Subscribe to RSS News Feed
About Spamhaus  |  Press Office  |  FAQs   
SNMP DDoS Vector - Secure Your Network NOW!

2011-12-23 17:39:00 GMT, by Chris Thompson
Recent News Articles

Spamhaus launches CERT Insight Portal

The Spamhaus Policy Block List now covers One Billion IP addresses

Resilans Incident Report

ICANN SSAC on DDoS, DNS and BCP 38

The return of the open relays

The DMA kicks spam up a notch

Celebrating The First Birthday Of The Spamhaus BGPf

An arrest in response to March DDoS attacks on Spamhaus


Older News Articles:
Spamhaus News INDEX

Spamhaus has observed a newer type of distributed denial-of-service attack (DDoS) which has only recently become popular among cybercriminals. In just the past month, several attacks using this method have been investigated by private security firms and law enforcement agencies. During December 2011, Spamhaus sustained an SNMP DDoS on the order of magnitude of the largest DDoS seen to date on the Internet. Our anti-DDoS resources allowed us to implement effective measures to mitigate this attack, and we are working with law enforcement and security industry partners to shut down the originators.

This DDoS vector is similar to the older DNS Amplification Attack, but instead of DNS it uses Simple Network Management Protocol (SNMP) services to reflect and amplify a stream of UDP packets toward a DDoS target. The attacker's packets contain forged (spoofed) originating IP addresses, so that the SNMP server to which these packets are sent replies with a large UDP packet to the spoofed address, which belongs to the victim. The amplification effect of this vector can produce high traffic volumes from a relatively small input stream, effectively clogging the 'pipes' into the victim's server to produce denial of service.

Mitigation is similar to other DDoS attacks: identify the bad packets (which tend to be large and fragmented, making identification reasonably easy), filter them out, and then firewall IP addresses that are emitting or reflecting these packets as far upstream from the victim IP addresses as possible. A knowledgeable and involved upstream host is invaluable.

An ounce of prevention is worth a pound of cure and, as with so many things, networks can do a great deal to prevent damage to the Internet as a whole--and to their fellow networks in particular--by properly securing their own resources. Filtering malformed inbound packets ("ingress filtering") to stop spoofing-related DDoS has been "best current practice" since before year 2000, required per IETF BCP 38 as described in RFC 2827. Egress filtering (packets leaving your network) is also good practice, and is covered in SANS' Egress Filtering FAQ. Together, those practices alone would prevent this and several other types of DDoS attack, as well as various other attacks.

A narrower but also effective way to prevent your network from participating in an SNMP DDoS is to firewall or otherwise secure your SNMP server. It should be used in conjunction with ingress/egress filtering. By allowing access to the SNMP server only from a small range of IP addresses which you control, you prevent your SNMP server from being fooled into sending information to a third party. Since SNMP information can also be used to map services inside your network, securing it properly protects your network from attacks as well as from being used to attack other networks. More about securing SNMP can be found here.

Fix your ingress/egress filtering and secure your SNMP NOW!


Spamhaus Information

Press Office
Spamhaus News Index
Spamhaus in the media
About Spamhaus
Spamhaus Official Statements
Article Information

Permanent link to this news article:
SNMP DDoS Vector - Secure Your Network NOW!
http://www.spamhaus.org/news/article/678/snmp-ddos-vector-secure-your-network-now

Subscribe to RSS News Feed
Spamhaus News Quotes

Permission to quote from or reproduce Spamhaus News articles is granted automatically providing you state the source as Spamhaus and link to the news record.
© 1998-2014 The Spamhaus Project Ltd. All rights reserved.
Legal  |  Privacy