SNMP Amplification DDoS (SAD) [High Risk]

Published March 2012

The SNMP Amplification DDoS (SAD) attack saturates a target’s link with a stream of distributed UDP packets.

What You Need to Know

The SNMP amplification distributed denial of service (DDoS) attack, or SAD, has been in circulation for some time and has been demonstrated within the security community. In 2007, Daniel Mende and Enno Rey presented "Exploring novel ways in building botnets" at ShmooCon; their tool snmpattack.pl was released the same year.

The SAD attack saturates a target's link with a stream of UDP packets reflected off many Simple Network Management Protocol (SNMP) agents. An attacker can obtain a list of SNMP hosts and their community strings from a known source, or scan the Internet and build their own.

The attack is called an amplification attack because each small spoofed request elicits a much larger response, so the reflectors multiply the bandwidth the attacker has to spend. The ratio of request bytes to response bytes is usually greater than 1:3.

SNMP runs over UDP, which is connectionless and stateless: there is no handshake before the agent answers, so the agent has no way to verify that the source IP address in a request belongs to the host that sent it. A request with a forged source address is simply answered to whatever address the attacker wrote into it.

An example SNMP GetBulkRequest exchange (sizes on the wire, headers included) may look like:

  • 82 bytes per request
  • 423 bytes per response

i.e. roughly a 1:5 request-to-response ratio.

The snmpbulkwalk tool from the Net-SNMP suite walks an OID subtree using GETBULK requests and prints the objects returned for each one. Comparing the size of each request with the size of the response it produces shows which subtree yields the largest response for the smallest request; an attacker can use this to tune the attack for maximum amplification. The GETBULK operation was introduced in SNMPv2 and is not available in SNMPv1, so only v2c agents are useful reflectors for it.

Example syntax: snmpbulkwalk -v2c -c public 192.168.1.5
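To show where the small request size comes from, the following Python is an added example (written for this page, not code from the advisory or from snmpattack.pl). It hand-encodes the SNMPv2c GetBulkRequest that the snmpbulkwalk command above would send, using a minimal BER encoder, and adds the header overhead to get the on-the-wire frame size. Assumptions: a 4-byte request-id, non-repeaters 0 and max-repetitions 10 (snmpbulkwalk's defaults), and Ethernet II + IPv4 without options + UDP encapsulation; the 423-byte response figure is taken from the text and is only used to compute the ratio.

```python
"""Minimal BER encoder for an SNMPv2c GetBulkRequest (RFC 3416).

Added example for this page; it assumes only the Python standard library."""

VERSION_V2C = 1                     # SNMPv1 = 0, SNMPv2c = 1
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_NULL = 0x05
TAG_OID = 0x06
TAG_SEQUENCE = 0x30
TAG_GETBULK_PDU = 0xA5              # context-specific, constructed, tag [5]
ETH_IP_UDP_OVERHEAD = 14 + 20 + 8   # Ethernet II + IPv4 (no options) + UDP (assumption)


def ber_length(n: int) -> bytes:
    """Definite-form BER length: one byte below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, content: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + ber_length(len(content)) + content


def ber_int(value: int) -> bytes:
    """INTEGER in minimal two's-complement form (e.g. 0 -> 02 01 00)."""
    size = 1
    while not -(1 << (8 * size - 1)) <= value < (1 << (8 * size - 1)):
        size += 1
    return ber_tlv(TAG_INTEGER, value.to_bytes(size, "big", signed=True))


def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                                  # continuation bytes carry bit 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return ber_tlv(TAG_OID, bytes(out))


def build_getbulk(community: str, oid: str, non_repeaters: int = 0,
                  max_repetitions: int = 10, request_id: int = 0x12345678) -> bytes:
    """SNMPv2c message carrying one GetBulkRequest with a single varbind.

    Message ::= SEQUENCE { version INTEGER, community OCTET STRING, PDU }
    PDU     ::= [5] { request-id, non-repeaters, max-repetitions, varbinds }
    The request-id value is an arbitrary assumption for the example."""
    varbind = ber_tlv(TAG_SEQUENCE, ber_oid(oid) + ber_tlv(TAG_NULL, b""))
    pdu = ber_tlv(TAG_GETBULK_PDU,
                  ber_int(request_id) + ber_int(non_repeaters)
                  + ber_int(max_repetitions) + ber_tlv(TAG_SEQUENCE, varbind))
    return ber_tlv(TAG_SEQUENCE,
                   ber_int(VERSION_V2C)
                   + ber_tlv(TAG_OCTET_STRING, community.encode("ascii"))
                   + pdu)


def frame_size(snmp_message: bytes) -> int:
    """Bytes on the wire for one datagram: SNMP payload plus the assumed headers."""
    return len(snmp_message) + ETH_IP_UDP_OVERHEAD


def amplification(request_frame: int, response_frame: int) -> float:
    """Response bytes per request byte."""
    return response_frame / request_frame


if __name__ == "__main__":
    req = build_getbulk("public", "1.3.6.1.2.1")
    print(req.hex())
    print("SNMP message:", len(req), "bytes; frame:", frame_size(req), "bytes")
    print("amplification vs. 423-byte response: %.1fx" % amplification(frame_size(req), 423))
```

The 25-byte PDU the encoder produces is what tcpdump reports as GetBulk(25) for the same request, and the 40-byte message plus 42 bytes of headers is the 82-byte request quoted above. Because the request is mostly fixed-size framing, the only lever the attacker has on this side is choosing an OID whose GETBULK answer is large; max-repetitions controls how many objects the agent packs into that answer.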

Attack Signature:

The exchange below is tcpdump output. The number in parentheses is the length of the SNMP PDU in bytes (not the whole frame), and N and M are the non-repeaters and max-repetitions fields of the GetBulk PDU. One 25-byte PDU elicits a 284-byte one.

  • Request:
    14:54:54.183509 IP 192.168.1.100.59933 > 192.168.1.5.161: GetBulk(25)
      N=0 M=10 .1.3.6.1.2.1
  • Response:
    14:54:54.183942 IP 192.168.1.5.161 > 192.168.1.100.59933:
      GetResponse(284) .1.3.6.1.2.1.1.1.0="VMware ESX 4.1.0 build-348481
      VMware, Inc.x86_64" .1.3.6.1.2.1.1.2.0=.1.3.6.1.4.1.6876.4.1
      .1.3.6.1.2.1.1.3.0=114421444 .1.3.6.1.2.1.1.4.0="not set"
      .1.3.6.1.2.1.1.5.0="target domain" .1.3.6.1.2.1.1.6.0="not set"
      .1.3.6.1.2.1.1.7.0=72 .1.3.6.1.2.1.1.8.0=0
      .1.3.6.1.2.1.1.9.1.2.1=.1.3.6.1.6.3.1 .1.3.6.1.2.1.1.9.1.2.2=.1.3.6.1.2.1.31

Attack Sequence:

  1. The attacker enumerates SNMP hosts (the reflectors) and their community strings.
  2. The attacker sends SNMP GetBulkRequest messages to the reflectors with the source
     address spoofed to the target's IP.
  3. The reflectors send their much larger responses to the target.
  4. The target's link is saturated by responses many times larger than the original requests.
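The following Python is an added detection example, not part of the original advisory, that applies the signature and sequence above from the victim's side of the link. It parses tcpdump one-line SNMP summaries of the form shown in the signature, records which local hosts actually sent an SNMP request, and counts inbound GetResponse PDUs from UDP/161 that no local host asked for, grouped by destination. The sample lines are constructed for the example (RFC 5737 documentation addresses stand in for Internet reflectors), and the threshold of three distinct reflectors is an arbitrary assumption. The lengths tcpdump prints in parentheses exclude the IP/UDP/Ethernet headers, so the byte totals are a lower bound on link load.

```python
import re
from collections import defaultdict

SNMP_PORT = 161

# One-line tcpdump SNMP summary, as in the signature above: timestamp, "IP",
# src.port > dst.port:, then the PDU type and the PDU length in parentheses.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?P<pdu>GetBulk|GetRequest|GetNextRequest|GetResponse)\((?P<plen>\d+)\)"
)

# Constructed sample traffic (not a real capture).  10.0.0.7 legitimately polls
# 10.0.0.20; 10.0.0.99 never sends a request but receives responses from four
# outside agents (RFC 5737 documentation addresses play the reflectors).
SAMPLE_LINES = [
    '14:54:54.183509 IP 10.0.0.7.59933 > 10.0.0.20.161: GetBulk(25) N=0 M=10 .1.3.6.1.2.1',
    '14:54:54.183942 IP 10.0.0.20.161 > 10.0.0.7.59933: GetResponse(284) .1.3.6.1.2.1.1.1.0="lab switch"',
    '14:55:01.000120 IP 198.51.100.5.161 > 10.0.0.99.53201: GetResponse(284) .1.3.6.1.2.1.1.1.0="router"',
    '14:55:01.000233 IP 198.51.100.6.161 > 10.0.0.99.53201: GetResponse(1320) .1.3.6.1.2.1.2.2.1.2.1="eth0"',
    '14:55:01.000347 IP 198.51.100.7.161 > 10.0.0.99.53201: GetResponse(284) .1.3.6.1.2.1.1.1.0="printer"',
    '14:55:01.000461 IP 198.51.100.8.161 > 10.0.0.99.53201: GetResponse(902) .1.3.6.1.2.1.1.1.0="camera"',
    '14:55:01.000577 ARP, Request who-has 10.0.0.1 tell 10.0.0.99, length 28',
]


def parse_line(line):
    """Return a dict for a tcpdump SNMP summary line, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "plen"):
        rec[key] = int(rec[key])
    return rec


def find_reflection_victims(lines, min_reflectors=3):
    """Vantage point: a sensor on the victim side of the link.

    Every SNMP request a local host really sends is remembered as a
    (local host, agent) pair.  An inbound GetResponse from UDP/161 whose
    destination never asked that agent for anything is counted as reflected
    traffic.  Returns {victim_ip: {"reflectors": set, "pdu_bytes": int}} for
    destinations hit by at least min_reflectors distinct agents."""
    solicited = set()
    unsolicited = defaultdict(lambda: {"reflectors": set(), "pdu_bytes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["pdu"] != "GetResponse" and rec["dport"] == SNMP_PORT:
            solicited.add((rec["src"], rec["dst"]))          # a local host really asked
        elif rec["pdu"] == "GetResponse" and rec["sport"] == SNMP_PORT:
            if (rec["dst"], rec["src"]) in solicited:
                continue                                      # answer to a real request
            victim = unsolicited[rec["dst"]]
            victim["reflectors"].add(rec["src"])
            victim["pdu_bytes"] += rec["plen"]
    return {ip: v for ip, v in unsolicited.items()
            if len(v["reflectors"]) >= min_reflectors}


if __name__ == "__main__":
    for ip, info in find_reflection_victims(SAMPLE_LINES).items():
        print(ip, "hit by", len(info["reflectors"]), "reflectors,",
              info["pdu_bytes"], "PDU bytes")
```

This only works on the victim side: a sensor next to a reflector sees the spoofed requests arriving "from" the victim and would treat the responses as solicited. On that side the useful signal is GetBulk requests reaching UDP/161 from addresses outside the management network, which is exactly the exposure the remediation below tells administrators to remove.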

Remediation:

Akamai has the proper infrastructure and mitigation strategy in place to absorb this form of attack while not affecting our customers' legitimate traffic.

Network and security administrators should validate that they do not have Internet-accessible devices answering to default or guessable community strings such as "public". In practice this means restricting UDP/161 to management networks with ACLs, replacing default community strings, preferring SNMPv3 with authentication where devices support it, and checking the organization's own address space with a tool such as snmpbulkwalk to find agents that still answer from the outside. Ingress filtering of spoofed source addresses (BCP 38) at customer-facing edges stops the forged requests from leaving a network in the first place.
