Incident Response, TDR

SNMP reflection DDoS attacks on the rise, researchers find

Akamai's Prolexic Security Engineering Response Team (PLXsert) issued a threat advisory last week warning of an uptick in reflection distributed denial-of-service (DDoS) attacks using Simple Network Management Protocol (SNMP).

Dating back to April 11, PLXsert researchers observed 14 SNMP reflection DDoS campaigns that targeted the consumer goods, gaming, hosting, non-profit and software-as-a-service industries, according to the advisory, which indicates the threat is considered a “medium” risk.

Nearly half of the observed attacks were based out of the U.S., according to the advisory, with SNMP distribution also being sourced to China, Brazil, Italy and Turkey, France, Pakistan, German, U.K., and Canada.

“Sometimes attackers lean towards victimizing network devices open to reflecting traffic that are geographically closer to the target,” David Fernandez, head of PLXsert, told in a Wednesday email correspondence. “In the case of the statistics displayed within the advisory, the target customer site locations were also based in the U.S.”

Perhaps ironically, the advisory comes just a few weeks after Johannes Ullrich, dean of research with the SANS Technology Institute, told that he expects to see a rise in the number of DDoS attacks using SNMP.

Earlier this month, after observing an SNMP reflection DDoS attack, Ullrich explained that the attack is essentially carried out by sending a typically small request to a network-connected device exposing SNMP, which returns a significantly larger response.

As part of the PLXsert study, researchers simulated a request made by the SNMP Refelector [sic] DDoS tool – a tool available on the internet that was made by Team Poison in 2011, and was identified as being used in one of the observed attacks.

A request of 37 bytes received an amplified response of 51,722 bytes, according to the advisory.

“SNMP is a standard service utilized by network devices all over the world,” Fernandez said. “The internet is built on the back of core routers. Based on our research, [more than] 90 [percent] of network devices being victimized are routers.”

The advisory offers several suggestions to mitigate the threat, including restricting and monitoring access to SNMP devices, closing certain SNMP devices to the internet, and using SNMP v3 when possible. Additionally, the community string, which serves as a password for accepting requests, should not be the default of “public.”

“Seems like SNMP is the next phase [of DDoS reflection techniques because] the amplification multipliers are very high,” Fernandez said, adding the DDoS threat landscape is unpredictable and continues to evolve. “At this point, the most utilized reflection technique identified is still NTP followed by CHARGEN.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.