SNMP Based Amplification Attacks

Number: AV14-095
Date: 24 November 2014

Purpose

The purpose of this advisory is to bring attention to a misconfiguration/vulnerability in the SNMP service that could be used in a reflection/amplification attack.

Assessment

CCIRC is aware of a misconfiguration of the SNMP service that could allow a remote attacker to use the device in a reflection/amplification DDoS attack. Devices used in these attacks are not the ultimate target, but are unknowing accomplices to a DDoS attack on a third party system.

This misconfiguration allows an attacker to exploit SNMP-enabled devices that allow public SNMP queries. By sending an SNMP GetBulk request on UDP port 161, the attacker is able to receive an amplified response on UDP port 162. Using the ultimate target IP address as a spoofed source IP for every request will result in the SNMP devices used in the attack sending the response to the target IP.

As other vulnerabilities and methods of exploiting UDP based protocols for a reflective DDoS are being remediated, SNMP based amplification attacks are on the rise. Newly available SNMP reflection tools have also helped increase the occurrence of these attacks.

Community strings are transmitted in clear text by SNMP v1 and SNMP v2 devices, allowing them to be easily intercepted by attackers, who can then disclose information and possibly modify contents. Additionally, the default configurations for these devices are well known, providing an easily exploitable vector to an attacker.
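
The following added example (not part of the CCIRC advisory) audits an agent configuration for the conditions described above: community-based access that answers any source address, default community strings, and write access. It assumes the agent is Net-SNMP and uses its snmpd.conf directives (rocommunity, rwcommunity, com2sec); the sample configuration and the function names are constructed for illustration.

```python
import ipaddress

DEFAULT_COMMUNITIES = {"public", "private"}   # well-known default strings
ANY_SOURCE = {"default", "0.0.0.0/0", "::/0"}  # Net-SNMP tokens meaning "any address"

# Constructed sample in Net-SNMP snmpd.conf syntax (documentation address ranges).
SAMPLE_CONF = """\
# constructed sample, not from a real device
rocommunity public
rwcommunity private 192.0.2.0/24
rocommunity n0c-Mon1tor 198.51.100.10
com2sec readonly default public
rouser monitor priv
"""

def is_open(source):
    """True when the source restriction is absent or matches every address."""
    if source is None or source in ANY_SOURCE:
        return True
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False  # hostname or other token: treated as a restriction

def audit(conf_text):
    """Return (line_no, finding) tuples for SNMP v1/v2c community directives."""
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        kind = tok[0].lower()
        if kind in ("rocommunity", "rwcommunity", "rocommunity6",
                    "rwcommunity6") and len(tok) >= 2:
            community, source = tok[1], (tok[2] if len(tok) > 2 else None)
        elif kind == "com2sec" and len(tok) >= 4:
            source, community = tok[-2], tok[-1]  # ... SECNAME SOURCE COMMUNITY
        else:
            continue  # SNMPv3 users (rouser/rwuser) and unrelated directives
        if is_open(source):
            findings.append((no, "answers queries from any source address"))
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((no, "default community string"))
        if kind.startswith("rw"):
            findings.append((no, "write access over a clear-text community"))
    return findings

if __name__ == "__main__":
    for no, finding in audit(SAMPLE_CONF):
        print(f"line {no}: {finding}")
```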

Suggested Action

CCIRC recommends the following practices be evaluated for implementation in environments susceptible to SNMP reflection DDoS attacks:

References

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note, CCIRC PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
