Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: SNMP Reflected Denial Of Service - PoC

From: Full Disclosure <full.disclosure () yandex ru>
Date: Sun, 02 Sep 2012 18:03:05 -0400
Actually, if you test it against windows snmpd or a lot of Cable modems out there, the getbulk request causes a 1500 
byte packet reply.
You probably tested it against linux snmpd or cisco, which in that case , yes, it returns null. 

31.08.2012, 09:31, "Anestis Bechtsoudis" <bechtsoudis.a () gmail com>:

On 8/30/12 8:13 PM, Full Disclosure wrote:


 Hi list,

 I am releasing this code due to the fact that my dev server got hacked and people have been using it in the wild 
for bad things.

 Network admins should patch their networks appropriately by rejecting snmp connections from unwanted IPs.


The quoted code is actually nothing more than a regular threaded UDP
flood DoS tool, both SNMP spoofed requests and responses are equally 65
bytes (no reflection). Make a simple network capture for verification.

The payload is a mis-used .1.3.6.1 getBulk SNMP request resulting in a
null value response.

A sample perl script with the biggest reflection factor per transaction
achieved on Cisco devices is available here [1] (Amplification = 84
bytes request / 1480 bytes response).

For more information about SNMP reflection DoS you may refer to this
link [2].

The quoted code reminds me an old implementation on the same concept [3].

[1] http://pastebin.com/M9cJs89h
[2] https://bechtsoudis.com/hacking/snmp-reflected-denial-of-service/
[3] http://packetstormsecurity.org/DoS/snmpdos.c

-A

--
#----------------------------------------------#
| Anestis Bechtsoudis                          |
|                                              |
| Network Operation Center,                    |
| Laboratory for Computing (LabCom),           |
| Dept. of Computer Engineering & Informatics, |
| University of Patras, Greece                 |
|----------------------------------------------|
| Public Key: http://bit.ly/Q2f5gW             |
| Website: https://bechtsoudis.com             |
#----------------------------------------------#


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: