Distributed Denial of Service (DDoS) attacks are becoming more sophisticated and complex, and, according to security experts, the next DDoS vector to be concerned about is SNMP (Simple Network Management Protocol) amplification attacks.
Yesterday afternoon, the SANS Internet Storm Center reported SNMP scans whose source address was spoofed to look like Google’s public recursive DNS server, searching for vulnerable routers and other devices that support the protocol, are open to the public Internet, and can be made to reply with DDoS traffic.
“We are receiving some reports about SNMP scans that claim to originate from 18.104.22.168 (Google’s public recursive DNS server),” wrote Johannes Ullrich, dean of research of the SANS Technology Institute and head of the Internet Storm Center. “This is likely part of an attempt to launch a DDoS against Google by using SNMP as an amplifier/reflector.”
Simple Network Management Protocol (SNMP) is a UDP-based protocol designed to allow monitoring of network-attached devices by querying them for information about their configuration. SNMP-enabled devices are found in both home and business environments, typically printers, switches, firewalls and routers.
The attack uses the default “read-write” community string, “private.” The SNMP command sent is actually a “set” request that uses this default string as a password, and “private” is a common default, says Ullrich.
If the attack is successful, it modifies configuration variables on the affected device: the TTL (Time To Live) variable is set to 1, which, according to Ullrich, “would make it impossible for the gateway to connect to other systems that are not on the same link-layer network,” and the Forwarding variable is set to 2, which turns off IP forwarding.
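To show what the described SetRequest looks like on the wire and how a monitor could flag it, here is an added detection example (not code from the article or from SANS): a minimal SNMPv1 BER decoder that alerts on SetRequest PDUs carrying a default community string and writing the MIB-II variables ipDefaultTTL (1.3.6.1.2.1.4.2.0) or ipForwarding (1.3.6.1.2.1.4.1.0). The sample packet is constructed for this example.

```python
DEFAULT_COMMUNITIES = {b"public", b"private"}
WATCHED_OIDS = {"1.3.6.1.2.1.4.2.0": "ipDefaultTTL", "1.3.6.1.2.1.4.1.0": "ipForwarding"}
SET_REQUEST_TAG = 0xA3  # context-specific, constructed, tag 3 = SetRequest-PDU

def tlv(buf, pos):
    """Read one BER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = tlv(buf, pos)
        yield tag, value

def decode_oid(raw):
    parts, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs, high bit set on continuation octets
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))

def inspect(msg):
    """One alert per watched variable written by an SNMPv1 SetRequest using a default community; [] otherwise."""
    _, body, _ = tlv(msg, 0)
    (_, version), (_, community), (pdu_tag, pdu) = children(body)
    if version != b"\x00" or pdu_tag != SET_REQUEST_TAG or community not in DEFAULT_COMMUNITIES:
        return []
    *_, (_, varbinds) = children(pdu)  # skip request-id, error-status, error-index
    alerts = []
    for _, vb in children(varbinds):
        (_, oid_raw), (_, val) = children(vb)
        name = WATCHED_OIDS.get(decode_oid(oid_raw))
        if name:
            alerts.append(f"SetRequest with default community {community.decode()!r} "
                          f"sets {name} to {int.from_bytes(val, 'big')}")
    return alerts

# Constructed sample (not a real capture): SNMPv1 SetRequest, community "private",
# writing ipDefaultTTL.0 = 1 and ipForwarding.0 = 2, the changes the article describes.
SAMPLE = bytes.fromhex(
    "3037" "020100" "040770726976617465"        # message, version 0, community
    "a329" "020101" "020100" "020100" "301e"    # SetRequest, req-id, status, index, varbinds
    "300d" "06082b06010201040200" "020101"      # ipDefaultTTL.0 := 1
    "300d" "06082b06010201040100" "020102"      # ipForwarding.0 := 2
)
```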