SNMP DDoS: the vulnerability you might not know you have

Enno Rey erey at ernw.de
Wed Jul 31 15:15:12 UTC 2013


Hi,

On Wed, Jul 31, 2013 at 03:17:37PM +0000, Thomas St-Pierre wrote:
> The problem isn't the people on this list leaving the public snmp
> community on their devices, it's the vendors of home routers leaving it
> there in their devices. Normal end users don't know or even care what snmp
> is. (nor can we expect them to)
> 
> A simple scan of a large cable/dsl ISP's address space will likely net you
> tens of thousands of devices which respond to the "public" snmp community.

I can confirm this.
we did some enumeration (and discussed the said amplification attack) here:
http://conference.hitb.org/hitbsecconf2007dubai/materials/D1%20-%20Enno%20Rey%20-%20Digging%20into%20SNMP%202007%20-%20An%20Excercise%20on%20Breaking%20Networks.pdf

at the time once you scanned "typical broadband segments" of major European carriers, pretty much every address responding to a ping had SNMP "public" also.

we gave the talk several times and demoed the amplification attack (with a slightly modified version of this tool: https://www.ernw.de/download/snmpattack.pl) against some of our systems, abusing $SOME_RANDOM_SEGMENT as amplifiers (we asked to stop [camera] recording in those cases where the talks were recorded) and it worked pretty much all the time (~20:1 ratio, initiated from the respective conferences' hotel wifi).

thanks

Enno




> 
> Thomas
> 
> 
> 
> On 13-07-31 10:57 AM, "Blake Dunlap" <ikiris at gmail.com> wrote:
> 
> >This looks like more a security issue with the devices, not border
> >security
> >issues.
> >
> >If you're seeing replies of that size, it means the devices themselves are
> >set up to allow public queries of their information (not secured by even
> >keys), which no one should be comfortable with. People should never be
> >leaving the public access snmp strings on devices even if they are
> >internal. Edge blocking just masks the real issue.
> >
> >
> >-Blake
> >
> >
> >On Tue, Jul 30, 2013 at 11:25 PM, bottiger <bottiger10 at gmail.com> wrote:
> >
> >> Before you skim past this email because you already read the Prolexic
> >> report on it or some other article on the internet, there are 2
> >> disturbing properties that I haven't found anywhere else online.
> >>
> >> 1) After sending abuse emails to many networks, we received many angry
> >> replies that they monitored their traffic for days without seeing
> >> anything (even as we were being attacked) and that their IPs were
> >> spoofed and would block us for spamming them.
> >>
> >> What we discovered was that their firewalls/routers/gateways coming
> >> from vendors like Cisco and SonicWall apparently didn't record SNMP
> >> traffic going in or out of themselves. We confirmed this multiple
> >> times by running a query to an IP that was claimed to be clean and
> >> watching the response come 10-60 seconds later because the device was
> >> being so heavily abused.
> >>
> >> 2) SNMP reflection offers the largest amplification factor by far,
> >> even surpassing DNS, Chargen, or NTP by a wide margin. I have tested a
> >> 68 byte query and received responses of up to 30,000 to 60,000 bytes.
> >> The trick is to use GetBulkRequest to start enumerating from the first
> >> OID and setting max repetitions to a large number. This is contrary to
> >> the other articles online which suggest a much smaller amplification
> >> factor with other queries.
> >>
> >> This protocol is also prevalent in many devices ranging from routers
> >> to printers.
> >>
> >> To solve this problem you should block SNMP traffic coming from
> >> outside your network and whitelist outside IPs that require it.
> >>
> >>
> 
> 

-- 
Enno Rey

ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 174 3082474

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey

Troopers 2013 Videos online: http://www.youtube.com/user/TROOPERScon?feature=watch

=======================================================
Blog: www.insinuator.net || Conference: www.troopers.de
=======================================================
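An added example, not code from this thread or from ERNW: a flow-record check a network operator could run to see whether their own devices are acting as the SNMP amplifiers described in the quoted messages (68-byte GetBulkRequest in, tens of kilobytes out, and nothing in the device's own logs). The flow line format, the administered prefix and all addresses are constructed.

```python
"""Flag SNMP reflectors from flow records. Added example, not code from the thread;
the flow format and all addresses are constructed. The thread notes a 68-byte
GetBulkRequest can draw 30-60 KB of reply and that reflecting devices may log
nothing themselves; flow records from the upstream router still see both sides."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

SNMP_PORT = 161
OUR_PREFIXES = [ip_network("198.51.100.0/24")]  # assumed: the space we administer

# Constructed flow lines: proto src_ip src_port dst_ip dst_port bytes
SAMPLE_FLOWS = """\
udp 203.0.113.7 49152 198.51.100.10 161 68
udp 198.51.100.10 161 203.0.113.7 49152 41200
udp 203.0.113.7 49153 198.51.100.11 161 68
udp 198.51.100.11 161 203.0.113.7 49153 38900
udp 198.51.100.50 40001 198.51.100.12 161 90
udp 198.51.100.12 161 198.51.100.50 40001 310
""".splitlines()

def is_ours(ip):
    return any(ip_address(ip) in n for n in OUR_PREFIXES)

def parse_flow(line):
    proto, src, sport, dst, dport, nbytes = line.split()
    return proto, src, int(sport), dst, int(dport), int(nbytes)

def find_reflectors(lines, min_ratio=10.0):
    """Map our devices to (request_bytes, response_bytes, ratio) where SNMP
    replies sent to external peers exceed min_ratio times the requests."""
    req, resp = defaultdict(int), defaultdict(int)
    for line in lines:
        proto, src, sport, dst, dport, nbytes = parse_flow(line)
        if proto != "udp":
            continue
        if dport == SNMP_PORT and is_ours(dst) and not is_ours(src):
            req[dst] += nbytes   # external query reaching one of our devices
        elif sport == SNMP_PORT and is_ours(src) and not is_ours(dst):
            resp[src] += nbytes  # reply leaving towards the (likely spoofed) victim
    out = {}
    for dev, rb in resp.items():
        ratio = rb / req[dev] if req[dev] else float("inf")
        if ratio >= min_ratio:
            out[dev] = (req[dev], rb, round(ratio, 1))
    return out

if __name__ == "__main__":
    for dev, (rq, rs, ratio) in sorted(find_reflectors(SAMPLE_FLOWS).items()):
        print(f"{dev}: {rq} B in, {rs} B out, {ratio}:1 -> restrict SNMP to known managers")
```

Internal management traffic (the .50 to .12 pair) is ignored on purpose, so only devices answering outside queries are reported; those are the ones the thread's advice (block SNMP from outside, whitelist the managers that need it) applies to.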