Researchers with Akamai Technologies have witnessed a significant uptick in Simple Network Management Protocol (SNMP) reflection attacks since April 11.
SNMP is typically used in devices such as printers, routers and firewalls that can be found both in the home and enterprise environments. According to Akamai’s Prolexic Security Engineering and Response Team (PLXsert), it is the devices that support SNMP v2 are most often used in the attacks.
“Until approximately three years ago, SNMP devices were manufacturing using SNMP v2 and were commonly delivered with the SNMP protocol openly accessible to the public by default,” according to the company’s advisory. “Devices using SNMP v3 are more secure. To stop these older devices from participating in attacks, network administrators need to check for the presence of this protocol and turn off public access.”
Since April 11, the researchers have observed 14 distributed denial-of-service (DDoS) campaigns that have made use of SNMP amplified reflection attacks. The attacks targeted a number of different industries, including gaming, hosting companies and non-profits. The main source countries have been the United States and China.
“The use of specific types of protocol reflection attacks such as SNMP surge from time to time,” said Stuart Scholly, senior vice president and general manager for the Security Business Unit at Akamai, in a statement. “Newly available SNMP reflection tools have fueled these attacks.”
According to Akamai, attackers appear to be using the tools to automate GetBulk requests. Through the use of GetBulk requests against SNMP v2, attackers can cause a large number of networked devices to send their stored data all at once to a target and overwhelm its resources. This kind of DDoS attack, called a distributed reflection and amplification (DrDoS) attack, allows attackers to use a relatively small amount of their own resources to create a massive amount of malicious traffic, according to the company.
“Network administrators are encouraged to search for and secure SNMP v.2 devices,” added Scholly. “The Internet community has been active in blacklisting the devices involved in recent DDoS attacks, but we also need network administrators to take the remediation steps described in the threat advisory. Network administrators can help prevent more devices from being found and used by malicious actors.”
The advisory can be downloaded here.
