Full Disclosure mailing list archives
Re: SNMP Reflected Denial Of Service - PoC
From: Full Disclosure <full.disclosure () yandex ru>
Date: Sun, 02 Sep 2012 18:03:05 -0400
Actually, if you test it against windows snmpd or a lot of Cable modems out there, the getbulk request causes a 1500 byte packet reply. You probably tested it against linux snmpd or cisco, which in that case , yes, it returns null. 31.08.2012, 09:31, "Anestis Bechtsoudis" <bechtsoudis.a () gmail com>:
On 8/30/12 8:13 PM, Full Disclosure wrote:Hi list, I am releasing this code due to the fact that my dev server got hacked and people have been using it in the wild for bad things. Network admins should patch their networks appropriately by rejecting snmp connections from unwanted IPs.The quoted code is actually nothing more than a regular threaded UDP flood DoS tool, both SNMP spoofed requests and responses are equally 65 bytes (no reflection). Make a simple network capture for verification. The payload is a mis-used .1.3.6.1 getBulk SNMP request resulting in a null value response. A sample perl script with the biggest reflection factor per transaction achieved on Cisco devices is available here [1] (Amplification = 84 bytes request / 1480 bytes response). For more information about SNMP reflection DoS you may refer to this link [2]. The quoted code reminds me an old implementation on the same concept [3]. [1] http://pastebin.com/M9cJs89h [2] https://bechtsoudis.com/hacking/snmp-reflected-denial-of-service/ [3] http://packetstormsecurity.org/DoS/snmpdos.c -A -- #----------------------------------------------# | Anestis Bechtsoudis | | | | Network Operation Center, | | Laboratory for Computing (LabCom), | | Dept. of Computer Engineering & Informatics, | | University of Patras, Greece | |----------------------------------------------| | Public Key: http://bit.ly/Q2f5gW | | Website: https://bechtsoudis.com | #----------------------------------------------#
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: SNMP Reflected Denial Of Service - PoC Full Disclosure (Sep 03)
- Re: SNMP Reflected Denial Of Service - PoC Anestis Bechtsoudis (Sep 02)