The Spamhaus Project


SNMP DDoS Vector - Secure Your Network NOW!

by The Spamhaus TeamDecember 23, 20113 minutes reading time

Spamhaus has observed a newer type of distributed denial-of-service attack (DDoS) which has only recently become popular among cybercriminals. In just the past month, several attacks using this method have been investigated by private security firms and law enforcement agencies. During December 2011, Spamhaus sustained an SNMP DDoS on the order of magnitude of the largest DDoS seen to date on the Internet. Our anti-DDoS resources allowed us to implement effective measures to mitigate this attack, and we are working with law enforcement and security industry partners to shut down the originators.

This DDoS vector is similar to the older DNS Amplification Attack, but instead of DNS it uses Simple Network Management Protocol (SNMP) services to reflect and amplify a stream of UDP packets toward a DDoS target. The attacker's packets contain forged (spoofed) originating IP addresses, so that the SNMP server to which these packets are sent replies with a large UDP packet to the spoofed address, which belongs to the victim. The amplification effect of this vector can produce high traffic volumes from a relatively small input stream, effectively clogging the 'pipes' into the victim's server to produce denial of service.

Mitigation is similar to other DDoS attacks: identify the bad packets (which tend to be large and fragmented, making identification reasonably easy), filter them out, and then firewall IP addresses that are emitting or reflecting these packets as far upstream from the victim IP addresses as possible. A knowledgeable and involved upstream host is invaluable.

An ounce of prevention is worth a pound of cure and, as with so many things, networks can do a great deal to prevent damage to the Internet as a whole--and to their fellow networks in particular--by properly securing their own resources. Filtering malformed inbound packets ("ingress filtering") to stop spoofing-related DDoS has been "best current practice" since before year 2000, required per IETF BCP 38 as described in RFC 2827. Egress filtering (packets leaving your network) is also good practice, and is covered in SANS' Egress Filtering FAQ. Together, those practices alone would prevent this and several other types of DDoS attack, as well as various other attacks.

A narrower but also effective way to prevent your network from participating in an SNMP DDoS is to firewall or otherwise secure your SNMP server. It should be used in conjunction with ingress/egress filtering. By allowing access to the SNMP server only from a small range of IP addresses which you control, you prevent your SNMP server from being fooled into sending information to a third party. Since SNMP information can also be used to map services inside your network, securing it properly protects your network from attacks as well as from being used to attack other networks. More about securing SNMP can be found here.

Fix your ingress/egress filtering and secure your SNMP NOW!