The SNMP Amplification DDoS (SAD) attack saturates a target’s link with a stream of distributed UDP packets.
The SNMP Amplification distributed denial of service (DDoS) attack, or SAD, has been in circulation for some time and has been demonstrated within the security community. In 2007, Daniel Mende and Enno Rey presented “Exploring novel ways in building botnets” at ShmooCon; their tool snmpattack.pl was released the same year.
The SAD attack saturates a target’s link with a stream of UDP responses reflected off many SNMP agents. An attacker can acquire a list of Simple Network Management Protocol (SNMP) hosts and their community strings from a known source, or can scan the Internet and build their own.
The attack is called an amplification attack because each small request elicits a much larger response, which lets the attacker multiply the traffic they can generate; the ratio of request to response bytes is usually greater than 1:3.
SNMP runs over UDP, which is connectionless: there is no handshake, so the agent cannot validate that the source address in a request belongs to the real sender. The attacker therefore forges the target’s address as the source, and every agent on the list sends its oversized response to the target instead of back to the attacker.
Example SNMP BulkGetRequest may contain:
snmpbulkwalk, a command-line tool from the Net-SNMP suite, walks a MIB subtree using the SNMP GETBULK message and prints the objects beneath the requested OID. Comparing the size of each request with the size of the response it triggers shows which subtrees (large tables such as the interface table, for example) return the most response bytes per request byte; the max-repetitions field of the GETBULK request (snmpbulkwalk’s -Cr option) controls how many rows the agent packs into a single response, so raising it raises the ratio. An attacker uses this information to tune the attack for maximum amplification. The GETBULK message is not available in SNMPv1; it was introduced with SNMPv2.
Example syntax: snmpbulkwalk -v2c -c public 192.168.1.5
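To make the amplification arithmetic above concrete (the small UDP request, the agent’s much larger GETBULK response, and the request-to-response ratio an attacker tunes), the following added example hand-builds an SNMPv2c GetBulkRequest and decodes a response far enough to count its VarBinds. It is not code from the advisory or from snmpattack.pl. The sample response is constructed test data (50 made-up ifDescr rows), the function names are this example’s own, and measure_agent sends a single unspoofed request from your own address to an agent you are authorised to test; nothing here forges source addresses.

```python
"""Added example, not from the Akamai advisory: hand-build an SNMPv2c GetBulkRequest,
decode a response far enough to count its VarBinds, and report the request-to-response
byte ratio. The sample response is constructed test data, not a capture; stdlib only."""
import random
import socket
from typing import Tuple


def ber_length(n: int) -> bytes:
    """BER definite length: one byte below 128, else 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(content)) + content


def ber_integer(value: int) -> bytes:
    """Minimal two's-complement INTEGER (non-negative values only here)."""
    return ber_tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))


def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return ber_tlv(0x06, bytes(out))


def ber_read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after this TLV) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_getbulk_request(community: str, oid: str, max_repetitions: int,
                          non_repeaters: int = 0, request_id: int = 1) -> bytes:
    """SNMPv2c GetBulkRequest (PDU tag 0xA5); GETBULK does not exist in SNMPv1.
    max-repetitions, not request size, decides how many rows the agent returns."""
    varbind = ber_tlv(0x30, ber_oid(oid) + b"\x05\x00")       # OID with NULL value
    pdu = ber_tlv(0xA5, ber_integer(request_id) + ber_integer(non_repeaters)
                  + ber_integer(max_repetitions) + ber_tlv(0x30, varbind))
    return ber_tlv(0x30, ber_integer(1) + ber_tlv(0x04, community.encode()) + pdu)


def build_sample_response(community: str, request_id: int, rows: int) -> bytes:
    """Constructed stand-in for an agent's GetResponse (tag 0xA2) to a GETBULK on
    ifDescr (1.3.6.1.2.1.2.2.1.2): one made-up OCTET STRING VarBind per interface."""
    varbinds = b"".join(
        ber_tlv(0x30, ber_oid(f"1.3.6.1.2.1.2.2.1.2.{i}") + ber_tlv(0x04, b"GigabitEthernet0/1"))
        for i in range(1, rows + 1))
    pdu = ber_tlv(0xA2, ber_integer(request_id) + ber_integer(0) + ber_integer(0)
                  + ber_tlv(0x30, varbinds))   # error-status, error-index, VarBindList
    return ber_tlv(0x30, ber_integer(1) + ber_tlv(0x04, community.encode()) + pdu)


def count_varbinds(message: bytes) -> int:
    """Walk message -> PDU -> VarBindList and count the VarBinds it holds."""
    _, msg, _ = ber_read_tlv(message, 0)
    pos = 0
    for _ in range(2):                         # skip version and community
        _, _, pos = ber_read_tlv(msg, pos)
    _, pdu, _ = ber_read_tlv(msg, pos)         # 0xA5 request or 0xA2 response
    pos = 0
    for _ in range(3):                         # skip the three INTEGER header fields
        _, _, pos = ber_read_tlv(pdu, pos)
    _, vbl, _ = ber_read_tlv(pdu, pos)
    count = pos = 0
    while pos < len(vbl):
        _, _, pos = ber_read_tlv(vbl, pos)
        count += 1
    return count


def amplification_factor(request: bytes, response: bytes) -> float:
    """Response bytes per request byte; the advisory's 1:3 ratio is a factor of 3."""
    return len(response) / len(request)


def measure_agent(host: str, community: str = "public", oid: str = "1.3.6.1.2.1",
                  max_repetitions: int = 50, timeout: float = 2.0) -> Tuple[int, int, float]:
    """Send one unspoofed GETBULK (UDP/161) to an agent you are authorised to test."""
    request = build_getbulk_request(community, oid, max_repetitions, request_id=random.getrandbits(31))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, 161))
        response, _ = sock.recvfrom(65535)
    return len(request), len(response), amplification_factor(request, response)
```

Against the constructed data, the request is 37 bytes and the 50-row response is 1,732 bytes, a factor of roughly 47. Calling measure_agent("192.168.1.5") against a lab agent such as the one in the snmpbulkwalk example shows the same shape on real traffic: the request stays at a few dozen bytes whatever max-repetitions is set to, while the response grows with each row the agent returns until it reaches the agent’s maximum message size.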
Akamai has the infrastructure and mitigation strategy in place to absorb this form of attack without affecting our customers’ legitimate traffic.
Network and security administrators should verify that they have no Internet-accessible devices answering SNMP with default or guessable community strings (such as public), and should restrict UDP port 161 to trusted management hosts.
Akamai® is the leading provider of cloud services for helping enterprises provide secure, high-performing user experiences on any device, anywhere. At the core of the Company's solutions is the Akamai Intelligent Platform, providing extensive reach coupled with unmatched reliability, security, visibility and expertise. Akamai helps enterprises around the world optimize the web experience with SaaS cloud computing solutions including web application acceleration, mobile and web performance optimization, web media delivery and content delivery network (CDN) services. Akamai's cloud security solutions protect online assets against threats such as SQL injection and DDoS attacks for maximum information security. Akamai removes the complexities of connecting the increasingly mobile world, supporting 24/7 consumer demand, and enabling enterprises to securely leverage the cloud.