SNMP Based Amplification Attacks
Date: 24 November 2014
The purpose of this advisory is to bring attention to a misconfiguration/vulnerability in the SNMP service that could be used in a reflection/amplification attack.
CCIRC is aware of a misconfiguration of the SNMP service that could allow a remote attacker to use the device in a reflection/amplification DDoS attack. Devices used in these attacks are not the ultimate target, but are unknowing accomplices to a DDoS attack on a third party system.
This misconfiguration allows an attacker to exploit SNMP-enabled devices that answer public SNMP queries. By sending an SNMP GetBulk request to UDP port 161, the attacker receives an amplified response on UDP port 162. Spoofing the ultimate target's IP address as the source IP of every request causes each SNMP device used in the attack to send its response to the target instead of the attacker.
As other vulnerabilities and methods of exploiting UDP based protocols for a reflective DDoS are being remediated, SNMP based amplification attacks are on the rise. Newly available SNMP reflection tools have also helped increase the occurrence of these attacks.
Community strings are transmitted in clear text by SNMP v1 and SNMP v2 devices, allowing them to be easily intercepted by attackers to disclose information and possibly modify device contents. Additionally, the default configurations for these devices are well known, providing an easily exploitable vector to an attacker.
CCIRC recommends the following practices be evaluated for implementation in environments susceptible to SNMP reflection DDoS attacks:
- Upgrade SNMP to version 3 and configure the security level to something other than "noAuth" to correct the security shortcomings of version 1 and version 2;
- Limit public internet access to systems that use the SNMP "public" community string, which is usually the default setting on many devices;
- Limit access to networked devices such as printers and make sure they are not visible from the internet;
- Adopt restrictive access policies for SNMP-managed devices, such as blocking SNMP traffic coming from outside your network and whitelisting only the outside IPs that require access.
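To check whether devices on your network are exposed to the abuse described above, the SNMP messages captured on UDP port 161 can be decoded and any SNMPv1/v2c GetBulk request that carries a well-known community string can be flagged. The following is an added example, not CCIRC's code; the packet bytes in it are constructed for illustration, and the minimal BER decoder handles only the fields needed for this check.

```python
# Flags SNMPv1/v2c GetBulk requests that use a default community string,
# i.e. the request shape used in SNMP reflection/amplification attacks.

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA5: "GetBulkRequest"}
VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}


def read_tlv(buf, pos):
    """Decode one BER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_request(packet):
    """Return version, community and PDU type of an SNMP message (None if not SNMP)."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:  # every SNMP message is an outer SEQUENCE
        return None
    _, ver, pos = read_tlv(msg, 0)
    version = int.from_bytes(ver, "big")
    if version not in (0, 1):  # v3 carries no plaintext community; not decoded here
        return {"version": VERSION_NAMES.get(version, str(version)),
                "community": None, "pdu": None}
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    info = {"version": VERSION_NAMES[version],
            "community": community.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, "0x%02x" % pdu_tag)}
    if pdu_tag == 0xA5:  # GetBulk PDU: request-id, non-repeaters, max-repetitions, ...
        _, _, p = read_tlv(pdu, 0)
        _, _, p = read_tlv(pdu, p)
        _, maxrep, _ = read_tlv(pdu, p)
        info["max_repetitions"] = int.from_bytes(maxrep, "big")
    return info


def reflection_risk(packet, default_communities=("public", "private")):
    """True when the packet is a v1/v2c GetBulk request using a well-known community."""
    info = parse_snmp_request(packet)
    return bool(info and info["pdu"] == "GetBulkRequest"
                and info["community"] in default_communities)


# Constructed SNMPv2c GetBulkRequest: community "public", max-repetitions 10, OID 1.3.6.1.2.1
SAMPLE_GETBULK = bytes.fromhex("302302010104067075626c6963a516020101020100"
                               "02010a300b300906052b060102010500")

if __name__ == "__main__":
    print(parse_snmp_request(SAMPLE_GETBULK), reflection_risk(SAMPLE_GETBULK))
```

The same parser can be run over the UDP payloads of a capture taken at the network edge; a device that answers such requests from arbitrary sources is the one the recommendations above apply to.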
Note to Readers
In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.
Please note that CCIRC's PGP key has recently been updated.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118