SNMP Reflected Amplification DDoS Attacks

Just recently on the NANOG mailing list a discussion popped up titled “SNMP DDoS: the vulnerability you might not know you have”.
There are a couple of points here:

a) If you’re interested in the technical details of these attacks (and mitigation advice), please see this excellent technical report that the Broadband Internet Technical Advisory Group published last year (apparently Comcast had observed such attacks before).

b) Daniel and I gave a talk on attacking SNMP at HITB Dubai 2007 (Hi Amy & Dhillon! 😉) laying out the basic idea for that type of attack and we later described it in a bit more detail at ShmooCon 2009 where we even demoed it publicly (camera recording stopped at that point, for obvious reasons). We used (a slightly modified version of) this tool.
From the research we did at the time we can confirm this was/presumably still is a huge problem, at least for European carriers’ broadband segments (acting as amplifiers).

c) The original poster (on the NANOG mailing list) mentions he was able to generate response traffic in the 30-60 Kb range with 68-byte queries only, (ab)using GetBulkRequest. That’s an interesting idea/approach and actually much more than we figured (we talked about a 1:25 ratio as for attacker bandwidth vs. victim’s received traffic load).

d) In case his observations with regard to some firewall gear and its SNMP-related behavior are correct (we did not verify but, for the moment, see no reasons to doubt those), that would be somewhat problematic in itself.


Moral of the story? This might be (yet another) trigger to reflect on your environment’s SNMP posture and to re-evaluate your (network guys’) negligence when it comes to SNMPv3…
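One way to start on that posture check, as an added example that is not from the original post or the tools it mentions: a Python script that reads flow records and flags devices in your own address space that answer SNMP (UDP/161) to sources outside your management network with a large reply-to-query byte ratio. The CSV layout, the address ranges and the sample flows are constructed assumptions, and the default threshold of 25 simply borrows the 1:25 figure quoted above.

```python
import csv, io, ipaddress
from collections import defaultdict

# Constructed sample flow export (not real traffic); column layout is an assumption.
SAMPLE_FLOWS = """\
src,sport,dst,dport,proto,bytes
198.51.100.7,40001,192.0.2.10,161,udp,68
192.0.2.10,161,198.51.100.7,40001,udp,41200
198.51.100.7,40002,192.0.2.10,161,udp,68
192.0.2.10,161,198.51.100.7,40002,udp,38900
10.0.0.5,51000,192.0.2.20,161,udp,90
192.0.2.20,161,10.0.0.5,51000,udp,140
"""

OWN_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumption: your address space
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/24")]   # assumption: legitimate NMS sources

def in_nets(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)

def find_amplifiers(flow_csv, min_ratio=25.0):
    """Return {device: (query_bytes, reply_bytes, ratio)} for own devices that
    answer SNMP to non-management peers with reply/query ratio >= min_ratio."""
    stats = defaultdict(lambda: [0, 0])  # device -> [query bytes, reply bytes]
    for r in csv.DictReader(io.StringIO(flow_csv)):
        if r["proto"] != "udp":
            continue
        size = int(r["bytes"])
        if (r["dport"] == "161" and in_nets(r["dst"], OWN_NETS)
                and not in_nets(r["src"], MGMT_NETS)):
            stats[r["dst"]][0] += size      # query reaching one of our devices
        elif (r["sport"] == "161" and in_nets(r["src"], OWN_NETS)
                and not in_nets(r["dst"], MGMT_NETS)):
            stats[r["src"]][1] += size      # reply leaving one of our devices
    hits = {}
    for dev, (q, a) in stats.items():
        # Replies without an observed query still count (query may be sampled out).
        ratio = a / q if q else float("inf")
        if a and ratio >= min_ratio:
            hits[dev] = (q, a, ratio)
    return hits

if __name__ == "__main__":
    for dev, (q, a, ratio) in find_amplifiers(SAMPLE_FLOWS).items():
        print(f"{dev}: {q} B in, {a} B out, ratio {ratio:.0f}:1")
```

Any device this reports is answering SNMP for someone other than your monitoring systems, which is the exposure to close off with filtering or SNMPv3.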

Have a good one


