Prolexic researchers have witnessed an uptick in the number of DDoS attacks using SNMP.

Akamai's Prolexic Security Engineering Response Team (PLXsert) issued a threat advisory last week warning of an uptick in reflection distributed denial-of-service (DDoS) attacks using Simple Network Management Protocol (SNMP).

Dating back to April 11, PLXsert researchers observed 14 SNMP reflection DDoS campaigns that targeted the consumer goods, gaming, hosting, non-profit and software-as-a-service industries, according to the advisory, which indicates the threat is considered a “medium” risk.

Nearly half of the observed attacks were based out of the U.S., according to the advisory, with SNMP distribution also being sourced to China, Brazil, Italy, Turkey, France, Pakistan, Germany, the U.K. and Canada.

“Sometimes attackers lean towards victimizing network devices open to reflecting traffic that are geographically closer to the target,” David Fernandez, head of PLXsert, told SCMagazine.com in a Wednesday email correspondence. “In the case of the statistics displayed within the advisory, the target customer site locations were also based in the U.S.”

Perhaps ironically, the advisory comes just a few weeks after Johannes Ullrich, dean of research with the SANS Technology Institute, told SCMagazine.com that he expects to see a rise in the number of DDoS attacks using SNMP.

Earlier this month, after observing an SNMP reflection DDoS attack, Ullrich explained that the attack is essentially carried out by sending a typically small request to a network-connected device exposing SNMP, which returns a significantly larger response.
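For network owners, the size asymmetry Ullrich describes is something flow data can reveal. The following Python sketch is an added example, not code from the advisory or from PLXsert: it totals SNMP (UDP port 161) request and response bytes per internal device for traffic crossing the network edge and reports devices whose responses are several times larger than the requests they answer. The flow tuple layout, the internal address range, the threshold and the sample records are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

SNMP_PORT = 161
# Assumed internal range (documentation prefix), not from the advisory.
INTERNAL = ipaddress.ip_network("192.0.2.0/24")

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
FLOWS = [
    # External address queries .10, which returns much larger responses.
    ("203.0.113.50", 40000, "192.0.2.10", 161, "udp", 80),
    ("192.0.2.10", 161, "203.0.113.50", 40000, "udp", 1400),
    ("203.0.113.50", 40001, "192.0.2.10", 161, "udp", 80),
    ("192.0.2.10", 161, "203.0.113.50", 40001, "udp", 1400),
    # External query to .20 with a response of similar size.
    ("198.51.100.7", 51000, "192.0.2.20", 161, "udp", 90),
    ("192.0.2.20", 161, "198.51.100.7", 51000, "udp", 120),
    # Internal management station polling .30: never crosses the edge.
    ("192.0.2.5", 33000, "192.0.2.30", 161, "udp", 85),
    ("192.0.2.30", 161, "192.0.2.5", 33000, "udp", 1500),
    # Non-UDP traffic is ignored.
    ("203.0.113.50", 44000, "192.0.2.10", 443, "tcp", 5000),
]

def find_reflectors(flows, internal=INTERNAL, min_ratio=5.0):
    """Map each internal device answering external SNMP queries to its
    response/request byte ratio, keeping only ratios >= min_ratio."""
    req_bytes = defaultdict(int)   # bytes of external requests per device
    resp_bytes = defaultdict(int)  # bytes of responses sent off-network
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        s_in = ipaddress.ip_address(src) in internal
        d_in = ipaddress.ip_address(dst) in internal
        if dport == SNMP_PORT and d_in and not s_in:
            req_bytes[dst] += nbytes
        elif sport == SNMP_PORT and s_in and not d_in:
            resp_bytes[src] += nbytes
    flagged = {}
    for device, sent in resp_bytes.items():
        received = req_bytes.get(device, 0)
        if received == 0:
            continue  # request not captured (sampling or asymmetric path)
        ratio = sent / received
        if ratio >= min_ratio:
            flagged[device] = ratio
    return flagged

if __name__ == "__main__":
    for device, ratio in find_reflectors(FLOWS).items():
        print(f"{device} answers external SNMP at {ratio:.1f}x amplification")
```

Any device this reports is reachable over SNMP from outside the network and is a candidate for an edge filter on UDP port 161 or for having SNMP disabled.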

As part of the PLXsert study, researchers simulated a request made by the SNMP Refelector [sic] DDoS tool – a tool available on the internet that was made by Team Poison in 2011, and was identified as being used in one of the observed attacks.