05:10 PM
Connect Directly

SNMP DDoS Attacks Spike

Akamai issues threat advisory on attack campaign that uses Team Poison-developed DDoS toolkit.

No botnet necessary: Yet another flavor of distributed denial-of-service (DDoS) attacks that doesn't require infecting PCs is on the rise.

Akamai's Prolexic Security Engineering and Response Team (PLXsert) today issued a threat advisory warning of a spike in DDoS attacks abusing the Simple Network Management Protocol (SNMP) interface in network devices such as routers, switches, firewalls, and printers.

PLXsert has spotted 14 SNMP DDoS attack campaigns over the past month, targeting various industries including consumer products, gaming, hosting, nonprofits, and software-as-a-service, mainly in the US (49.9%) and China (18.49%). The attackers used a tool that's available online and was developed by the infamous hacker group Team Poison.

This latest wave of attacks targets devices running an older version of SNMP, version 2, which by default is open to the public Internet unless that feature is manually disabled. SNMP version 3 is a more secure version of the management protocol, which is used to store device information such as IP address or even the type of toner used on a printer.

"Through the use of GetBulk requests against SNMP v2, malicious actors can cause a large number of networked devices to send their stored data all at once to a target in an attempt to overwhelm the resources of the target," PLXsert says in the advisory. "This kind of DDoS attack, called a distributed reflection and amplification (DrDoS) attack, allows attackers to use a relatively small amount of their own resources to create a massive amount of malicious traffic."

The attacks are using the Team Poison-built tool to automate the "GetBulk" requests. They then use the IP address of the organization they are targeting as the spoofed source of the requests. The attacker then sets off a bulk request for SNMP devices. "These actions will lead to a flood of SNMP GetResponse data sent from the reflectors to the target. The target will see this inflow of data as coming from the victim devices queried by the attacker," the advisory says, and the attacker's actual IP address is hidden.

David Fernandez, director of the PLXsert team, says this reflection technique, as with NTP reflection attacks, is popular because it's a way to maximize connections without a botnet, and it's cheaper to perform. "They can perform campaigns without infections," Fernandez says. "Unfortunately, the attackers are victims," such as the duped devices responding to the targeted organization's network.

"These are pretty massive attacks," he says. "SNMP has a high amplification factor."

The attacks are more than mayhem: Increasingly, DDoS attacks such as these are being used as a smokescreen to divert from a real more deadly attack, he says. Fernandez declined to speculate on the motivation behind these specific attacks.

"The use of specific types of protocol reflection attacks such as SNMP surge from time to time," said Stuart Scholly, senior vice president and general manager of Akamai's Security Business Unit, in a statement. "Newly available SNMP reflection tools have fueled these attacks."

The full Akamai PLXsert threat advisory is available here.

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
5/31/2014 | 10:53:17 PM
Verizon Security Report
In the Verizon Security Report for 2013, its stated that one of the highest levels of attacks is overall DoS. Are these attacks spiking only in 2014 or were they starting to become prevalent last year? I would be interested to see if they were or were not encompassed by the report. Ill have to do more research but any insight would be helpful. Thanks,
Christian Bryant
Christian Bryant,
User Rank: Ninja
5/23/2014 | 10:42:56 AM
Re: Be DDoS Attack Ready
While disabling SNMPv1 and v2 in favor of v3 (whose messages have encoded as an octet string security parameters) is preferred, network IT staff should still look with caution upon any infrastructure using SNMPvX...

Not come down hard on SNMP, of course!
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
5/23/2014 | 9:49:46 AM
Re: Be DDoS Attack Ready
Thanks for sharing those best practices, @christianabryant. Hopefully, the SNMP research will prompt orgs to also check on their SNMPv2 settings or go SNMP 3.
Christian Bryant
Christian Bryant,
User Rank: Ninja
5/23/2014 | 12:29:38 AM
Be DDoS Attack Ready
Calls to mind Dave's commentary "DDoS Attack!" from a couple months back and how SNMP and others under UDP have the highest threat potential:!-is-regulation-the-answer/d/d-id/1114050

Also, some tips to protect yourself against reflective attacks:

1) If you can afford to, bring down open recursive DNS servers that can be used as reflectors.

2) Assign rate-limits to queries on source-IPs for all DNS servers.

3) Use TCP for re-transmission of certain DNS query types.

4) Use "principle of least privilege" network filtering on all hosts and network devices, and comply to security recommendation like Common Criteria.

5) Have a solid response/defense/recovery strategy for quick bounce-back from successful DDoS attacks.
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest September 7, 2015
Some security flaws go beyond simple app vulnerabilities. Have you checked for these?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-09
Simple Streams (simplestreams) does not properly verify the GPG signatures of disk image files, which allows remote mirror servers to spoof disk images and have unspecified other impact via a 403 (aka Forbidden) response.

Published: 2015-10-09
The Telephony component in Apple OS X before 10.11, when the Continuity feature is enabled, allows local users to bypass intended telephone-call restrictions via unspecified vectors.

Published: 2015-10-09
IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize applet URLs, which allows remote attackers to inject applets into the .appletTrustSettings configuration file and bypass user approval to execute the applet via a crafted web page, possibly related to line breaks.

Published: 2015-10-09
IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly determine the origin of unsigned applets, which allows remote attackers to bypass the approval process or trick users into approving applet execution via a crafted web page.

Published: 2015-10-09
The Safari Extensions implementation in Apple Safari before 9 does not require user confirmation before replacing an installed extension, which has unspecified impact and attack vectors.

Dark Reading Radio
Archived Dark Reading Radio
What can the information security industry do to solve the IoT security problem? Learn more and join the conversation on the next episode of Dark Reading Radio.