Re: SNMP DDoS: the vulnerability you might not know you have

[Enno Rey <erey () ernw de>]

Hi,

On Wed, Jul 31, 2013 at 03:17:37PM +0000, Thomas St-Pierre wrote:
> The problem isn't the people on this list leaving the public snmp
> community on their devices, it's the vendors of home routers leaving it
> there in their devices. Normal end users don't know or even care what snmp
> is. (nor can we expect them too)
>
> A simple scan of a large cable/dsl ISP's address space will likely net you
> tens of thousands of devices which respond to the "public" snmp community.

I can confirm this.
we did some enumeration (and discussed the said amplification attack) here:
http://conference.hitb.org/hitbsecconf2007dubai/materials/D1%20-%20Enno%20Rey%20-%20Digging%20into%20SNMP%202007%20-%20An%20Excercise%20on%20Breaking%20Networks.pdf

at the time once you scanned "typical broadband segments" of major European carriers, pretty much every address 
responding to a ping had SNMP "public" also. 

we gave the talk several times and demoed the amplification attack (with a slightly modified version of this tool: 
https://www.ernw.de/download/snmpattack.pl) against some of our systems, abusing $SOME_RANDOM_SEGMENT as amplifiers (we 
asked to stop [camera] recording in those cases where the talks were recorded) and it worked pretty much all the time 
(~20:1 ratio, initiated from the respective conferences' hotel wifi).

thanks

Enno




> Thomas
>
>
>
> On 13-07-31 10:57 AM, "Blake Dunlap" <ikiris () gmail com> wrote:
>
> > This looks like more a security issue with the devices, not border
> > security
> > issues.
> >
> > If you're seeing replies of that size, it means the devices themselves are
> > set up to allow public queries of their information (not secured by even
> > keys), which no one should be comfortable with. People should never be
> > leaving the public access snmp strings on devices even if they are
> > internal. Edge blocking just masks the real issue.
> >
> >
> > -Blake
> >
> >
> > On Tue, Jul 30, 2013 at 11:25 PM, bottiger <bottiger10 () gmail com> wrote:
> >
> > > Before you skim past this email because you already read the Prolexic
> > > report on it or some other article on the internet, there are 2
> > > disturbing properties that I haven't found anywhere else online.
> > >
> > > 1) After sending abuse emails to many networks, we received many angry
> > > replies that they monitored their traffic for days without seeing
> > > anything (even as we were being attacked) and that their IPs were
> > > spoofed and would block us for spamming them.
> > >
> > > What we discovered was that their firewalls/routers/gateways coming
> > > from vendors like Cisco and SonicWall apparently didn't record SNMP
> > > traffic going in or out of themselves. We confirmed this multiple
> > > times by running a query to an IP that was claimed to be clean and
> > > watching the response come 10-60 seconds later because the device was
> > > being so heavily abused.
> > >
> > > 2) SNMP reflection offers the largest amplification factor by far,
> > > even surpassing DNS, Chargen, or NTP by a wide margin. I have tested a
> > > 68 byte query and received responses of up to 30,000 to 60,000 bytes.
> > > The trick is to use GetBulkRequest to start enumerating from the first
> > > OID and setting max repetitions to a large number. This is contrary to
> > > the other articles online which suggest a much smaller amplification
> > > factor with other queries.
> > >
> > > This protocol is also prevalent in many devices ranging from routers
> > > to printers.
> > >
> > > To solve this problem you should block SNMP traffic coming from
> > > outside your network and whitelist outside IPs that require it.

-- 
Enno Rey

ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 174 3082474

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey

Troopers 2013 Videos online: http://www.youtube.com/user/TROOPERScon?feature=watch

=======================================================
Blog: www.insinuator.net || Conference: www.troopers.de
=======================================================