Hi,

On Wed, Jul 31, 2013 at 03:17:37PM +0000, Thomas St-Pierre wrote:
> The problem isn't the people on this list leaving the public snmp
> community on their devices, it's the vendors of home routers leaving it
> there in their devices. Normal end users don't know or even care what snmp
> is. (nor can we expect them to)
>
> A simple scan of a large cable/dsl ISP's address space will likely net you
> tens of thousands of devices which respond to the "public" snmp community.

I can confirm this. We did some enumeration (and discussed the said
amplification attack) here:

http://conference.hitb.org/hitbsecconf2007dubai/materials/D1%20-%20Enno%20Rey%20-%20Digging%20into%20SNMP%202007%20-%20An%20Excercise%20on%20Breaking%20Networks.pdf

At the time, once you scanned "typical broadband segments" of major
European carriers, pretty much every address responding to a ping had
SNMP "public" also.

We gave the talk several times and demoed the amplification attack (with a
slightly modified version of this tool:
https://www.ernw.de/download/snmpattack.pl) against some of our systems,
abusing $SOME_RANDOM_SEGMENT as amplifiers (we asked to stop [camera]
recording in those cases where the talks were recorded) and it worked
pretty much all the time (~20:1 ratio, initiated from the respective
conferences' hotel wifi).

thanks

Enno

>
> Thomas
>
>
> On 13-07-31 10:57 AM, "Blake Dunlap" <iki...@gmail.com> wrote:
>
> >This looks like more a security issue with the devices, not border
> >security issues.
> >
> >If you're seeing replies of that size, it means the devices themselves are
> >set up to allow public queries of their information (not secured by even
> >keys), which no one should be comfortable with. People should never be
> >leaving the public access snmp strings on devices even if they are
> >internal. Edge blocking just masks the real issue.
> >
> >
> >-Blake
> >
> >
> >On Tue, Jul 30, 2013 at 11:25 PM, bottiger <bottige...@gmail.com> wrote:
> >
> >> Before you skim past this email because you already read the Prolexic
> >> report on it or some other article on the internet, there are 2
> >> disturbing properties that I haven't found anywhere else online.
> >>
> >> 1) After sending abuse emails to many networks, we received many angry
> >> replies that they monitored their traffic for days without seeing
> >> anything (even as we were being attacked) and that their IPs were
> >> spoofed and would block us for spamming them.
> >>
> >> What we discovered was that their firewalls/routers/gateways coming
> >> from vendors like Cisco and SonicWall apparently didn't record SNMP
> >> traffic going in or out of themselves. We confirmed this multiple
> >> times by running a query to an IP that was claimed to be clean and
> >> watching the response come 10-60 seconds later because the device was
> >> being so heavily abused.
> >>
> >> 2) SNMP reflection offers the largest amplification factor by far,
> >> even surpassing DNS, Chargen, or NTP by a wide margin. I have tested a
> >> 68 byte query and received responses of up to 30,000 to 60,000 bytes.
> >> The trick is to use GetBulkRequest to start enumerating from the first
> >> OID and setting max repetitions to a large number. This is contrary to
> >> the other articles online which suggest a much smaller amplification
> >> factor with other queries.
> >>
> >> This protocol is also prevalent in many devices ranging from routers
> >> to printers.
> >>
> >> To solve this problem you should block SNMP traffic coming from
> >> outside your network and whitelist outside IPs that require it.
> >>
> >>
>

--
Enno Rey

ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 174 3082474

Commercial register Mannheim: HRB 337135
Managing director: Enno Rey

Troopers 2013 Videos online: http://www.youtube.com/user/TROOPERScon?feature=watch

=======================================================
Blog: www.insinuator.net || Conference: www.troopers.de
=======================================================
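The query shape bottiger describes above (a GetBulkRequest walking from the top of the tree with a large max-repetitions, sent with the default community) is easy to recognise on the wire. The following is an added example, not code from the thread, from ERNW or from the snmpattack.pl tool: a minimal BER decoder that a border filter or IDS could use to flag such inbound UDP/161 payloads; the two sample packets are constructed, and the repetition threshold of 50 is an assumption.

```python
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest"}
DEFAULT_COMMUNITIES = {"public", "private"}

def _tlv(buf, pos):  # decode one BER TLV at pos -> (tag, value, offset after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_snmp(packet):  # -> dict for a community-based (v1/v2c) SNMP message, else None
    try:
        tag, body, _ = _tlv(packet, 0)
        t_ver, ver, pos = _tlv(body, 0)
        t_com, community, pos = _tlv(body, pos)
        t_pdu, pdu, _ = _tlv(body, pos)
        _, reqid, p = _tlv(pdu, 0)
        _, f1, p = _tlv(pdu, p)                        # error-status / non-repeaters
        _, f2, _ = _tlv(pdu, p)                        # error-index / max-repetitions
    except IndexError:                                 # truncated or not BER at all
        return None
    if (tag, t_ver, t_com) != (0x30, 0x02, 0x04) or t_pdu not in PDU_NAMES:
        return None
    info = {"version": int.from_bytes(ver, "big"), "community": community.decode("latin-1"),
            "pdu": PDU_NAMES[t_pdu], "request_id": int.from_bytes(reqid, "big", signed=True)}
    if t_pdu == 0xA5:                                  # GetBulkRequest reuses the two error fields
        info["non_repeaters"] = int.from_bytes(f1, "big")
        info["max_repetitions"] = int.from_bytes(f2, "big")
    return info

def flag_reflection_query(packet, max_rep_threshold=50):
    """Return (flagged, reason); the threshold is an assumption (snmpbulkwalk defaults to 10)."""
    info = parse_snmp(packet)
    if info is None or info["pdu"] != "GetBulkRequest":
        return False, "not a community-based GetBulkRequest"
    reasons = []
    if info["community"] in DEFAULT_COMMUNITIES:
        reasons.append(f"default community {info['community']!r}")
    if info["max_repetitions"] > max_rep_threshold:
        reasons.append(f"max-repetitions {info['max_repetitions']} > {max_rep_threshold}")
    return bool(reasons), "; ".join(reasons) or "GetBulkRequest within normal bounds"

# Constructed sample (not a capture): v2c GetBulkRequest, community "public",
# non-repeaters 0, max-repetitions 2000, single varbind for OID 1.3.6.1 (39 bytes)
SAMPLE_BULK = bytes.fromhex("3025" "020101" "04067075626c6963" "a518" "020400000001"
                            "020100" "020207d0" "3009300706032b06010500")
# Constructed benign sample: v2c GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0)
SAMPLE_GET = bytes.fromhex("3029" "020101" "04067075626c6963" "a01c" "020400000002"
                           "020100" "020100" "300e300c06082b060102010101000500")
```

A filter built on this only complements the fix quoted above (dropping SNMP from outside and whitelisting the few external sources that need it); it does not replace it.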