nanog mailing list archives
Re: snmp vuln
From: Saku Ytti <saku+nanog () ytti fi>
Date: Thu, 22 Apr 2004 10:17:06 +0300
On (2004-04-21 23:24 -0700), Alexei Roudnev wrote:
If you ever read SNMP specs, you can realize, that there is not any C or C++ SNMP implementation without such problem. So, rule number 1 is _never expose SNMP to Internet, and be careful to filter out any inbound packets, forwarded to your SNMP ports.
Which makes me wonder, why in most implementations services listen in each configured address. Provider might have lot of link networks, even from customers demand from his link network. This makes filtering in borders little less feasible. And for this particular attack two way comminication is not needed, so SNMP with ACL is not enought to mitigate this. With explicitly defined listen addresses, filtering in border would be easy. JunOS allows to set interfaces to SNMP, but according to netstat it still listens in *.161. -- ++ytti
Current thread:
- snmp vuln Mikael Abrahamsson (Apr 21)
- Re: snmp vuln Alexei Roudnev (Apr 21)
- Re: snmp vuln Saku Ytti (Apr 22)
- Re: snmp vuln Alexei Roudnev (Apr 21)