The Akamai Blog

PLXsert Eyes Spike in SNMP Reflection DDoS Attacks

Akamai's Prolexic Security Engineering Response Team (PLXsert) has seen a significant resurgence in the use of Simple Network Management Protocol (SNMP) reflection attacks this past month.

In an advisory, PLXsert said these DDoS attacks abuse the SNMP protocol, which is commonly supported by network devices such as printers, switches, firewalls and routers.

The advisory notes that many network devices use SNMP to store such data as IP addresses on a router or the type of toner used in a printer. Further, older devices (those manufactured approximately three or more years ago) used SNMP version 2 and were commonly delivered with the SNMP protocol openly accessible to the public by default.

"Through the use of GetBulk requests against SNMP v2, malicious actors can cause a large number of networked devices to send their stored data all at once to a target in an attempt to overwhelm the resources of the target," the advisory said. "This kind of DDoS attack, called a distributed reflection and amplification (DrDoS) attack, allows attackers to use a relatively small amount of their own resources to create a massive amount of malicious traffic."

More from the advisory:

Attackers appear to be using a malicious tool to automate their GetBulk requests, possibly using multiple threads. First, an attacker would need to scan the Internet for hosts that are listening on port 161 and using a community string of public. The tool or a paid DDoS service may provide lists of such devices. The list of IP addresses would be placed in a text file, which is input into the attack tool.

Using the IP address of the attacker's target as a spoofed source from which the requests will appear to originate, the attacker generates snmpbulkget requests to the list of reflectors. These actions lead to a flood of SNMP GetResponse data sent from the reflectors to the target. The target will see this inflow of data as coming from the victim devices queried by the attacker. The IP address of the actual attack source will be hidden.
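The advisory's description above can be turned into a detection rule. The Python script below is an added example written for this post, not code from PLXsert or Akamai: it reads flow records, pairs SNMP responses (UDP source port 161) with the queries that should have preceded them, and flags any host that is receiving responses from several agents it never queried, which is exactly how a spoofed-source GetBulk flood looks from the target's side. The record format, the 60-second pairing window, the three-reflector threshold and the sample flows are all assumptions made for the demonstration; the sample records are constructed and use documentation address ranges.

```python
"""Spot SNMP reflection floods in flow records.

Added example; not Akamai's or PLXsert's code. Record format, thresholds and
sample addresses are assumptions made for this demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

SNMP_PORT = 161  # UDP port the reflecting agents answer from


@dataclass(frozen=True)
class Flow:
    ts: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int
    pkts: int


def parse_flow(line: str) -> Flow:
    """Parse one record: '<ts> <proto> <src>:<sport> <dst>:<dport> <bytes> <pkts>'."""
    ts, proto, src, dst, nbytes, pkts = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Flow(int(ts), proto.lower(), sip, int(sport), dip, int(dport), int(nbytes), int(pkts))


def parse_flows(text: str) -> List[Flow]:
    """Parse a block of records, skipping blank lines and '#' comments."""
    return [parse_flow(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]


def find_unsolicited_snmp(flows, min_reflectors: int = 3, window: int = 60):
    """Return {target: summary} for each host that received SNMP responses from at
    least `min_reflectors` distinct agents it had not queried within `window` seconds.
    The attacker spoofed the target's address in the GetBulk requests, so the target
    sees GetResponse traffic from agents it never spoke to."""
    queries: Dict[Tuple[str, int, str], int] = {}  # (querier, querier_port, agent) -> last query ts
    hits = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "pkts": 0, "first": None, "last": None})
    for f in sorted(flows, key=lambda f: f.ts):
        if f.proto != "udp":
            continue
        if f.dport == SNMP_PORT:            # a query leaving the monitored host
            queries[(f.src, f.sport, f.dst)] = f.ts
            continue
        if f.sport != SNMP_PORT:            # not SNMP response traffic
            continue
        asked = queries.get((f.dst, f.dport, f.src))
        if asked is not None and f.ts - asked <= window:
            continue                        # solicited: a reply to a query this host sent
        h = hits[f.dst]
        h["reflectors"].add(f.src)
        h["bytes"] += f.nbytes
        h["pkts"] += f.pkts
        h["first"] = f.ts if h["first"] is None else h["first"]
        h["last"] = f.ts
    return {t: h for t, h in hits.items() if len(h["reflectors"]) >= min_reflectors}


def observed_amplification(flows, window: int = 60) -> Dict[Tuple[str, str], float]:
    """Response bytes divided by request bytes per (querier, agent) pair whose reply
    arrived within `window` seconds: the factor an open agent hands to anyone who
    spoofs the querier's address."""
    pending: Dict[Tuple[str, int, str], Flow] = {}
    ratios: Dict[Tuple[str, str], float] = {}
    for f in sorted(flows, key=lambda f: f.ts):
        if f.proto != "udp":
            continue
        if f.dport == SNMP_PORT:
            pending[(f.src, f.sport, f.dst)] = f
        elif f.sport == SNMP_PORT:
            q = pending.get((f.dst, f.dport, f.src))
            if q is not None and f.ts - q.ts <= window:
                ratios[(f.dst, f.src)] = f.nbytes / q.nbytes
    return ratios


# Constructed sample records (documentation address ranges), not captured traffic.
SAMPLE_FLOWS = """\
# a legitimate poll from the NMS at 10.0.0.5 and the agent's reply
1700000000 udp 10.0.0.5:53217 192.0.2.10:161 90 1
1700000001 udp 192.0.2.10:161 10.0.0.5:53217 1480 1
# four agents answering GetBulk requests that 203.0.113.7 never sent
1700000010 udp 198.51.100.1:161 203.0.113.7:34567 14800 10
1700000010 udp 198.51.100.2:161 203.0.113.7:34567 15200 10
1700000011 udp 198.51.100.3:161 203.0.113.7:34567 13900 10
1700000011 udp 198.51.100.4:161 203.0.113.7:34567 14100 10
1700000012 udp 198.51.100.1:161 203.0.113.7:34567 14800 10
# a late reply to the NMS, outside the window: unsolicited, but a single source
1700000200 udp 192.0.2.10:161 10.0.0.5:53217 1480 1
"""

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for target, h in find_unsolicited_snmp(flows).items():
        print(f"{target}: {len(h['reflectors'])} reflectors, {h['bytes']} bytes, "
              f"{h['pkts']} pkts over {h['last'] - h['first']}s")
    for (querier, agent), ratio in observed_amplification(flows).items():
        print(f"{querier} -> {agent}: amplification x{ratio:.1f}")
```

Run on the sample, the script flags 203.0.113.7 (four reflectors, 72,800 bytes, 50 packets) and leaves the NMS alone, since its one late reply stays under the reflector threshold; the solicited pair shows the roughly 16x size difference between a small request and a full response. The same pairing logic, applied to flows leaving a network, finds agents answering queries that no outside host sent, which is how an operator learns their own devices are being used as reflectors. The fix on the agent side is the one the advisory implies: stop exposing SNMPv2 with the default public community string to the Internet, restrict or disable it, and filter UDP/161 at the edge.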

"The use of specific types of protocol reflection attacks such as SNMP surge from time to time," Stuart Scholly, senior vice president and general manager of Akamai's Security Business Unit, said in a statement. "Newly available SNMP reflection tools have fueled these attacks."
