-available

False positives

Not known

False negatives

Not known

Corrective action


  • Cisco's Talos Intelligence Group

Additional References