POLICY-OTHER RPC Portmapper version 3 dump request attempt
This event is generated when an inbound RPC Portmapper version 3 dump request is made at least 10 times within 1 second
Detection of a denial of service attack via amplification: if enough responses are generated in a short enough period of time, the target is flooded.
RPC Portmapper, in response to a legitimate call, will respond with a valid response. The issue lies in the fact that the response is significantly larger than the initial inbound request. This is known as amplification, and if a significant number of responses are forwarded to a server, a DoS condition may occur.
Ease of Attack:
Simple and publicly available
What To Look For
No public information
Known false positives, with the described conditions
Detection only covers ten requests made in a short period of time; the requests in and of themselves will not do anything and are completely legitimate. Many requests made to a single server are likely indicative of an attempted UDP amplification DoS attack.
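The rule logic described above (a threshold of ten portmapper v3 DUMP calls to one destination inside a one-second window) and the amplification explained in the summary, as an added example that is not part of the Talos documentation and is not the Snort rule itself. It decodes a minimal ONC RPC call header to recognise program 100000, version 3, procedure 4 (DUMP), keeps a sliding window per destination, and builds a constructed DUMP reply so the request-to-response size ratio can be measured; the registration entries, addresses and timestamps are constructed for the example.

```python
"""Detection logic for a burst of RPC Portmapper (rpcbind) version 3 DUMP
requests, plus a constructed reply that shows why the exchange amplifies.
Added example; not part of the Talos rule documentation."""
import struct
from collections import defaultdict, deque

# ONC RPC v2 constants (RFC 5531) and rpcbind constants (RFC 1833)
RPC_VERSION = 2
MSG_CALL, MSG_REPLY = 0, 1
PMAP_PROG = 100000        # portmapper / rpcbind program number
RPCB_VERS3 = 3
RPCBPROC_DUMP = 4         # procedure 4 is DUMP in rpcbind v3
AUTH_NULL = 0


def xdr_string(s):
    """XDR variable-length string: 4-byte length, bytes, padded to a 4-byte boundary."""
    data = s.encode()
    pad = (-len(data)) % 4
    return struct.pack(">I", len(data)) + data + b"\x00" * pad


def build_dump_request(xid):
    """Constructed rpcbind v3 DUMP call with AUTH_NULL credentials and verifier (40 bytes)."""
    return struct.pack(">10I", xid, MSG_CALL, RPC_VERSION, PMAP_PROG, RPCB_VERS3,
                       RPCBPROC_DUMP, AUTH_NULL, 0, AUTH_NULL, 0)


def build_dump_reply(xid, entries):
    """Constructed successful DUMP reply: an XDR linked list of rpcb entries."""
    out = struct.pack(">6I", xid, MSG_REPLY, 0, AUTH_NULL, 0, 0)  # MSG_ACCEPTED, SUCCESS
    for prog, vers, netid, addr, owner in entries:
        out += struct.pack(">3I", 1, prog, vers)  # 1 = another entry follows
        out += xdr_string(netid) + xdr_string(addr) + xdr_string(owner)
    return out + struct.pack(">I", 0)  # 0 = end of list


def is_portmap_v3_dump(payload):
    """True when a UDP payload is an RPC CALL to program 100000, version 3, procedure DUMP."""
    if len(payload) < 24:
        return False
    _xid, mtype, rpcvers, prog, vers, proc = struct.unpack(">6I", payload[:24])
    return (mtype == MSG_CALL and rpcvers == RPC_VERSION and prog == PMAP_PROG
            and vers == RPCB_VERS3 and proc == RPCBPROC_DUMP)


class DumpBurstDetector:
    """Alerts when `threshold` DUMP requests reach one destination within `window` seconds."""

    def __init__(self, threshold=10, window=1.0):
        self.threshold = threshold
        self.window = window
        self.seen = defaultdict(deque)  # destination -> timestamps of matching requests

    def observe(self, ts, dst, payload):
        """Feed one inbound packet; returns True if this packet completes a burst."""
        if not is_portmap_v3_dump(payload):
            return False
        q = self.seen[dst]
        q.append(ts)
        while q and ts - q[0] > self.window:   # slide the window forward
            q.popleft()
        return len(q) >= self.threshold


# Constructed registration table (hypothetical hosts); kept to 3 entries so the
# reply stays small. Real rpcbind dumps often list dozens of entries.
SAMPLE_ENTRIES = [
    (100000, 3, "udp", "0.0.0.0.0.111", "superuser"),
    (100003, 3, "udp", "0.0.0.0.8.1", "superuser"),
    (100005, 1, "udp", "0.0.0.0.2.128", "superuser"),
]


def amplification_factor(entries=SAMPLE_ENTRIES):
    """Bytes sent by the server per byte sent by the client for one DUMP exchange."""
    req = build_dump_request(0x1234)
    rep = build_dump_reply(0x1234, entries)
    return len(rep) / len(req)


if __name__ == "__main__":
    det = DumpBurstDetector()
    req = build_dump_request(1)
    # ten requests to one destination, 0.1 s apart: the tenth completes the burst
    alerts = [i / 10 for i in range(10) if det.observe(i / 10, "10.0.0.5", req)]
    print("alert at t =", alerts, "s; amplification x%.1f" % amplification_factor())
```

The detector keys on the destination because the rule's concern is many requests converging on a single server; the source address is deliberately not trusted, since in a UDP amplification attack it is the spoofed victim. Even with only three registered services the constructed reply is several times the size of the 40-byte request, which is the amplification the summary describes.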
Cisco Talos Intelligence Group