The SNMP Amplification DDoS (SAD) attack saturates a target’s link with a stream of distributed UDP packets.
The SNMP Amplification distributed denial of service (DDoS) attack, or SAD, has been in circulation for some time and has been demonstrated within the security community. In 2007, Daniel Mende and Enno presented “Exploring novel ways in building botnets” at Shmoocon; their tool snmpattack.pl was also released that year.
An attacker can acquire a list of Simple Network Management Protocol (SNMP) hosts and their community strings from a known source, or scan the Internet and build their own.
The attack is called amplification because the attacker can both distribute it across many reflecting hosts and increase its size: the ratio of request bytes to response bytes is usually greater than 1:3.
SNMP runs over UDP, which by design is connectionless and stateless, so the SNMP service cannot validate that the source IP address of a request is genuine; the response to a request carrying a spoofed source address is delivered to that spoofed address, i.e. to the target.
An example SNMP GetBulkRequest may contain:
The snmpbulkwalk tool in the libsnmp library issues the SNMP GETBULK message, and the response lists the MIB objects the agent returns for GETBULK. Comparing the size of each request with the size of its response shows which MIB subtree yields the largest response per request byte; an attacker can use this to tune the attack, and a defender can use the same measurement to gauge how much amplification a given device offers. GETBULK is not available in SNMP v1 (it was introduced in SNMPv2).
Example syntax: snmpbulkwalk -v2c -c public 192.168.1.5
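The following Python script is an added example (not code from the original article or from Akamai) that applies the request-to-response ratio heuristic described above to constructed flow records, flagging a host that receives large UDP replies sourced from port 161 on several agents without having sent any requests itself. The record format, IP addresses and thresholds are assumptions for illustration.

```python
"""Flag likely SNMP amplification victims in constructed flow records."""
from collections import defaultdict

SNMP_PORT = 161
# Assumed: a GETBULK request is rarely larger than ~100 bytes, and the article
# notes the request:response byte ratio is usually beyond 1:3.
TYPICAL_REQUEST_BYTES = 100
MIN_RATIO = 3
MIN_REFLECTORS = 2

# Constructed flow records, not real traffic:
# (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
FLOWS = [
    # A legitimate poller walking one agent: small request, one large reply.
    ("10.0.0.5", 50123, "10.0.0.9", 161, "udp", 1, 82),
    ("10.0.0.9", 161, "10.0.0.5", 50123, "udp", 1, 1340),
    # Several agents replying to the same host that never sent a request.
    ("198.51.100.10", 161, "203.0.113.7", 40000, "udp", 1200, 1_560_000),
    ("198.51.100.11", 161, "203.0.113.7", 40000, "udp", 900, 1_170_000),
    ("198.51.100.12", 161, "203.0.113.7", 40000, "udp", 1500, 1_950_000),
]


def find_amplified_victims(flows, min_ratio=MIN_RATIO, min_reflectors=MIN_REFLECTORS):
    """Return {victim_ip: (reflector_count, avg_bytes_per_packet, total_bytes)}.

    A destination is flagged when it receives large packets from port 161 on at
    least `min_reflectors` distinct agents and the bytes it receives exceed
    `min_ratio` times the bytes it sent to port 161 (a spoofed victim sends none).
    """
    per_victim = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    requests_from = defaultdict(int)  # bytes each host sent *to* UDP/161
    for src, sport, dst, dport, proto, pkts, nbytes in flows:
        if proto != "udp":
            continue
        if dport == SNMP_PORT:
            requests_from[src] += nbytes
        elif sport == SNMP_PORT:
            v = per_victim[dst]
            v["reflectors"].add(src)
            v["packets"] += pkts
            v["bytes"] += nbytes
    flagged = {}
    for victim, v in per_victim.items():
        avg = v["bytes"] / v["packets"]
        sent = requests_from.get(victim, 0)
        ratio = v["bytes"] / sent if sent else float("inf")
        if (avg > min_ratio * TYPICAL_REQUEST_BYTES
                and len(v["reflectors"]) >= min_reflectors and ratio > min_ratio):
            flagged[victim] = (len(v["reflectors"]), round(avg, 1), v["bytes"])
    return flagged
```

The legitimate poller is not flagged because only one agent answers it; the reflector-count threshold is what separates a normal GETBULK walk, which also has a high byte ratio, from reflected traffic.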
Akamai has the infrastructure and mitigation strategy in place to absorb this form of attack without affecting our customers' legitimate traffic.
Network and security administrators should verify that they have no Internet-accessible devices that answer SNMP with default or easily guessed community strings (such as "public"), and should restrict SNMP access to trusted management networks.