Preventing SNMP Amplification Attacks
Posted by Kevin Stange, Last modified by Kevin Stange on 23 March 2015 03:00 PM
Recently, a large number of DDoS attacks have begun to make use of unsecured SNMP services running on the Internet. SNMP services have a default community (authentication name) called "public" which can be used to return some read-only monitoring statistics about a server. Exposing the "public" community puts servers at a moderate to severe risk of participating in an SNMP amplification attack and may expose information that makes them easier to attack, such as the version of Linux being used and the network configuration. The attack sends SNMP queries that produce large responses, using a forged (spoofed) source address. Because SNMP runs over UDP, the server sends its response to the forged address, so a large amount of data is delivered to a computer that never requested it. Repeated across thousands of SNMP servers, this directs a very large amount of traffic at a single IP and forms an efficient distributed attack.
You can confirm your server is affected by querying the server from the local command line, or from a separate computer's Linux or Mac command line (with the net-snmp package installed):
snmpwalk -v 2c -c public <server IP>
If the result of this command is anything other than “Timeout: No response from <server IP>”, then your server allows queries that it should not.
If you do not need SNMP at all, the simplest fix is to remove it with the command for your distribution below. If you have full management, do not remove it: our monitoring system needs SNMP, but it does not need the "public" community (see the configuration change further down).
CentOS or Red Hat (yum-based systems):
yum remove net-snmp
Debian, Ubuntu or Jumpbox:
apt-get remove snmpd
If you have full management, you should instead edit the file /etc/snmp/snmpd.conf and remove or comment (place a # before) the line that reads:
com2sec notConfigUser default public
Then restart the service so the change takes effect:
service snmpd restart
If you are using SNMP for some purpose, edit /etc/snmp/snmpd.conf so that the community "public" is no longer exposed to the Internet. Use a random string that is at least 16 characters long: on the line described above, replace the word "public" with that string, then restart snmpd as shown. If this is a switch or other network device rather than a server, disable the default "public" community on the device and change the community name if you need to monitor the switch.
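The check and the configuration change described above, as an added example that is not part of the original article: a POSIX shell script that finds active lines granting the "public" community in a net-snmp style snmpd.conf, generates a random replacement string, and rewrites the file. The script name, the sample configuration and the temporary file path are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article or its author): audit a net-snmp
# style snmpd.conf for the default "public" community and replace it
# with a random string. Paths and the sample config are constructed.

# Print every active (uncommented) line that grants the "public" community.
# Exit status 0 if at least one is found, 1 if none.
find_public_community() {
    grep -E '^[[:space:]]*(com2sec|rocommunity|rwcommunity)[[:space:]]+([^#]*[[:space:]])?public([[:space:]]|$)' "$1"
}

# 24 random alphanumeric characters (the article asks for at least 16).
# Alphanumeric only, so the value is safe to splice into the sed command.
new_community() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24
    echo
}

# Replace "public" with the new community ($2) in file $1, keeping a .bak copy.
# Note (beyond the article): "default" in a com2sec line means any source
# address; the monitoring host's IP can be put there instead to narrow access.
harden_snmpd_conf() {
    sed -E -i.bak \
        "s/^([[:space:]]*(com2sec|rocommunity|rwcommunity)[[:space:]]+([^#]*[[:space:]])?)public([[:space:]]|$)/\1$2\4/" \
        "$1"
}

# Constructed sample config containing the weak default line; prints its path.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# snmpd.conf sample, constructed for this example
com2sec notConfigUser  default       public
group   notConfigGroup v2c           notConfigUser
view    systemview    included   .1.3.6.1.2.1.1
access  notConfigGroup ""      any       noauth    exact  systemview none none
EOF
    echo "$f"
}

# Usage: sh snmp_fix.sh /etc/snmp/snmpd.conf   (then: service snmpd restart)
if [ $# -eq 1 ]; then
    if find_public_community "$1"; then
        harden_snmpd_conf "$1" "$(new_community)"
        echo "Replaced the public community in $1; restart snmpd to apply."
    else
        echo "No public community found in $1."
    fi
fi
```

After running it against the real file, re-run the snmpwalk check from above with the old "public" community; it should now time out.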
Please also note that this is not SMTP (an email service), it is SNMP (a monitoring service). Your server was not hacked by this activity, so unless you see further reports, the problem should be resolved with one of the actions indicated above.
For advice on how to adjust a server to prevent SNMP amplification, or any other questions about the topics discussed in this article, please visit our Help Desk or email us. SNMP consulting is covered under managed services.