Rule Category

POLICY-OTHER --

Alert Message

POLICY-OTHER RPC Portmapper version 2 dump request attempt

Rule Explanation

This event is generated when an inbound RPC Portmapper version 2 dump request is made at least 10 times within 1 second.

Impact: Detection of a Denial of Service attack via amplification, if enough responses are generated in a short enough period of time.

Details: RPC Portmapper, in response to a legitimate call, will reply with a valid response. The issue is that the response is significantly larger than the initial inbound request. This is known as amplification, and if a significant number of responses are forwarded to a server, a DoS condition may occur.

Ease of Attack: Simple and publicly available

What To Look For

Known Usage

No public information

False Positives

Known false positives, with the described conditions

Detection only covers ten requests made in a short period of time; the requests in and of themselves do nothing harmful and are completely legitimate. Many requests made to a single server in a short period are, however, likely indicative of an attempted UDP amplification DoS attack.
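The rate condition described in the Rule Explanation and False Positives sections above, as an added example that is not part of this rule page or of the Snort rule itself: it parses the ONC RPC CALL header of each datagram, keeps only Portmapper (program 100000) version 2 DUMP (procedure 4) calls, and reports when the tenth such call from one address arrives within a one-second sliding window. The per-source tracking key, the helper names and the sample addresses are assumptions made for this example.

```python
import struct
from collections import defaultdict, deque

PMAP_PROG = 100000      # Portmapper program number (RFC 1833)
PMAP_VERS = 2           # version 2 of the Portmapper protocol
PMAPPROC_DUMP = 4       # procedure 4 = DUMP (list all registered programs)
THRESHOLD = 10          # rule condition: at least 10 requests ...
WINDOW = 1.0            # ... within 1 second


def build_pmap_call(xid, proc=PMAPPROC_DUMP):
    """Constructed sample: minimal ONC RPC CALL (RFC 5531) with AUTH_NULL cred/verf."""
    header = struct.pack("!IIIIII", xid, 0, 2, PMAP_PROG, PMAP_VERS, proc)
    auth_null = struct.pack("!IIII", 0, 0, 0, 0)   # cred flavor/len, verf flavor/len
    return header + auth_null


def is_pmap_v2_dump(payload):
    """True if the datagram is an RPC CALL for Portmapper v2 DUMP."""
    if len(payload) < 24:
        return False
    _xid, msg_type, rpc_vers, prog, vers, proc = struct.unpack("!IIIIII", payload[:24])
    return (msg_type == 0 and rpc_vers == 2 and prog == PMAP_PROG
            and vers == PMAP_VERS and proc == PMAPPROC_DUMP)


class DumpRateDetector:
    """Sliding-window counter keyed by source address (assumed key for this example)."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(deque)

    def observe(self, ts, src, payload):
        """Return True when this datagram is the threshold-th DUMP call from src inside the window."""
        if not is_pmap_v2_dump(payload):
            return False
        q = self.seen[src]
        q.append(ts)
        while q and ts - q[0] > self.window:    # drop timestamps older than the window
            q.popleft()
        return len(q) >= self.threshold


if __name__ == "__main__":
    det = DumpRateDetector()
    for i in range(10):   # constructed burst: 10 DUMP calls, 100 ms apart, from one address
        if det.observe(0.1 * i, "198.51.100.7", build_pmap_call(i)):
            print(f"alert: {THRESHOLD} Portmapper v2 DUMP requests within {WINDOW}s from 198.51.100.7")
```

In a reflection scenario the source address is spoofed to the victim, so the "source" that trips the threshold is the intended target, which is why the False Positives note treats a burst against one server as suspicious rather than any single request.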

Contributors

Cisco Talos Intelligence Group

MITRE ATT&CK Framework

Tactic:

Technique:

For reference, see the MITRE ATT&CK tactics and techniques here: https://attack.mitre.org

Additional Links

Rule Vulnerability

CVE Additional Information