DoS/DDoS attacks exploiting Open SNMP Vulnerability

Original Issue Date: October 12, 2023
Severity: High

Software Affected:

  • SNMPv1
  • SNMPv2

Abstract:

The Simple Network Management Protocol (SNMP) facilitates the exchange of management information between networked devices operating in an Internet Protocol (IP) network. SNMP agents listen on UDP port 161, while the manager listens on UDP port 162. A remote attacker may abuse vulnerable SNMP-enabled network devices to gather information about an organization's network infrastructure, and hosts with SNMP publicly accessible may be used in amplification attacks by criminals who wish to perform a denial of service attack.

Technical Description:

The open SNMP vulnerability exists mainly because SNMP is enabled by default with the community strings "private" for write/management access and "public" for read access, even on devices that do not require it, and administrators are not aware of its existence. Thus, hosts with SNMP publicly accessible that respond to the community "public" may be used in amplification attacks by criminals who wish to perform DoS/DDoS attacks. SNMP agents running older versions of SNMP on port 161/UDP may be abused in UDP-based amplification attacks. An unprotected SNMP service can also leak sensitive technical information from the vulnerable device.

Vulnerability Assessment:

In order to validate the presence of SNMP on a target device, it is advised to execute the commands mentioned below from an external network:

Command:

  • sudo nmap -sUV -p 161 <server ip>
  • nmap -sU -p 161 --script=snmp-interfaces <target>

Countermeasures and Best practices for prevention:

  • Disable SNMP on all devices that do not require SNMP services for your network.
  • Upgrade to SNMPv3, which employs better encryption.
  • Apply ingress filtering: configure the firewall to block UDP ports 161 and 162, and any other custom-configured SNMP port, from the outside world. If you have public servers, allow inbound traffic from the internet to only those servers. If none of the above is possible, at least monitor activity on all ports used by SNMP.
  • Apply egress filtering to block servers from initiating outbound traffic to the internet, since there is hardly a need for it.
  • Reduce the risk of internal attack by applying a filter that limits SNMP requests to authorized devices only.
  • Change the default community string: the community string acts as a password for SNMP communication, so it is recommended to set a long, strong and complex community string for communicating with your server.
  • Some devices allow you to restrict SNMP access. If available, it is recommended that you configure which hosts can send SNMP write commands, and possibly which hosts can read information.
  • Limit SNMP access to only those devices that require SNMP for monitoring.
  • If SNMP cannot be blocked or disabled, create a separate management network for SNMP traffic; this makes an attack considerably harder.
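The nmap checks above show whether an agent answers from outside; the countermeasures then ask you to monitor SNMP activity where filtering is not possible. The script below is an added example, not part of this advisory, that applies that monitoring logic to constructed UDP flow records: it pairs each query to port 161 with the agent's reply, flags agents that answered an external client (an ingress-filtering gap) and computes the reply/request byte ratio that turns an agent into an amplification vector. The internal address ranges, the 5x threshold and the CSV flow format are assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumed address ranges that count as "inside" the organization.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
SNMP_AGENT_PORT = 161
AMPLIFICATION_RATIO = 5.0   # reply/request byte ratio that marks an amplifier
FIELDS = ["src_ip", "src_port", "dst_ip", "dst_port", "proto", "bytes"]

# Constructed flow records (not a real capture): three clients query agent 10.1.2.3.
SAMPLE_FLOWS = """\
203.0.113.7,40001,10.1.2.3,161,udp,90
10.1.2.3,161,203.0.113.7,40001,udp,1440
198.51.100.9,40002,10.1.2.3,161,udp,82
10.1.2.3,161,198.51.100.9,40002,udp,88
10.9.9.9,50000,10.1.2.3,161,udp,90
10.1.2.3,161,10.9.9.9,50000,udp,1400
"""

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def analyze_snmp_flows(text):
    """Pair UDP/161 queries with the agent's replies; report who was answered and the amplification."""
    sent = defaultdict(int)      # (client, client_port, agent) -> bytes sent to agent
    received = defaultdict(int)  # same key -> bytes the agent sent back
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        if row["proto"] != "udp":
            continue
        size = int(row["bytes"])
        if int(row["dst_port"]) == SNMP_AGENT_PORT:
            sent[(row["src_ip"], row["src_port"], row["dst_ip"])] += size
        elif int(row["src_port"]) == SNMP_AGENT_PORT:
            received[(row["dst_ip"], row["dst_port"], row["src_ip"])] += size
    findings = []
    for key, req_bytes in sent.items():
        client, _, agent = key
        resp_bytes = received.get(key, 0)
        if resp_bytes == 0:
            continue  # unanswered query: port is filtered or SNMP is disabled
        ratio = resp_bytes / req_bytes
        findings.append({"agent": agent, "client": client,
                         "external_client": not is_internal(client),
                         "ratio": round(ratio, 1),
                         "amplifier": ratio >= AMPLIFICATION_RATIO})
    return findings
```

Any finding with `external_client` set means the agent is reachable from the internet regardless of the ratio; a high ratio on an internal client is still worth fixing because of the reflection risk from inside the network.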

Solution:

Best practices are available at:

References: