Hi, On Wed, Jul 31, 2013 at 03:17:37PM +0000, Thomas St-Pierre wrote:
The problem isn't the people on this list leaving the public snmp community on their devices, it's the vendors of home routers leaving it there in their devices. Normal end users don't know or even care what snmp is. (nor can we expect them too)
A simple scan of a large cable/dsl ISP's address space will likely net you tens of thousands of devices which respond to the "public" snmp community.
I can confirm this. we did some enumeration (and discussed the said amplification attack) here: http://conference.hitb.org/hitbsecconf2007dubai/materials/D1%20-%20Enno%20Re... at the time once you scanned "typical broadband segments" of major European carriers, pretty much every address responding to a ping had SNMP "public" also. we gave the talk several times and demoed the amplification attack (with a slightly modified version of this tool: https://www.ernw.de/download/snmpattack.pl) against some of our systems, abusing $SOME_RANDOM_SEGMENT as amplifiers (we asked to stop [camera] recording in those cases where the talks were recorded) and it worked pretty much all the time (~20:1 ratio, initiated from the respective conferences' hotel wifi). thanks Enno
Thomas
On 13-07-31 10:57 AM, "Blake Dunlap" <ikiris@gmail.com> wrote:
This looks like more a security issue with the devices, not border security issues.
If you're seeing replies of that size, it means the devices themselves are set up to allow public queries of their information (not secured by even keys), which no one should be comfortable with. People should never be leaving the public access snmp strings on devices even if they are internal. Edge blocking just masks the real issue.
-Blake
On Tue, Jul 30, 2013 at 11:25 PM, bottiger <bottiger10@gmail.com> wrote:
Before you skim past this email because you already read the Prolexic report on it or some other article on the internet, there are 2 disturbing properties that I haven't found anywhere else online.
1) After sending abuse emails to many networks, we received many angry replies that they monitored their traffic for days without seeing anything (even as we were being attacked) and that their IPs were spoofed and would block us for spamming them.
What we discovered was that their firewalls/routers/gateways coming from vendors like Cisco and SonicWall apparently didn't record SNMP traffic going in or out of themselves. We confirmed this multiple times by running a query to an IP that was claimed to be clean and watching the response come 10-60 seconds later because the device was being so heavily abused.
2) SNMP reflection offers the largest amplification factor by far, even surpassing DNS, Chargen, or NTP by a wide margin. I have tested a 68 byte query and received responses of up to 30,000 to 60,000 bytes. The trick is to use GetBulkRequest to start enumerating from the first OID and setting max repetitions to a large number. This is contrary to the other articles online which suggest a much smaller amplification factor with other queries.
This protocol is also prevalent in many devices ranging from routers to printers.
To solve this problem you should block SNMP traffic coming from outside your network and whitelist outside IPs that require it.
-- Enno Rey ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 174 3082474 Handelsregister Mannheim: HRB 337135 Geschaeftsfuehrer: Enno Rey Troopers 2013 Videos online: http://www.youtube.com/user/TROOPERScon?feature=watch ======================================================= Blog: www.insinuator.net || Conference: www.troopers.de =======================================================