Attacks/Breaches

5/22/2014 05:10 PM
SNMP DDoS Attacks Spike

Akamai issues threat advisory on attack campaign that uses Team Poison-developed DDoS toolkit.

No botnet necessary: Yet another flavor of distributed denial-of-service (DDoS) attacks that doesn't require infecting PCs is on the rise.

Akamai's Prolexic Security Engineering and Response Team (PLXsert) today issued a threat advisory warning of a spike in DDoS attacks abusing the Simple Network Management Protocol (SNMP) interface in network devices such as routers, switches, firewalls, and printers.

PLXsert has spotted 14 SNMP DDoS attack campaigns over the past month, targeting various industries including consumer products, gaming, hosting, nonprofits, and software-as-a-service, mainly in the US (49.9%) and China (18.49%). The attackers used a tool that's available online and was developed by the infamous hacker group Team Poison.

This latest wave of attacks targets devices running an older version of SNMP, version 2, which by default answers queries from the public Internet unless that feature is manually disabled. SNMP version 3 is a more secure version of the management protocol, which is used to store and expose device information such as IP addresses or even the type of toner a printer uses.
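To make the "open by default" point concrete, here is an added example (not code from the Dark Reading article or from Akamai): a small Python linter over a net-snmp style snmpd.conf that flags the community-based SNMPv1/v2c access a reflector needs, beside a configuration that only accepts SNMPv3 users. The directive names (`agentAddress`, `rocommunity`, `rwcommunity`, `createUser`, `rouser`) are net-snmp's; the two embedded configuration texts, the addresses and the credential strings are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample: a net-snmp style snmpd.conf that answers SNMPv2c
# GetBulk from any source with the well-known "public" string.
WEAK_CONF = """\
agentAddress udp:161
rocommunity public
rwcommunity private 10.0.0.0/8
"""

# Constructed sample: the same agent bound to one management address and
# reachable only by an SNMPv3 authPriv user (credentials are placeholders).
HARDENED_CONF = """\
agentAddress udp:10.0.0.5:161
createUser monitor SHA "EXAMPLE_AUTH_PASS" AES "EXAMPLE_PRIV_PASS"
rouser monitor priv
"""

# net-snmp directives that enable community-based (v1/v2c) access.
COMMUNITY_RE = re.compile(r"^\s*(r[ow]community6?)\s+(\S+)(?:\s+(\S+))?")
AGENT_RE = re.compile(r"^\s*agentAddress\s+(\S+)")
DEFAULT_COMMUNITIES = {"public", "private"}


def _binds_all_interfaces(spec: str) -> bool:
    """True for specs such as 'udp:161' or '161' that carry no host part."""
    for part in spec.split(","):
        part = part.strip()
        if part.startswith("udp6:"):
            if not part[len("udp6:"):].startswith("["):
                return True
        elif part.startswith(("udp:", "tcp:")):
            if ":" not in part.split(":", 1)[1]:
                return True
        elif part.isdigit():
            return True
    return False


def lint_snmpd_conf(text: str) -> List[Dict[str, object]]:
    """Return findings for settings that turn the agent into a usable reflector."""
    findings: List[Dict[str, object]] = []
    saw_agent_address = False
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.split("#", 1)[0]          # drop trailing comments
        m = COMMUNITY_RE.match(stripped)
        if m:
            directive, community, source = m.group(1), m.group(2), m.group(3)
            access = "read-write" if directive.startswith("rw") else "read-only"
            if source is None or source == "default":
                findings.append({"line": lineno, "severity": "high",
                                 "issue": f"{directive} grants {access} SNMPv1/v2c "
                                          "access from any source"})
            if community in DEFAULT_COMMUNITIES:
                findings.append({"line": lineno, "severity": "high",
                                 "issue": f"well-known community string '{community}'"})
            continue
        m = AGENT_RE.match(stripped)
        if m:
            saw_agent_address = True
            if _binds_all_interfaces(m.group(1)):
                findings.append({"line": lineno, "severity": "medium",
                                 "issue": "agentAddress listens on every interface; "
                                          "bind to the management address"})
    if not saw_agent_address:
        # net-snmp's built-in default is UDP/161 on all interfaces.
        findings.append({"line": 0, "severity": "medium",
                         "issue": "no agentAddress; default listens on every interface"})
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, lint_snmpd_conf(conf))
```

Run against the weak sample it reports the unrestricted `rocommunity`, both default community strings and the all-interface bind; the hardened sample produces no findings because v3 users are authenticated and the agent only listens on the management address.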

"Through the use of GetBulk requests against SNMP v2, malicious actors can cause a large number of networked devices to send their stored data all at once to a target in an attempt to overwhelm the resources of the target," PLXsert says in the advisory. "This kind of DDoS attack, called a distributed reflection and amplification (DrDoS) attack, allows attackers to use a relatively small amount of their own resources to create a massive amount of malicious traffic."

The attacks use the Team Poison-built tool to automate the "GetBulk" requests, with the IP address of the targeted organization set as the spoofed source of those requests. The attacker then sets off a bulk request to SNMP devices. "These actions will lead to a flood of SNMP GetResponse data sent from the reflectors to the target. The target will see this inflow of data as coming from the victim devices queried by the attacker," the advisory says, and the attacker's actual IP address stays hidden.
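The traffic pattern the advisory describes, seen from the defender's side, as an added example in Python (not code from the article or from Akamai): it reads summarized UDP flow records and flags a destination that receives UDP/161-sourced replies from many distinct devices, reporting the amplification ratio when the spoofed requests are also visible. The flow records, addresses and the 70-byte request and 1440-byte reply sizes are constructed sample values, not Akamai measurements.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

SNMP_PORT = 161


@dataclass(frozen=True)
class Flow:
    """One summarized UDP flow record: 5-tuple plus byte and packet counters."""
    src: str
    sport: int
    dst: str
    dport: int
    bytes: int
    packets: int


def constructed_flows() -> List[Flow]:
    """Constructed sample traffic: a benign NMS poll plus a reflection flood."""
    flows: List[Flow] = []
    # Benign: one monitoring host polls five devices; replies are small.
    for i in range(1, 6):
        dev = f"10.0.1.{i}"
        flows.append(Flow("10.0.0.2", 50000, dev, SNMP_PORT, 90, 1))
        flows.append(Flow(dev, SNMP_PORT, "10.0.0.2", 50000, 240, 1))
    # Reflection: 20 devices receive GetBulk requests whose source is spoofed
    # to the victim 203.0.113.10 and answer it with large GetResponse payloads.
    for i in range(1, 21):
        reflector = f"198.51.100.{i}"
        flows.append(Flow("203.0.113.10", 54321, reflector, SNMP_PORT, 70 * 40, 40))
        flows.append(Flow(reflector, SNMP_PORT, "203.0.113.10", 54321, 1440 * 40, 40))
    return flows


def detect_snmp_reflection(flows: List[Flow],
                           min_reflectors: int = 10) -> Dict[str, Dict[str, object]]:
    """Flag destinations receiving UDP/161 replies from many distinct devices."""
    resp_bytes: Dict[str, int] = defaultdict(int)   # dst -> bytes from port 161
    reflectors: Dict[str, set] = defaultdict(set)   # dst -> distinct responders
    req_bytes: Dict[str, int] = defaultdict(int)    # claimed src -> bytes to port 161
    for f in flows:
        if f.sport == SNMP_PORT:
            resp_bytes[f.dst] += f.bytes
            reflectors[f.dst].add(f.src)
        if f.dport == SNMP_PORT:
            req_bytes[f.src] += f.bytes
    alerts: Dict[str, Dict[str, object]] = {}
    for dst, srcs in reflectors.items():
        if len(srcs) < min_reflectors:
            continue                      # ordinary polling fans out, not in
        amp: Optional[float] = None       # None when only replies are visible
        if req_bytes.get(dst):
            amp = resp_bytes[dst] / req_bytes[dst]
        alerts[dst] = {"reflectors": len(srcs),
                       "response_bytes": resp_bytes[dst],
                       "amplification": amp}
    return alerts


if __name__ == "__main__":
    for victim, info in detect_snmp_reflection(constructed_flows()).items():
        print(victim, info)
```

The gate on distinct responders is what separates a flood from legitimate monitoring: a network management station also receives many port-161 replies, but from a small, stable set of devices it polled itself. A transit provider that never sees the spoofed requests still gets the alert, with the amplification field left empty.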

David Fernandez, director of the PLXsert team, says this reflection technique, as with NTP reflection attacks, is popular because it's a way to maximize connections without a botnet, and it's cheaper to perform. "They can perform campaigns without infections," Fernandez says. "Unfortunately, the attackers are victims," such as the duped devices responding to the targeted organization's network.

"These are pretty massive attacks," he says. "SNMP has a high amplification factor."

The attacks are more than mayhem: Increasingly, DDoS attacks such as these are being used as a smokescreen to divert attention from a real, more serious attack, he says. Fernandez declined to speculate on the motivation behind these specific attacks.

"The use of specific types of protocol reflection attacks such as SNMP surge from time to time," said Stuart Scholly, senior vice president and general manager of Akamai's Security Business Unit, in a statement. "Newly available SNMP reflection tools have fueled these attacks."

The full Akamai PLXsert threat advisory is available here.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
RyanSepe (User Rank: Ninja), 5/31/2014 | 10:53:17 PM
Verizon Security Report
In the Verizon Security Report for 2013, it's stated that one of the highest levels of attacks is overall DoS. Are these attacks spiking only in 2014, or were they starting to become prevalent last year? I would be interested to see if they were or were not encompassed by the report. I'll have to do more research, but any insight would be helpful. Thanks,
RetiredUser (User Rank: Ninja), 5/23/2014 | 10:42:56 AM
Re: Be DDoS Attack Ready
While disabling SNMPv1 and v2 in favor of v3 (whose messages carry security parameters encoded as an octet string) is preferred, network IT staff should still look with caution upon any infrastructure using SNMPvX...

Not to come down hard on SNMP, of course!
Kelly Jackson Higgins (User Rank: Strategist), 5/23/2014 | 9:49:46 AM
Re: Be DDoS Attack Ready
Thanks for sharing those best practices, @christianabryant. Hopefully, the SNMP research will prompt orgs to also check on their SNMPv2 settings or go SNMP 3.
RetiredUser (User Rank: Ninja), 5/23/2014 | 12:29:38 AM
Be DDoS Attack Ready
Calls to mind Dave's commentary "DDoS Attack!" from a couple months back and how SNMP and others under UDP have the highest threat potential: http://www.darkreading.com/attacks-and-breaches/ddos-attack!-is-regulation-the-answer/d/d-id/1114050

Also, some tips to protect yourself against reflective attacks:

1) If you can afford to, bring down open recursive DNS servers that can be used as reflectors.

2) Assign rate-limits to queries on source-IPs for all DNS servers.

3) Use TCP for re-transmission of certain DNS query types.

4) Use "principle of least privilege" network filtering on all hosts and network devices, and comply with security recommendations like Common Criteria.

5) Have a solid response/defense/recovery strategy for quick bounce-back from successful DDoS attacks.
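Tip 2 in the post above, rate-limiting queries per source IP, is the one most directly applicable to any UDP service that can be abused as a reflector, SNMP included. As an added illustration (not from the commenter or from Dark Reading), here is a Python token-bucket limiter keyed by source address, run over a constructed event stream in which one address polls at a normal pace while a spoofed address hammers the service; the rate, burst and timings are assumed sample values.

```python
from collections import defaultdict
from typing import Dict, List, Tuple


class PerSourceRateLimiter:
    """Token bucket per source IP: sustain `rate` queries/s with `burst` headroom."""

    def __init__(self, rate: float, burst: int) -> None:
        self.rate = rate
        self.burst = burst
        self._tokens: Dict[str, float] = defaultdict(lambda: float(burst))
        self._last: Dict[str, float] = {}

    def allow(self, src: str, now: float) -> bool:
        """Consume one token for `src` at time `now`; False means drop the query."""
        last = self._last.get(src, now)
        tokens = min(float(self.burst),
                     self._tokens[src] + (now - last) * self.rate)
        self._last[src] = now
        if tokens >= 1.0:
            self._tokens[src] = tokens - 1.0
            return True
        self._tokens[src] = tokens          # keep the partial refill
        return False


def apply_limits(events: List[Tuple[float, str]],
                 rate: float = 5.0, burst: int = 10) -> Dict[str, Dict[str, int]]:
    """Replay (timestamp, source) events through the limiter and tally the outcome."""
    limiter = PerSourceRateLimiter(rate, burst)
    stats: Dict[str, Dict[str, int]] = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts, src in sorted(events):
        stats[src]["allowed" if limiter.allow(src, ts) else "dropped"] += 1
    return dict(stats)


def constructed_events() -> List[Tuple[float, str]]:
    """Constructed sample: a polite client and a spoofed address sending a burst."""
    events: List[Tuple[float, str]] = []
    for i in range(40):                      # one query every 0.5 s for 20 s
        events.append((i * 0.5, "10.0.0.7"))
    for i in range(200):                     # 200 queries inside one second
        events.append((i * 0.005, "203.0.113.10"))
    return events


if __name__ == "__main__":
    for src, counts in apply_limits(constructed_events()).items():
        print(src, counts)
```

With a 5 query/s rate and a burst of 10, the polite client never loses a query, while the burst from the spoofed address gets the initial 10 plus roughly 5 per second and the rest is dropped, which caps how much reply traffic the service can reflect toward any single claimed source.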