SNMP DDoS: the vulnerability you might not know you have

Warren Bailey wbailey at satelliteintelligencegroup.com
Wed Jul 31 20:19:21 UTC 2013


Would it be possible to add SNMP to your (collective CableLabs buddies') shapers, so it would be taken care of prior to it leaving your network but after the CMTS?


Sent from my Mobile Device.


-------- Original message --------
From: "Livingood, Jason" <Jason_Livingood at cable.comcast.com>
Date: 07/31/2013 10:07 AM (GMT-08:00)
To: bottiger <bottiger10 at gmail.com>, nanog at nanog.org
Subject: Re: SNMP DDoS: the vulnerability you might not know you have


A relevant paper was released by the BITAG, see http://www.bitag.org/report-snmp-ddos-attacks.php; Section 7 includes recommendations.

See also this blog post I wrote one day short of a year ago that may be of interest: http://corporate.comcast.com/comcast-voices/taking-steps-to-prevent-unintentional-network-abuse

A remaining issue out there for the community is taking action to reduce spoofing. A related project is the Open Resolver Project at http://openresolverproject.org/.

- Jason



On 7/31/13 6:25 AM, "bottiger" <bottiger10 at gmail.com> wrote:

Before you skim past this email because you already read the Prolexic
report on it or some other article on the internet, there are 2
disturbing properties that I haven't found anywhere else online.

1) After sending abuse emails to many networks, we received many angry
replies that they monitored their traffic for days without seeing
anything (even as we were being attacked) and that their IPs were
spoofed and would block us for spamming them.

What we discovered was that their firewalls/routers/gateways coming
from vendors like Cisco and SonicWall apparently didn't record SNMP
traffic going in or out of themselves. We confirmed this multiple
times by running a query to an IP that was claimed to be clean and
watching the response come 10-60 seconds later because the device was
being so heavily abused.

2) SNMP reflection offers the largest amplification factor by far,
even surpassing DNS, Chargen, or NTP by a wide margin. I have tested a
68 byte query and received responses of up to 30,000 to 60,000 bytes.
The trick is to use GetBulkRequest to start enumerating from the first
OID and setting max repetitions to a large number. This is contrary to
the other articles online which suggest a much smaller amplification
factor with other queries.

This protocol is also prevalent in many devices ranging from routers
to printers.

To solve this problem you should block SNMP traffic coming from
outside your network and whitelist outside IPs that require it.
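As an added example (not from any of the posters): a flow-record check that a network operator could run upstream of gateways that, as the post describes, log nothing about their own SNMP traffic. It assumes constructed NetFlow-style records, 192.0.2.0/24 as the operator's address space and 198.51.100.10 as the one whitelisted external poller, and flags UDP/161 response streams to any other outside address, computing the amplification ratio when the inbound query flow is present.

```python
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("192.0.2.0/24")]           # assumed: our address space
ALLOWED_POLLERS = {ip_address("198.51.100.10")}   # assumed: external NMS allowed in
SNMP_PORT, UDP = 161, 17

# Constructed NetFlow-like records "src,sport,dst,dport,proto,packets,bytes":
# a legitimate poll; 68-byte GetBulk queries plus the reflected answers to a
# web server; a response stream with no inbound query recorded; SSH noise.
FLOWS = """\
192.0.2.5,161,198.51.100.10,40123,17,3,1200
203.0.113.77,80,192.0.2.5,161,17,400,27200
192.0.2.5,161,203.0.113.77,80,17,6400,9600000
192.0.2.9,161,203.0.113.200,53,17,240,360000
192.0.2.9,22,203.0.113.5,50000,6,100,15000
"""

def parse_flows(text):
    """Yield one dict per CSV flow record."""
    for line in text.splitlines():
        s, sp, d, dp, proto, pk, by = line.split(",")
        yield {"src": ip_address(s), "sport": int(sp), "dst": ip_address(d),
               "dport": int(dp), "proto": int(proto), "packets": int(pk),
               "bytes": int(by)}

def is_internal(ip):
    return any(ip in net for net in INTERNAL)

def find_reflection(flows, min_bytes=100_000):
    """Map (reflector, victim) -> {"amplification": ratio or None, "bytes": n}
    for UDP/161 response flows to addresses that are not whitelisted pollers."""
    flows = list(flows)
    # Inbound queries to our agents, keyed by (agent, querier), for the ratio.
    requests = {(f["dst"], f["src"]): f["bytes"] for f in flows
                if f["proto"] == UDP and f["dport"] == SNMP_PORT
                and is_internal(f["dst"])}
    findings = {}
    for f in flows:
        if f["proto"] != UDP or f["sport"] != SNMP_PORT or not is_internal(f["src"]):
            continue
        if f["dst"] in ALLOWED_POLLERS or f["bytes"] < min_bytes:
            continue
        req = requests.get((f["src"], f["dst"]))  # None: answered, no query seen
        findings[(str(f["src"]), str(f["dst"]))] = {
            "amplification": f["bytes"] / req if req else None, "bytes": f["bytes"]}
    return findings

if __name__ == "__main__":
    for (reflector, victim), info in find_reflection(parse_flows(FLOWS)).items():
        print(f"{reflector} -> {victim}: {info}")
```

A finding with amplification None is the case from point 1 above: the device answered from port 161 although no query flow reached the collector, so the query was either unlogged or arrived by a path the collector does not see.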




