> > Subject: [Full-Disclosure] SNMP Broadcasts
> > SNMP doesn't "broadcast"

Sure it does. Most older "default" SNMP devices broadcast traps. This is so that any SNMP manager on the network can collect the traps for a specified SNMP community. This is also so that the SNMP enabled device can just be placed on the network and managed without any special configuration. Newer SNMP agents let you specify a management host to send traps to.

> > For the past 12 hours my external IP has been bombarded with SNMP
>
> "Bombarded"? Below you state it was only "several per second". Are you
> on a dial connection?
>
> > Broadcasts, I have sent complaints to my ISP and the ISP of the originating
> > IP.
>
> And both are likely laughing their asses off right about now.

Why? Depending on how the service provider configures the network and assigns IP addresses to customers, the switch can easily forward broadcast packets to all hosts on the subnetwork. This includes Windows LM broadcasts, SNMP broadcasts, or just any packet destined to a broadcast address. Have you noticed that for certain service providers, you can browse the windows/samba shares on your neighbour's machine?

> > The attacking IP must have some sort of worm or automated script to go
> > through all the port numbers as his remote port starts at 60001 and goes up
> > to 64087 but it hits my local ports 1-highest port # (65535) if I let my
> > logs record that much.

You're (BillyBob) being port scanned. Not much you can do to stop the portscans. All you can do is be invisible to it. It's most likely a trojaned machine searching for more victims. Make sure you're behind a cable/dsl router (or have a good firewall in place) (or both). Keep up with all your software and firmware patches. Note that some ISPs deliberately port-scan customer machines to search for webservers, mailservers etc.

> SNMP goes to ports 161 and 162, *only*.

No... those are just the default ports for the stock agents. Sysedge (for example) uses 1691 for Get/Set requests.

> > Could this be some kind of SNMP DoS as I get several/second?

I'll tell you what it could (likely) be:

- An unconfigured SNMP agent on the network (on a Linux or Windows box maybe).
- A cable/dsl router on the subnet that's spewing SNMP traps (I've seen this a lot).
- Your service provider's actual switch is misconfigured.

I haven't heard of SNMP DoS's but hey... anything's possible.

> I know I shouldn't be asking this, but... Do you know how to use
> Ethereal?

Good call. It'll answer most of your questions.

--
Mohit Muthanna, CISSP [mohit (at) muthanna (uhuh) com]
"There are 10 types of people. Those who understand binary, and those who don't."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
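The reply above separates two things that look alike in a home firewall log: SNMP traps broadcast by an unconfigured agent (UDP, normally port 162, though agents such as the SysEdge example use other ports) and a port sweep from one host whose remote port climbs while the local port walks the whole range. The script below is an added example, not code from the original post or from anyone in the thread. It applies per-source heuristics to constructed log lines in a hypothetical `ACTION PROTO src:sport -> dst:dport` format; the 20-port sweep threshold is an assumption, and the port list comes from the thread (161/162 defaults, 1691 for SysEdge).

```python
"""Sort constructed firewall log lines into SNMP broadcast noise vs. a port sweep.

Added example, not part of the original mailing-list post. The log format
is hypothetical and every line in it is constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Hypothetical log format: ACTION PROTO src:sport -> dst:dport
LINE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# 161/162 are the stock SNMP ports; 1691 is the SysEdge port named in the thread.
SNMP_PORTS = {161, 162, 1691}
# Distinct destination ports from one source before we call it a sweep (assumed threshold).
SCAN_THRESHOLD = 20


def build_sample_log() -> str:
    """Constructed log: an agent spewing broadcast traps, a sweep, and one benign hit."""
    lines = ["DROP UDP 10.0.0.7:162 -> 255.255.255.255:162" for _ in range(6)]
    lines.append("DROP UDP 10.0.0.7:1691 -> 10.0.0.255:1691")
    # Sweep: remote port climbs from 60001 while the local port walks 1..40.
    lines += [f"DROP TCP 192.0.2.10:{60001 + i} -> 10.0.0.5:{1 + i}" for i in range(40)]
    lines.append("ALLOW TCP 198.51.100.4:40512 -> 10.0.0.5:80")
    return "\n".join(lines)


def parse(log_text: str) -> List[dict]:
    """Parse log lines; skip anything that does not match the hypothetical format."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["sport"] = int(e["sport"])
            e["dport"] = int(e["dport"])
            events.append(e)
    return events


def is_broadcast(ip: str) -> bool:
    """Limited broadcast or the usual /24 directed-broadcast address."""
    return ip == "255.255.255.255" or ip.endswith(".255")


def classify(events: List[dict]) -> Dict[str, dict]:
    """Return a per-source verdict together with the evidence behind it."""
    per_src = defaultdict(lambda: {"snmp": 0, "broadcast": 0, "dports": set(), "sports": []})
    for e in events:
        s = per_src[e["src"]]
        if e["proto"] == "UDP" and e["dport"] in SNMP_PORTS:
            s["snmp"] += 1
        if is_broadcast(e["dst"]):
            s["broadcast"] += 1
        s["dports"].add(e["dport"])
        s["sports"].append(e["sport"])

    verdicts = {}
    for src, s in per_src.items():
        sports = s["sports"]
        # A strictly climbing source port is the pattern the original poster described.
        climbing = len(sports) > 1 and all(b > a for a, b in zip(sports, sports[1:]))
        if len(s["dports"]) >= SCAN_THRESHOLD:
            verdict = "port-sweep"
        elif s["snmp"] and s["broadcast"]:
            verdict = "snmp-broadcast-noise"  # agent with no trap destination configured
        elif s["snmp"]:
            verdict = "snmp-unicast"
        else:
            verdict = "other"
        verdicts[src] = {
            "verdict": verdict,
            "distinct_dports": len(s["dports"]),
            "climbing_source_port": climbing,
            "snmp_packets": s["snmp"],
        }
    return verdicts


if __name__ == "__main__":
    for src, info in classify(parse(build_sample_log())).items():
        print(f"{src:15} {info['verdict']:22} ports={info['distinct_dports']:3} "
              f"climbing_sport={info['climbing_source_port']} snmp={info['snmp_packets']}")
```

The two verdicts call for different responses: broadcast trap noise is a misconfigured agent or router on the segment (and a reason to ask why the provider's switch forwards broadcasts between customers at all), while a sweep is something to be invisible to, as the reply says, rather than something the complaint desk will act on.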