informa
/
Attacks/Breaches
Quick Hits

SNMP DDoS Attacks Spike

Akamai issues threat advisory on attack campaign that uses Team Poison-developed DDoS toolkit.

No botnet necessary: Yet another flavor of distributed denial-of-service (DDoS) attacks that doesn't require infecting PCs is on the rise.

Akamai's Prolexic Security Engineering and Response Team (PLXsert) today issued a threat advisory warning of a spike in DDoS attacks abusing the Simple Network Management Protocol (SNMP) interface in network devices such as routers, switches, firewalls, and printers.

PLXsert has spotted 14 SNMP DDoS attack campaigns over the past month, targeting various industries including consumer products, gaming, hosting, nonprofits, and software-as-a-service, mainly in the US (49.9%) and China (18.49%). The attackers used a tool that's available online and was developed by the infamous hacker group Team Poison.

This latest wave of attacks targets devices running an older version of SNMP, version 2, which by default is open to the public Internet unless that feature is manually disabled. SNMP version 3 is a more secure version of the management protocol, which is used to store device information such as IP address or even the type of toner used on a printer.

"Through the use of GetBulk requests against SNMP v2, malicious actors can cause a large number of networked devices to send their stored data all at once to a target in an attempt to overwhelm the resources of the target," PLXsert says in the advisory. "This kind of DDoS attack, called a distributed reflection and amplification (DrDoS) attack, allows attackers to use a relatively small amount of their own resources to create a massive amount of malicious traffic."

The attacks are using the Team Poison-built tool to automate the "GetBulk" requests. They then use the IP address of the organization they are targeting as the spoofed source of the requests. The attacker then sets off a bulk request for SNMP devices. "These actions will lead to a flood of SNMP GetResponse data sent from the reflectors to the target. The target will see this inflow of data as coming from the victim devices queried by the attacker," the advisory says, and the attacker's actual IP address is hidden.

David Fernandez, director of the PLXsert team, says this reflection technique, as with NTP reflection attacks, is popular because it's a way to maximize connections without a botnet, and it's cheaper to perform. "They can perform campaigns without infections," Fernandez says. "Unfortunately, the attackers are victims," such as the duped devices responding to the targeted organization's network.

"These are pretty massive attacks," he says. "SNMP has a high amplification factor."

The attacks are more than mayhem: Increasingly, DDoS attacks such as these are being used as a smokescreen to divert from a real more deadly attack, he says. Fernandez declined to speculate on the motivation behind these specific attacks.

"The use of specific types of protocol reflection attacks such as SNMP surge from time to time," said Stuart Scholly, senior vice president and general manager of Akamai's Security Business Unit, in a statement. "Newly available SNMP reflection tools have fueled these attacks."

The full Akamai PLXsert threat advisory is available here.

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5