Portmap UNSET procedure requested with spoofed address

Risk Level: High

Check or Attack Name: pmapsunset

Platforms: RPC Portmapper

Description:

The RPC Portmapper implements the UNSET procedure, which allows RPC programs to unregister themselves with the portmapper. This destroys the mapping between the program's RPC number and port number inside the portmapper and is usually called as the service shuts down. Many implementations accept spoofed UNSETs that appear to originate from the local machine. In many cases, the UNSET is executed with superuser privileges.

Remedy:

Remote Procedure Call (RPC) is an inherently unsafe protocol and should be blocked at all border gateways and firewalls to prevent outside attackers from exploiting these weaknesses. In addition, packets entering a network that appear to come from hosts inside that network, or from invalid addresses such as 127.0.0.1, should be blocked to prevent spoofing attacks.
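The source-address check described in the remedy can also be used for detection. The sketch below is an added example, not part of the original advisory: it parses a portmap version 2 call (program 100000, procedure numbers per RFC 1833) and flags UNSET, and by extension SET, requests whose source address is loopback or claims to be internal while arriving from outside. It assumes the sensor watches a non-loopback interface and is handed UDP payloads sent to port 111; the function names, the 192.0.2.0/24 network and the sample payloads are constructed for illustration.

```python
import ipaddress
import struct

PMAP_PROG = 100000                    # portmapper program number (RFC 1833)
PMAP_PROCS = {1: "SET", 2: "UNSET"}   # procedures that change the mapping table
RPC_CALL = 0

def parse_pmap_call(payload: bytes):
    """Return (proc, target_prog) for a portmap v2 CALL over UDP, else None."""
    if len(payload) < 24:
        return None
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack(">6I", payload[:24])
    if mtype != RPC_CALL or rpcvers != 2 or prog != PMAP_PROG or vers != 2:
        return None
    off = 24
    for _ in range(2):   # skip credential, then verifier: flavor, length, body
        if len(payload) < off + 8:
            return None
        _, length = struct.unpack(">2I", payload[off:off + 8])
        off += 8 + ((length + 3) & ~3)   # opaque bodies are padded to 4 bytes
    if len(payload) < off + 16:          # mapping: prog, vers, prot, port
        return None
    (target_prog,) = struct.unpack(">I", payload[off:off + 4])
    return proc, target_prog

def check_packet(src_ip, payload, internal_net, from_outside):
    """Return alert text if a mapping-changing call claims a local source."""
    call = parse_pmap_call(payload)
    if call is None or call[0] not in PMAP_PROCS:
        return None
    src = ipaddress.ip_address(src_ip)
    internal = src in ipaddress.ip_network(internal_net)
    if src.is_loopback or (from_outside and internal):
        return (f"spoofed-source PMAP {PMAP_PROCS[call[0]]} "
                f"for program {call[1]} from {src_ip}")
    return None

def rpc_call(proc, mapping):
    """Constructed sample payload with AUTH_NONE credential and verifier."""
    header = struct.pack(">6I", 0x1234, RPC_CALL, 2, PMAP_PROG, 2, proc)
    return header + struct.pack(">4I", 0, 0, 0, 0) + struct.pack(">4I", *mapping)

SAMPLE_UNSET = rpc_call(2, (100003, 3, 17, 0))     # constructed: UNSET for NFS
SAMPLE_GETPORT = rpc_call(3, (100003, 3, 17, 0))   # constructed: read-only lookup
```

Read-only procedures such as GETPORT are not flagged, and a legitimate internal host is only flagged when its address shows up on traffic arriving from outside.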

References:

PGCI Inc., rpcbind: deceive, inveigle and obfuscate, http://www.pgci.ca/rpc.html

BUGTRAQ Mailing List, rpcbind: deceive, enveigle and obfuscate, http://www.netspace.org/cgi-bin/wa?A2=ind9901E&L=bugtraq&P=R125

