SNMP DDoS: the vulnerability you might not know you have

Jimmy Hess mysidia at
Wed Jul 31 23:42:07 UTC 2013

On 7/31/13, Blake Dunlap <ikiris at> wrote:
> I bet blocking all SYN packets and non related flow UDP packets to
> customers would be even more effective. Why don't we do that and be done
> with it instead of playing whack a mole every 3 months when someone finds
> some new service that was poorly designed so that it can be used to send a
> flood?

Because it breaks applications that people are paying to be able to use.

The way I see it;  more and more samples keep getting found about
protocols abused because networks have not implemented BCP38.

The latest SNMP trend is just another uptick to the sample size,  and
proof that  Closing off   perfectly OK  recursive DNS services  is
totally inadequate and not a useful long-term fix  to the problem of
DDoS or IP/UDP reflection attacks.

Asking folks to improve the security of access to their SNMP instances
is just chasing the latest exploit implementation,  with no attention
to the vulnerability or the root cause....


More information about the NANOG mailing list