Expertise level: Medium
What is Simple Network Management Protocol?
Simple Network Management Protocol (SNMP) is one of the most popular protocols used for network management. It is used to collect information from, or to configure, SNMP-capable network devices such as servers, switches, routers and hardware firewalls.
Read more details about this protocol: http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol
The SNMP service can be used to reflect and amplify a stream of UDP packets towards a DDoS target. This can occur when the default public community is used and the SNMP traffic is not filtered upon installation.
Running a public SNMP service also lets hackers collect information about your server, which they can use to prepare an attack.
Verifying if your server/device is vulnerable
To test if your server is exploitable, run the following command on an external machine:
# nmap -Pn -n -sU -p 161 --script "snmp-info,snmp-sysdescr" [Server-IP]
Example output if the SNMP UDP port is exploitable:
PORT STATE SERVICE
161/udp open snmp
| enterprise: net-snmp
| engineIDFormat: xxxxx
| engineIDData: xxxxxxxxxxxx
| snmpEngineBoots: x
|_ snmpEngineTime: xxxdxxhxxmxxs
You can also query the system description (sysDescr.0) directly with snmpget:
# snmpget -c public -v 2c [Server-IP] 1.3.6.1.2.1.1.1.0
If the SNMP server sends a reply like "iso.3.6.1.2.1.1.1.0 = STRING: "[information about your system]"", your server is vulnerable to these attacks. Otherwise, it may show "Timeout: No Response from [Server-IP]".
Different options are available to protect your server or device:
1) Disable the SNMP service if you are not using it. This is the easiest and most effective solution.
2) Configure a private community and use SNMP authentication instead of the default public community.
3) Configure the SNMP service to limit SNMP requests to a specific list of hosts.
4) Configure your firewall to perform egress filtering, which may help mitigate attacks that use source IP spoofing. Refer to your product's documentation for instructions on how to perform egress filtering.
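
Options 2 and 3 can be checked in the configuration file itself. The script below is an added example, not part of the original article: it assumes a net-snmp agent configured through snmpd.conf and audits the rocommunity/rwcommunity and com2sec directives for the default public community and for missing source restrictions. Both sample configurations, the community string and the 192.0.2.x addresses are constructed for illustration.

```python
import shlex

DEFAULT_COMMUNITIES = {"public"}                 # default community named in this article
ANY_SOURCE = {"default", "0.0.0.0/0", "::/0"}    # source values that match every host
COMMUNITY_DIRECTIVES = ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6")

# Constructed sample: default community, reachable from any address.
WEAK = """\
# constructed sample: stock-style config
rocommunity public
com2sec notConfigUser default public
"""

# Constructed sample: non-default community limited to the monitoring hosts.
HARDENED = """\
# constructed sample: restricted config
rocommunity Xk3-constructed-string 192.0.2.10
com2sec monitor 192.0.2.0/28 Xk3-constructed-string
"""

def audit_snmpd_conf(text):
    """Return (line_no, directive, problem) tuples for weak SNMPv1/v2c access lines."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        tokens = shlex.split(raw, comments=True)   # drops '#' comments and blank lines
        if not tokens:
            continue
        directive, args = tokens[0].lower(), tokens[1:]
        if directive in COMMUNITY_DIRECTIVES:
            # rocommunity COMMUNITY [SOURCE [OID]]; an omitted SOURCE means any host
            community = args[0] if args else ""
            source = args[1] if len(args) > 1 else "default"
        elif directive == "com2sec":
            # com2sec [-Cn CONTEXT] SECNAME SOURCE COMMUNITY
            if args[:1] == ["-Cn"]:
                args = args[2:]
            if len(args) < 3:
                continue
            source, community = args[1], args[2]
        else:
            continue
        if community in DEFAULT_COMMUNITIES:
            findings.append((no, directive, "default community"))
        if source in ANY_SOURCE:
            findings.append((no, directive, "no source restriction"))
    return findings

if __name__ == "__main__":
    for name, conf in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_snmpd_conf(conf) or "no findings")
```

A clean result only covers the directives checked here; the external nmap/snmpget test above remains the confirmation that the port no longer answers.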