5/22/2014
05:10 PM

SNMP DDoS Attacks Spike

Akamai issues threat advisory on attack campaign that uses Team Poison-developed DDoS toolkit.

No botnet necessary: Yet another flavor of distributed denial-of-service (DDoS) attacks that doesn't require infecting PCs is on the rise.

Akamai's Prolexic Security Engineering and Response Team (PLXsert) today issued a threat advisory warning of a spike in DDoS attacks abusing the Simple Network Management Protocol (SNMP) interface in network devices such as routers, switches, firewalls, and printers.

PLXsert has spotted 14 SNMP DDoS attack campaigns over the past month, targeting various industries including consumer products, gaming, hosting, nonprofits, and software-as-a-service, mainly in the US (49.9%) and China (18.49%). The attackers used a tool that's available online and was developed by the infamous hacker group Team Poison.

This latest wave of attacks targets devices running an older version of SNMP, version 2, which by default is open to the public Internet unless that feature is manually disabled. SNMP version 3 is a more secure version of the management protocol, which is used to store device information such as IP address or even the type of toner used on a printer.

"Through the use of GetBulk requests against SNMP v2, malicious actors can cause a large number of networked devices to send their stored data all at once to a target in an attempt to overwhelm the resources of the target," PLXsert says in the advisory. "This kind of DDoS attack, called a distributed reflection and amplification (DrDoS) attack, allows attackers to use a relatively small amount of their own resources to create a massive amount of malicious traffic."

The attackers are using the Team Poison-built tool to automate the "GetBulk" requests. They then use the IP address of the organization they are targeting as the spoofed source of the requests. The attacker then sets off a bulk request for SNMP devices. "These actions will lead to a flood of SNMP GetResponse data sent from the reflectors to the target. The target will see this inflow of data as coming from the victim devices queried by the attacker," the advisory says, and the attacker's actual IP address is hidden.
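From the target's side, the pattern described above shows up as SNMP responses (UDP source port 161) arriving from many devices the target never queried. The following sketch is an added example, not code from the article or the Akamai advisory; the flow-record layout, IP addresses, and thresholds are constructed assumptions.

```python
from collections import defaultdict

SNMP_PORT = 161

# Constructed flow records as seen at the network edge:
# (src_ip, src_port, dst_ip, dst_port, proto, bytes)
FLOWS = [
    # Legitimate poll: a monitoring host queries a switch and gets its answer.
    ("10.0.0.5", 40001, "10.0.1.1", 161, "udp", 90),
    ("10.0.1.1", 161, "10.0.0.5", 40001, "udp", 1400),
    # Reflected traffic: many devices answer requests the target never sent.
    ("198.51.100.7", 161, "203.0.113.10", 53211, "udp", 60000),
    ("198.51.100.8", 161, "203.0.113.10", 53211, "udp", 58000),
    ("198.51.100.9", 161, "203.0.113.10", 53211, "udp", 61000),
    ("192.0.2.44", 161, "203.0.113.10", 53211, "udp", 59000),
    # A single stray response stays below the default thresholds.
    ("192.0.2.50", 161, "203.0.113.20", 40100, "udp", 1200),
]


def find_snmp_reflection(flows, min_reflectors=3, min_bytes=100_000):
    """Return {target_ip: (reflector_count, total_bytes)} for unsolicited SNMP floods."""
    # Pairs (client, device) where the client really sent a request to UDP/161.
    solicited = {(src, dst) for src, _, dst, dport, proto, _ in flows
                 if proto == "udp" and dport == SNMP_PORT}

    reflectors = defaultdict(set)
    volume = defaultdict(int)
    for src, sport, dst, _, proto, size in flows:
        if proto != "udp" or sport != SNMP_PORT:
            continue
        if (dst, src) in solicited:
            continue  # answer to a request this host actually made
        reflectors[dst].add(src)
        volume[dst] += size

    # Report only targets hit by enough distinct devices and enough volume.
    return {dst: (len(srcs), volume[dst])
            for dst, srcs in reflectors.items()
            if len(srcs) >= min_reflectors and volume[dst] >= min_bytes}


if __name__ == "__main__":
    for target, (count, total) in find_snmp_reflection(FLOWS).items():
        print(f"{target}: {count} reflectors, {total} bytes of unsolicited SNMP responses")
```

Because the spoofed requests never cross the target's network, matching responses against observed requests separates reflected traffic from normal polling; the thresholds should be tuned to the site's own monitoring baseline.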

David Fernandez, director of the PLXsert team, says this reflection technique, as with NTP reflection attacks, is popular because it's a way to maximize connections without a botnet, and it's cheaper to perform. "They can perform campaigns without infections," Fernandez says. "Unfortunately, the attackers are victims," such as the duped devices responding to the targeted organization's network.

"These are pretty massive attacks," he says. "SNMP has a high amplification factor."

The attacks are more than mayhem: Increasingly, DDoS attacks such as these are being used as a smokescreen to divert attention from a real, more deadly attack, he says. Fernandez declined to speculate on the motivation behind these specific attacks.

"The use of specific types of protocol reflection attacks such as SNMP surge from time to time," said Stuart Scholly, senior vice president and general manager of Akamai's Security Business Unit, in a statement. "Newly available SNMP reflection tools have fueled these attacks."

The full Akamai PLXsert threat advisory is available here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
RyanSepe
User Rank: Ninja
5/31/2014 | 10:53:17 PM
Verizon Security Report
In the Verizon Security Report for 2013, it's stated that one of the highest levels of attacks is overall DoS. Are these attacks spiking only in 2014 or were they starting to become prevalent last year? I would be interested to see if they were or were not encompassed by the report. I'll have to do more research but any insight would be helpful. Thanks,
Christian Bryant
User Rank: Ninja
5/23/2014 | 10:42:56 AM
Re: Be DDoS Attack Ready
While disabling SNMPv1 and v2 in favor of v3 (whose messages have encoded as an octet string security parameters) is preferred, network IT staff should still look with caution upon any infrastructure using SNMPvX...

Not come down hard on SNMP, of course!
Kelly Jackson Higgins
User Rank: Strategist
5/23/2014 | 9:49:46 AM
Re: Be DDoS Attack Ready
Thanks for sharing those best practices, @christianabryant. Hopefully, the SNMP research will prompt orgs to also check on their SNMPv2 settings or go SNMP 3.
Christian Bryant
User Rank: Ninja
5/23/2014 | 12:29:38 AM
Be DDoS Attack Ready
Calls to mind Dave's commentary "DDoS Attack!" from a couple months back and how SNMP and others under UDP have the highest threat potential: http://www.darkreading.com/attacks-and-breaches/ddos-attack!-is-regulation-the-answer/d/d-id/1114050

Also, some tips to protect yourself against reflective attacks:

1) If you can afford to, bring down open recursive DNS servers that can be used as reflectors.

2) Assign rate-limits to queries on source-IPs for all DNS servers.

3) Use TCP for re-transmission of certain DNS query types.

4) Use "principle of least privilege" network filtering on all hosts and network devices, and comply with security recommendations like Common Criteria.

5) Have a solid response/defense/recovery strategy for quick bounce-back from successful DDoS attacks.