nanog mailing list archives
SNMP DDoS: the vulnerability you might not know you have
From: bottiger <bottiger10 () gmail com>
Date: Tue, 30 Jul 2013 21:25:44 -0700
Before you skim past this email because you already read the Prolexic report on it or some other article on the internet, there are 2 disturbing properties that I haven't found anywhere else online.

1) After sending abuse emails to many networks, we received many angry replies that they monitored their traffic for days without seeing anything (even as we were being attacked) and that their IPs were spoofed and would block us for spamming them. What we discovered was that their firewalls/routers/gateways coming from vendors like Cisco and SonicWall apparently didn't record SNMP traffic going in or out of themselves. We confirmed this multiple times by running a query to an IP that was claimed to be clean and watching the response come 10-60 seconds later because the device was being so heavily abused.

2) SNMP reflection offers the largest amplification factor by far, even surpassing DNS, Chargen, or NTP by a wide margin. I have tested a 68 byte query and received responses of up to 30,000 to 60,000 bytes. The trick is to use GetBulkRequest to start enumerating from the first OID and setting max repetitions to a large number. This is contrary to the other articles online which suggest a much smaller amplification factor with other queries. This protocol is also prevalent in many devices ranging from routers to printers.

To solve this problem you should block SNMP traffic coming from outside your network and whitelist outside IPs that require it.
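The post's first point is that the abused device itself may never log the SNMP traffic it answers, so the check has to come from a vantage point outside the device (a span port, or NetFlow/sFlow from an upstream router). The following script is an added example, not part of the original post and not anyone's production tool: it reads flow records, pairs inbound UDP/161 queries from external addresses with outbound UDP/161 responses from internal hosts, and flags any internal host whose response volume to one external peer dwarfs the queries it received, which is exactly the asymmetry the post describes. The `Flow` field layout, the `192.0.2.0/24` internal prefix and the sample records are all constructed assumptions; real exporters use their own schemas.

```python
"""Flag internal hosts acting as SNMP reflectors from externally collected flows.

Added example (not from the NANOG post). The flow schema below is an
assumption; adapt the Flow constructor to your NetFlow/sFlow exporter.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

SNMP_PORT = 161

# Assumed: the address space you consider "inside".
INTERNAL_PREFIXES = ["192.0.2.0/24"]


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    bytes: int
    packets: int


# Constructed sample flows (documentation prefixes only):
#   192.0.2.5   internal router being abused as a reflector
#   203.0.113.10  the spoofed "source" of the queries, i.e. the real victim
#   192.0.2.7 / 198.51.100.20  a host polled normally by an outside NMS
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 51234, "192.0.2.5", 161, "udp", 68 * 500, 500),      # tiny queries in
    Flow("192.0.2.5", 161, "203.0.113.10", 51234, "udp", 30_000 * 500, 500),  # huge replies out
    Flow("198.51.100.20", 45000, "192.0.2.7", 161, "udp", 90 * 10, 10),        # legitimate poll in
    Flow("192.0.2.7", 161, "198.51.100.20", 45000, "udp", 400 * 10, 10),       # modest replies out
]


def _is_internal(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def snmp_reflection_report(flows, internal_prefixes, min_ratio=10.0, min_out_bytes=100_000):
    """Return findings for (internal host, external peer) pairs whose SNMP
    responses out exceed queries in by min_ratio and at least min_out_bytes.

    A pair with responses but no observed queries gets ratio=inf: either the
    collector is missing the inbound leg, or the queries are arriving on a
    path you do not see. Both deserve a look.
    """
    nets = [ipaddress.ip_network(p) for p in internal_prefixes]
    # (internal_host, external_peer) -> [query_bytes, query_pkts, resp_bytes, resp_pkts]
    pairs = defaultdict(lambda: [0, 0, 0, 0])

    for f in flows:
        if f.proto.lower() != "udp":
            continue
        # Query leg: outside -> inside, destination port 161.
        if f.dport == SNMP_PORT and _is_internal(f.dst, nets) and not _is_internal(f.src, nets):
            rec = pairs[(f.dst, f.src)]
            rec[0] += f.bytes
            rec[1] += f.packets
        # Response leg: inside -> outside, source port 161.
        elif f.sport == SNMP_PORT and _is_internal(f.src, nets) and not _is_internal(f.dst, nets):
            rec = pairs[(f.src, f.dst)]
            rec[2] += f.bytes
            rec[3] += f.packets

    findings = []
    for (host, peer), (q_bytes, q_pkts, r_bytes, r_pkts) in pairs.items():
        if r_bytes < min_out_bytes:
            continue  # too little traffic to matter, whatever the ratio
        ratio = r_bytes / q_bytes if q_bytes else float("inf")
        if ratio >= min_ratio:
            findings.append({
                "reflector": host,
                "target": peer,
                "query_bytes": q_bytes,
                "response_bytes": r_bytes,
                "avg_response_bytes": r_bytes / r_pkts if r_pkts else 0.0,
                "amplification": ratio,
            })
    findings.sort(key=lambda x: x["response_bytes"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in snmp_reflection_report(SAMPLE_FLOWS, INTERNAL_PREFIXES):
        print(f"{f['reflector']} -> {f['target']}: {f['response_bytes']} B out vs "
              f"{f['query_bytes']} B in, x{f['amplification']:.0f} amplification, "
              f"avg reply {f['avg_response_bytes']:.0f} B")
```

The `avg_response_bytes` field is the practical tell: ordinary polling answers are a few hundred bytes, while bulk-walk responses run into the tens of kilobytes per datagram, so a host whose replies to a single outside peer average that large is worth checking against the ACL the post recommends (drop UDP/161 from outside, permit only the listed management addresses).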
Current thread:
- SNMP DDoS: the vulnerability you might not know you have bottiger (Jul 31)
- Re: SNMP DDoS: the vulnerability you might not know you have Blake Dunlap (Jul 31)
- Re: SNMP DDoS: the vulnerability you might not know you have Thomas St-Pierre (Jul 31)
- Re: SNMP DDoS: the vulnerability you might not know you have Blake Dunlap (Jul 31)
- RE: SNMP DDoS: the vulnerability you might not know you have James Braunegg (Jul 31)
- Re: SNMP DDoS: the vulnerability you might not know you have bottiger (Jul 31)
- Re: SNMP DDoS: the vulnerability you might not know you have Warren Bailey (Jul 31)
- Re: SNMP DDoS: the vulnerability you might not know you have Dobbins, Roland (Jul 31)
- Re: SNMP DDoS: the vulnerability you might not know you have Blake Dunlap (Jul 31)
- Re: SNMP DDoS: the vulnerability you might not know you have bottiger (Jul 31)
- Re: SNMP DDoS: the vulnerability you might not know you have Jimmy Hess (Jul 31)
- Re: SNMP DDoS: the vulnerability you might not know you have Thomas St-Pierre (Jul 31)
- Re: SNMP DDoS: the vulnerability you might not know you have Blake Dunlap (Jul 31)