DDoS Attack Threats | SNMP Reflection Threat Advisory | Akamai Presentation


SNMP Reflection DDoS Attacks Highlights from a Prolexic DDoS Threat Advisory


SNMP Attacks on the Rise

• Since April 11, 2014, Prolexic has observed a marked resurgence in the use of Simple Network Management Protocol (SNMP) reflection attacks
• SNMP is a commonly used protocol in many devices for the home and office
• SNMP devices like printers, routers, servers, modems, and desktops can provide DDoS reflection and amplification for attackers

©2014 AKAMAI | FASTER FORWARD™


Why SNMP?

• Although the latest version is more secure, devices more than about three years old use SNMP v2, which is openly accessible to public requests by default
• Protocol-based attacks rise and fall in popularity; right now, new SNMP reflection tools in the underground are driving a surge in the popularity of this attack



SNMP Attack Statistics



SNMP Attacks in 2014

• 14 DDoS campaigns using the protocol have been observed since April 11, 2014
• As devices are discovered to be participating in attacks, their IP addresses are blacklisted by the Internet community, leading to smaller attack sizes
• However, malicious actors will continue to identify additional devices vulnerable to SNMP reflection
• The remaining vulnerable servers are continuing to make this attack dangerous



How SNMP Attacks Work

• GetBulk: dumps many values stored on the device
  – IP addresses on a router, what kind of toner is in the printer, or similar data
• The tool sends GetBulk requests to vulnerable SNMP-enabled devices, pretending to be the target (the request's source address is forged)
• The device then sends the GetBulk information to the target



How SNMP Attacks Work (continued)

• The resulting response can be greatly amplified
  – In one real attack, a single 37-byte request packet generated a 64,000-byte response split across 44 packets
  – This is an amplification factor of more than 1,700 times

• Any device configured to listen to SNMP v2 requests could become a reflector in such an attack
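The traffic pattern described above, as an added Python example (not Prolexic's or Akamai's code): a flow-record check that flags a host receiving large SNMP responses from many devices it never queried, plus the amplification figure for the 37-byte request / 64,000-byte response case. The flow records, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

SNMP_PORT = 161  # UDP port the reflecting devices answer from


@dataclass(frozen=True)
class Flow:
    """One unidirectional UDP flow record (NetFlow-style fields)."""
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    nbytes: int


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification: response bytes per request byte."""
    return response_bytes / request_bytes


def find_reflection_targets(flows, min_reflectors=3, min_bytes=100_000):
    """Return {host: (distinct_reflectors, total_bytes)} for hosts receiving
    large volumes of SNMP responses (source port 161) from many devices they
    never queried. Assumes the sensor sees the host's own outbound traffic, so
    a response with no matching request is the trace of a spoofed GetBulk."""
    requested = {(f.src, f.dst) for f in flows if f.dport == SNMP_PORT}
    reflectors, volume = defaultdict(set), defaultdict(int)
    for f in flows:
        if f.sport == SNMP_PORT and (f.dst, f.src) not in requested:
            reflectors[f.dst].add(f.src)
            volume[f.dst] += f.nbytes
    return {h: (len(reflectors[h]), volume[h]) for h in volume
            if len(reflectors[h]) >= min_reflectors and volume[h] >= min_bytes}


# Constructed sample: a legitimate manager polling two devices, plus five
# devices each delivering a 44-packet, 64,000-byte GetBulk answer to a host
# that sent them nothing (the advisory's single-request response size).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 50001, "10.0.0.20", 161, 1, 80),
    Flow("10.0.0.20", 161, "10.0.0.5", 50001, 1, 400),
    Flow("10.0.0.5", 50002, "10.0.0.21", 161, 1, 80),
    Flow("10.0.0.21", 161, "10.0.0.5", 50002, 1, 400),
] + [Flow(f"198.51.100.{i}", 161, "203.0.113.10", 80, 44, 64_000)
     for i in range(1, 6)]

if __name__ == "__main__":
    print(find_reflection_targets(SAMPLE_FLOWS))   # {'203.0.113.10': (5, 320000)}
    print(amplification_factor(37, 64_000))        # ~1729.7
```

The legitimate manager is not flagged because its requests to the two devices are visible in the same records; only the host receiving unsolicited responses is reported.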



Don’t Be Part of an Attack: Configure Your SNMP Devices Properly

• It is essential that network administrators help take down vulnerable devices
• Scan for devices on your network that have the default public community string and limit public access
• Devices such as printers shouldn’t be open to the Internet
• When possible, use SNMP v3



Threat Advisory: NTP – AMP DDoS toolkit

• Download the threat advisory, Threat Advisory: SNMP Reflection DDoS Attacks
• This DDoS threat advisory includes:
  – How to identify an attack from the SNMP Reflector DDoS tool
  – Analysis of the source code
  – Payload analysis
  – IDS Snort rule and attack signatures
  – Remediation instructions for owners of devices that support the SNMP v2 protocol



About Prolexic (now part of Akamai)

• We have successfully stopped DDoS attacks for more than a decade
• Our global DDoS mitigation network and 24/7 security operations center (SOC) can stop even the largest attacks that exceed the capabilities of other DDoS mitigation service providers


