Openly Accessible SNMP Servers

Description

The Simple Network Management Protocol (SNMP) is used for exchanging management information between network devices. By default, a SNMP agent listens on port 161/TCP and port 161/UDP. A SNMP manager listens on port 162/TCP and port 162/UDP for SNMP trap (Alert) messages sent from a SNMP enabled network device.

Problem

An Openly Accessible SNMP server configured with the default 'public' community string can be abused for a Distributed Denial of Service (DDoS) Reflection attack against third parties. SNMP supports trivial authentication by using a community name, which serves as a password for either retrieving or modifying management data. The SNMP GetBulk command option introduced in SNMPv2c and included in SNMPv3 provides a method for a SNMP manager to retrieve a large amount of data from a SNMP agent with a single SNMP request, if exploited by an attacker, it can lead to the amplification of the SNMP DDoS Reflection attack. In addition, SNMP enabled devices can be exploited by an attacker to collect information on the basic system configuration of a network and its resources.

Example of an Amplified SNMP DDoS Reflection Attack

An attacker will first conduct a scan against all targets in a network listening on port 161/UDP, Many SNMP enabled devices, such as routers, are to be found on the parameter of the network, outside the protection of a firewall. On identifying a SNMP enabled device, the attacker, seeking to exploit the SNMP protocol, will initiate a brute force and dictionary attack to identify the community string used on the SNMP enabled device. The default community string for read-only access is 'public', while the default community string for read/write access is 'private'. If the correct community string is submitted, the SNMP enabled device will respond with the requested information. If the community string is 'public', the attacker can dump data from the target system, information such as the device MAC address, hostname, TCP/UDP ports the device is listening on, software installed and processes running. If the community string is 'private', the attacker can download the configuration file of the device, modify it and upload it again to the target system.

In an Amplified SNMP DDoS Reflection attack, the attacker will first scan the Internet for SNMP enabled devices listening on port 161/UDP, configured with the default public community string and preferably running SNMPv2c. The attacker will use these legitimate hosts as reflectors in the amplified SNMP DDoS attack against an unsuspecting victim.

SNMP uses the User Datagram Protocol (UDP) as it's underlying transportation protocol, UDP is a connectionless protocol that uses datagrams embedded in Internet Protocol (IP) packets for communication without the need to create a session between two (2) devices and therefore does not require to undergo the handshake process. The attacker uses tools to modify the source address in the IP packet header (IP Spoofing) to make the legitimate hosts (selected to act as reflectors in the attack) think the packet is from the unsuspecting victim.

The attacker will, using UDP with the forged (spoofed) IP address of the unsuspecting victim, send a SNMP Getbulk request to the list of reflectors. The SNMP enabled devices, in turn, reply to the forged (spoofed) IP address with a SNMP Getbulk reply (amplified payload). The attack volume grows as more and mores devices continue to reply, until the victim's network is overwhelmed under the volume of unsolicited SNMP responses. Such attacks usually last for several hours, are highly disruptive and can be very hard to mitigate.

Finally, the attacker will not launch the attack himself, instead he will uses botnets. A botnet is a number of malware infected computers spread across the world that the botnet controller can use for various purposes. The command server of a botnet is known as a "Stresser" or "Booter". The botnet controller offer his "Stresser" or "Booter" as a service, to deliver DDoS attacks, on the internet. The attacker can hire the services of a "Stresser" or "Booter" for a specified time, for a specified fee to launch a Distributed Denial of Service (DDoS) Reflection attack against a target of choice.

SNMP Security Levels.

Security Model Security Level Authentication Encryption Type
SNMPv1 noAuthNoPriv Community string None
SNMPv2c noAuthNoPriv Community string None
SNMPv3 noAuthNoPriv User name None
  AuthNoPriv MD5 or SHA None
  authPriv MD5 or SHA CBC-DES (DES-56)

SNMPv1 and SNMPv2c Security.

SNMPv1 and SNMPv2c enabled devices have a default setting of read-only community string set to 'public'. Network administrators are advised to change this default public community string in order to prevent unauthorised access to these network device.

SNMPv3 Security Levels and Encryption.

noAuthNoPriv - Communication without authentication and privacy. Uses only User name for authentication and no encryption or privacy.

AuthNoPriv - Communication with authentication and without privacy. The protocols used for authentication are MD5 (Message Digest Algorithm) and SHA (Secure Hash Algorithm). Authentication based on the Hashed Message Authentication Code (HMAC)-MD5 or HMAC-SHA algorithms.

authPriv - Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. Communication with authentication and without privacy. The protocols used for authentication are MD5 and SHA. The DES 56-bit encryption provided is based on the Cipher Block Chaining (CBC)-DES (DES-56) standard.

Verification

To establish if a host has an openly accessible service on the Internet, simple utility programs or tools included with the standard Linux/Ubuntu distribution can be used. The test should not be run on the host itself or from the local network but instead from a different node on the Internet.

snmpget

To confirm if a SNMP server is configured as an Openly Accessible SNMP server, the snmpget tool can be used.

$ snmpget [options] [community string/authentication] [host name/address] [object identifier]

Options and Agent OID

-c community string for SNMPv1/SNMPv2 transactions.
-v Specifies the SNMP version to use.

OID description - SNMPv2-MIB - 1.3.6.1.2.1.1.1.0
(iso(1) identified-organisation(3) dod(6) internet(1) mgmt(2) mib-2(1) system(1) sysDescriptor(1))

In the following example, substitue x.x.x.x. with the IP address of the SNMP server and select appropriate options where necessary.

$ snmpget -c public -v 2c x.x.x.x 1.3.6.1.2.1.1.1.0

An openly accessible SNMP server will return a 'System Description' string similar to the following:

iso.3.6.1.2.1.1.1.0 = STRING: "Linux easy.box 2.6.32.32 #1 Tue Jun 19 14:33:35  cst 2020 mips"

In the event that an SNMP server that is not open accessible, snmpget will experience a timeout.

Timeout:	No Response from x.x.x.x

Solution

Disable SNMP on network devices if it is not used or required.

Restrict access to SNMP service to trusted clients in the servers configuration.

Restrict public access to SNMP enabled network devices such as printers and ensure they are not visible from the internet.

Configure SNMPv1 & SNMPv2c enabled network devices as a private community with mandatory authentication instead of the default 'public' community.

Configure SNMPv3 enabled network devices with Security Level authPriv and implement authentication and encryption.

Ingress filtering is a simple and effective method to limit the impact of DoS attacks, by denying traffic with a forged source (spoofed) IP address access to the network, and to help ensure that traffic is traceable to its correct network.

Egress filtering limits the impact of a compromised network in a Denial of Service (DoS) attack on networks of other organisations by preventing traffic with a forged source (spoofed) IP address from leaving the network.

Ingress & Egress Filtering

The implementation of best practice in relation to Ingress filtering limits the impact of a Denial of Service (DoS) attack on one's own network while the implementation of best practice in relation to Egress filtering limits the impact of a compromised network in a Denial of Service (DoS) attack on networks of other organisations. Additional information on Ingress & Egress Filtering can be found at the following link.
Ingress & Engress Filtering

Additional Information

SNMP Tutorial
SNMP Concepts and Configuration
Multiple Vulnerabilities in SNMP by Guofei Jiang of Dartmount College.
SNMP Community String - Targeting the Network
SNMP DDoS Vector - Secure Your Network
US-Cert Reducing the Risk of SNMP Abuse.
Youtube video - UDP-based amplified reflection attacks