Has anyone seen any discernible operational impact from CA-2002-03? Things like: increase in SNMP probes, increase in BGP churn due to outside networks being affected, customer complaints, increase in number of customer flaps, anyone willing to admit to being directly impacted, anyone willing to admit surviving an attempt, does anyone have any evidence of an actual exploit, any evidence that people wearing the wrong color hats are using this or trying to?

Frank Scalzo
I've been watching the ACLs on various routers on our (my employer's) network as well as on my home network.

I've only seen one host attempt to send any sort of SNMP "goodies" to my network:

Feb 14 05:57:55.239 EST: %SEC-6-IPACCESSLOGP: list 2699 denied udp 193.64.58.53(2101) -> 204.42.252.53(161), 1 packet
Feb 14 06:03:51.550 EST: %SEC-6-IPACCESSLOGP: list 2699 denied udp 193.64.58.53(2101) -> 204.42.253.53(161), 1 packet
Feb 14 06:03:51.550 EST: %SEC-6-IPACCESSLOGP: list 2699 denied udp 193.64.58.53(2101) -> 204.42.254.53(161), 1 packet
Feb 14 06:03:51.550 EST: %SEC-6-IPACCESSLOGP: list 2699 denied udp 193.64.58.53(2101) -> 204.42.255.53(161), 1 packet

Obviously I don't speak for the entire Internet, but I'm not seeing anything that interesting to take note of (IMHO) currently.

- Jared

On Thu, Feb 14, 2002 at 02:00:44AM -0500, Frank B. Scalzo wrote:
Has anyone seen any discernible operational impact from CA-2002-03? Things like: increase in SNMP probes, increase in BGP churn due to outside networks being affected, customer complaints, increase in number of customer flaps, anyone willing to admit to being directly impacted, anyone willing to admit surviving an attempt, does anyone have any evidence of an actual exploit, any evidence that people wearing the wrong color hats are using this or trying to?
Frank Scalzo
--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++;     | http://puck.nether.net/~jared/  My statements are only mine.
I've seen only a few probes here; interestingly, from exactly the same host you mention.

On Thu, 14 Feb 2002, Jared Mauch wrote:
:
: I've been watching the ACLs on various routers on our (my employer's)
:network as well as on my home network.
:
: I've only seen one host attempt to send any sort
:of SNMP "goodies" to my network:
:
:Feb 14 05:57:55.239 EST: %SEC-6-IPACCESSLOGP: list 2699 denied udp 193.64.58.53(2101) -> 204.42.252.53(161), 1 packet
:Feb 14 06:03:51.550 EST: %SEC-6-IPACCESSLOGP: list 2699 denied udp 193.64.58.53(2101) -> 204.42.253.53(161), 1 packet
:Feb 14 06:03:51.550 EST: %SEC-6-IPACCESSLOGP: list 2699 denied udp 193.64.58.53(2101) -> 204.42.254.53(161), 1 packet
:Feb 14 06:03:51.550 EST: %SEC-6-IPACCESSLOGP: list 2699 denied udp 193.64.58.53(2101) -> 204.42.255.53(161), 1 packet
:
: Obviously I don't speak for the entire Internet, but
:I'm not seeing anything that interesting to take note of (IMHO)
:currently.
:
: - Jared
:
:On Thu, Feb 14, 2002 at 02:00:44AM -0500, Frank B. Scalzo wrote:
:>
:>
:> Has anyone seen any discernible operational impact from CA-2002-03? Things
:> like: increase in SNMP probes, increase in BGP churn due to outside networks
:> being affected, customer complaints, increase in number of customer flaps,
:> anyone willing to admit to being directly impacted, anyone willing to admit
:> surviving an attempt, does anyone have any evidence of an actual exploit,
:> any evidence that people wearing the wrong color hats are using this or
:> trying to?
:>
:> Frank Scalzo
:
:
Has anyone seen any discernible operational impact from CA-2002-03? Things <snip>
I've only seen a couple of hits here; however, they were destined to network addresses...

Feb 13 15:10:11 EST: %SEC-6-IPACCESSLOGP: list 112 denied udp 65.163.197.2(12154) -> 63.x.y.0(161), 1 packet
Feb 13 15:57:02 EST: %SEC-6-IPACCESSLOGP: list 112 denied udp 65.163.197.2(11290) -> 65.x.y.0(161), 1 packet

--Chad
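The posts above are doing the same thing by eye: reading IOS `%SEC-6-IPACCESSLOGP` lines off an ACL that denies UDP/161 and asking who is probing, how many targets they hit, and (Chad's point) whether the targets are network addresses. As an added example, not code from any poster in this thread, here is a small Python script that parses lines in that exact format and summarises SNMP probes per source host. The sample log is constructed from RFC 5737 documentation-range addresses, not the hosts the posters reported; the "sweep" cut-off of three distinct destinations is an assumption, and the ".0 means network address" test is only a heuristic that holds for /24 or shorter prefixes.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample syslog output in the IOS %SEC-6-IPACCESSLOGP format quoted
# in the thread. Addresses are from the RFC 5737 documentation ranges and are
# NOT the hosts reported by any poster. One unrelated syslog line is included
# to show that non-ACL messages are skipped.
SAMPLE_LOG = """\
Feb 14 05:57:55.239 EST: %SEC-6-IPACCESSLOGP: list 2699 denied udp 192.0.2.53(2101) -> 198.51.100.53(161), 1 packet
Feb 14 06:03:51.550 EST: %SEC-6-IPACCESSLOGP: list 2699 denied udp 192.0.2.53(2101) -> 198.51.100.54(161), 1 packet
Feb 14 06:03:51.550 EST: %SEC-6-IPACCESSLOGP: list 2699 denied udp 192.0.2.53(2101) -> 198.51.100.55(161), 1 packet
Feb 14 06:03:51.550 EST: %SEC-6-IPACCESSLOGP: list 2699 denied udp 192.0.2.53(2101) -> 198.51.100.56(161), 1 packet
Feb 14 07:12:03.101 EST: %SEC-6-IPACCESSLOGP: list 2699 denied udp 192.0.2.53(2101) -> 198.51.100.7(162), 1 packet
Feb 13 15:10:11 EST: %SEC-6-IPACCESSLOGP: list 112 denied udp 203.0.113.2(12154) -> 198.51.100.0(161), 1 packet
Feb 13 15:57:02 EST: %SEC-6-IPACCESSLOGP: list 112 denied udp 203.0.113.2(11290) -> 192.0.2.0(161), 1 packet
Feb 14 07:15:00.000 EST: %SEC-6-IPACCESSLOGP: list 2699 denied tcp 192.0.2.9(4000) -> 198.51.100.7(22), 3 packets
Feb 14 07:16:00.000 EST: %SYS-5-CONFIG_I: Configured from console by vty0
"""

# Fields of one IPACCESSLOGP message: timestamp, ACL number/name, action,
# protocol, source(port) -> destination(port), packet count.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} [\d:.]+ \w+): %SEC-6-IPACCESSLOGP: "
    r"list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)

SNMP_PORTS = {161, 162}  # agent (get/set) and trap/notification receiver


@dataclass(frozen=True)
class AclHit:
    ts: str
    acl: str
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    packets: int


def parse_acl_log(text):
    """Return an AclHit for every IPACCESSLOGP line; other syslog lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m is None:
            continue
        hits.append(AclHit(m["ts"], m["acl"], m["action"], m["proto"],
                           m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                           int(m["count"])))
    return hits


def snmp_hits(hits):
    """Only UDP traffic aimed at the SNMP ports counts as a probe."""
    return [h for h in hits if h.proto == "udp" and h.dport in SNMP_PORTS]


def probe_summary(hits, sweep_threshold=3):
    """Per source host: packets seen, first/last timestamp in file order, distinct
    destinations, whether it looks like a sweep (>= sweep_threshold distinct
    targets; the default of 3 is an assumed cut-off), and which targets end in .0.
    The .0 test is a heuristic for a network address that only holds for /24 or
    shorter prefixes, so treat it as a hint, not proof."""
    by_src = defaultdict(list)
    for h in snmp_hits(hits):
        by_src[h.src].append(h)
    summary = {}
    for src, hs in by_src.items():
        dsts = sorted({h.dst for h in hs})
        summary[src] = {
            "packets": sum(h.packets for h in hs),
            "first_seen": hs[0].ts,
            "last_seen": hs[-1].ts,
            "destinations": dsts,
            "sweep": len(dsts) >= sweep_threshold,
            "network_address_targets": [d for d in dsts if d.endswith(".0")],
        }
    return summary


if __name__ == "__main__":
    for src, info in probe_summary(parse_acl_log(SAMPLE_LOG)).items():
        flags = []
        if info["sweep"]:
            flags.append("sweep")
        if info["network_address_targets"]:
            flags.append("net-addr targets")
        print(f"{src}: {info['packets']} pkt(s) to {len(info['destinations'])} "
              f"host(s) [{', '.join(flags) or 'single probe'}]")
```

Run it against a router's syslog export and the per-source view makes the two patterns in the thread obvious: one host walking a fixed host offset across consecutive /24s (a sweep), and one host aiming only at .0 addresses. Lines for port 162 are counted too, since a trap receiver is an SNMP listener as well; TCP hits and non-ACL messages are dropped before counting.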
So far no one has told me they've been hit. And to follow up, because self-reporting isn't that accurate, I have not seen any operational impact due to someone exploiting, or attempting to exploit, SNMP. So far most of the problems I've tracked down in the last 72 hours have been due to unrelated problems or network operators rushing to patch or block SNMP.

According to notes sent/forwarded to me, several network operators have blocked SNMP ports in their hosting facilities either permanently or for a few days while folks figure out what to do. I have not seen any gaps in most MRTG data graphs (which use SNMP) displayed on providers' web sites. The RIPE, Telstra, Keynote, Matrix, etc. global network data graphs don't appear out of the ordinary.

On Thu, 14 Feb 2002, Frank B. Scalzo wrote:
Has anyone seen any discernible operational impact from CA-2002-03? Things like: increase in SNMP probes, increase in BGP churn due to outside networks being affected, customer complaints, increase in number of customer flaps, anyone willing to admit to being directly impacted, anyone willing to admit surviving an attempt, does anyone have any evidence of an actual exploit, any evidence that people wearing the wrong color hats are using this or trying to?
On Thu, Feb 14, 2002 at 02:00:44AM -0500, Frank B. Scalzo wrote:
Has anyone seen any discernible operational impact from CA-2002-03? Things like: increase in SNMP probes, increase in BGP churn due to outside networks being affected, customer complaints, increase in number of customer flaps, anyone willing to admit to being directly impacted, anyone willing to admit surviving an attempt, does anyone have any evidence of an actual exploit, any evidence that people wearing the wrong color hats are using this or trying to?
#include <stddisclaimer>

We saw a few boxes which appeared to have been compromised in the past day or two, and which were running SNMPd. On the other hand, they were also running other potentially dangerous network interfaces as well, so the timing may well be coincidental.

--
Joel Baker
System Administrator - lightbearer.com
lucifer@lightbearer.com
http://users.lightbearer.com/lucifer/
participants (6)
- Brian Wallingford
- Chad Oleary
- Frank B. Scalzo
- Jared Mauch
- Joel Baker
- Sean Donelan