Guide to Public SNMP Amplification Issues

Expertise level: Medium

What is Simple Network Management Protocol?

Simple Network Management Protocol (SNMP) is one of the most widely used protocols for network management. It is used to collect information from, or to configure, any SNMP-capable network device, such as servers, switches, routers and hardware firewalls.

Read more details about this protocol: http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol

Description:

The SNMP service can be used to reflect and amplify a stream of UDP packets towards a DDoS target. This can occur when the default "public" community is left enabled and SNMP traffic is not filtered after installation.

Running a publicly reachable SNMP service also allows attackers to collect information about your server as reconnaissance while preparing an attack.

Verifying if your server/device is vulnerable

To test if your server is exploitable, run the following command on an external machine:

snmpget -c public -v 2c [Server-IP] 1.3.6.1.2.1.1.1.0

If the SNMP server replies with something like iso.3.6.1.2.1.1.1.0 = STRING: "[information about your system]", your server is vulnerable to these attacks. Otherwise, it will typically show "Timeout: No Response from [Server-IP]".

Resolution:

Different options are available to protect your server or device:

1) Disable the SNMP service if you are not using it. This is the easiest and most effective solution.

2) Configure a private community string and use SNMP authentication instead of the default public community.

3) Configure the SNMP service to limit SNMP requests to a specific list of hosts.

4) Configure your firewall to perform egress filtering which may help mitigate attacks that use source IP spoofing. Refer to your product's documentation for instructions on how to perform egress filtering.
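The following net-snmp snmpd.conf fragment is an added example, not part of the original article or of any product's documentation. It shows the exposed default beside a hardened configuration that applies options 2 and 3 above; the community string, the 192.0.2.x addresses, the user name and the passphrases are placeholders to replace with your own.

```conf
# --- Weak (exposed) default: answers any host that sends the "public" community ---
# rocommunity public

# --- Hardened configuration ---

# Option 2: replace the default "public" community with a private one and
# allow it only from a single management host (placeholder values).
rocommunity REPLACE_WITH_PRIVATE_COMMUNITY 192.0.2.10/32

# Option 2 (preferred): an SNMPv3 user with authentication and encryption
# instead of a community string. net-snmp consumes createUser on the next
# start and stores the derived keys in its persistent configuration.
createUser monitoring SHA "REPLACE_WITH_AUTH_PASSPHRASE" AES "REPLACE_WITH_PRIV_PASSPHRASE"
rouser monitoring priv

# Option 3: listen only on the management interface address, not on every
# address of the host, so Internet-facing interfaces never answer SNMP.
agentAddress udp:192.0.2.1:161

# Optional: even an authorised poller only sees the "system" subtree.
view systemonly included .1.3.6.1.2.1.1
rouser monitoring priv -V systemonly
```

After restarting snmpd, the snmpget command from the "Verifying" section above should report "Timeout: No Response" when run with the public community.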
