Rise in SNMP DDoS Attacks

July 17, 2014 5:00 pm

Akamai’s Prolexic Security Engineering and Response Team has issued a threat advisory warning of a recent spike in DDoS attacks. This is no small problem, and it is no simple DDoS attack model. These attacks target the Simple Network Management Protocol (SNMP), used to manage network devices such as routers, switches, firewalls, and printers.

Through the use of GetBulk requests against SNMP v2, malicious actors can cause a large number of networked devices to send their stored data all at once to a target in an attempt to overwhelm the resources of the target.1 The host uses the IP address of the attacker’s target as a spoofed source from which requests will appear to originate. This will lead to a flood of SNMP GetResponse data sent from the reflectors to the target. The target will see this inflow of data as coming from the victim devices queried by the attacker. And as an added “benefit” to the attacker, this kind of DDoS attack, called a distributed reflection and amplification (DrDoS) attack, allows attackers to use a relatively small amount of their own resources to create a massive amount of malicious traffic.2

Lumeta can help identify any network vulnerabilities in this area and prevent devices from participating in these types of attacks. First, we find all the devices in the enterprise that are SNMP enabled – routers, switches, printers, etc. – and determine what version they are running, as this exploit uses the GetBulk function that was introduced in SNMP v2. We then determine if these devices are accessible via default community strings – low-hanging fruit for the attacker (and generally, a bad security practice).

Lumeta solutions will alert as soon as they find a device that meets the criteria – SNMP-enabled, running SNMP v2 and answering on a default, commonly-used or easily-guessed community string – providing this alert to a SIEM (for example) to take action. In addition, this data can be captured in detailed reports and executive dashboards, ensuring the right depth of data is available to the right audience at the right time.

If you need assistance please contact Lumeta Customer Support and we would be happy to walk you through the process or to help you create a custom view to make it easier to go back and measure your mitigation efforts.





[1] https://blogs.akamai.com/2014/05/plxsert-eyes-spike-in-snmp-reflection-ddos-attacks.html
[2] http://www.darkreading.com/attacks-breaches/snmp-ddos-attacks-spike/d/d-id/1269149