DDoS Attack Threats | SNMP Reflection Threat Advisory | Akamai Presentation

Published on March 2017

SNMP Reflection DDoS Attacks
Highlights from a Prolexic DDoS Threat Advisory
©2014 AKAMAI | FASTER FORWARD™

SNMP Attacks on the Rise
• Since April 11, 2014, Prolexic has observed a marked
resurgence in the use of Simple Network Management
Protocol (SNMP) reflection attacks
• SNMP is a commonly used protocol in many devices for
the home and office
• SNMP devices like printers, routers, servers, modems,
and desktops can provide DDoS reflection and
amplification for attackers

Why SNMP?
• Although the latest version is more secure,
devices more than about three years old use
SNMP v2, which is openly accessible to public
request by default
• Protocol-based attacks rise and fall in popularity;
right now new SNMP reflection tools in the
underground are driving a surge in popularity of
this attack

SNMP Attack Statistics
SNMP Attacks in 2014
• 14 DDoS campaigns using the protocol have been
observed since April 11, 2014
• As devices are discovered to be participating in
attacks, their IP addresses are blacklisted by the
Internet community, leading to smaller attack sizes
• However, malicious actors will continue to identify
additional devices vulnerable to SNMP reflection
• The remaining vulnerable servers are continuing to
make this attack dangerous

How SNMP Attacks Work
• GetBulk: Dumps many values stored on the device, such as
IP addresses on a router, what kind of toner is in
the printer, or similar data
• The tool sends GetBulk requests to vulnerable
SNMP-enabled devices, pretending to be the target
• The device then sends the GetBulk information to the
target

How SNMP Attacks Work (continued)
• The resulting response can be greatly
amplified
• In one real attack, a single 37-byte request packet
generated a 64,000-byte response split across 44
packets
• This is an amplification factor of more than 1,700
times
• Any device configured to listen to SNMP v2
requests could become a reflector in such an
attack

Don’t Be Part of an Attack: Configure Your SNMP
Devices Properly
• It is essential that network administrators help take
down vulnerable devices
• Scan for devices on your network that have the
default public community string and limit public
access
• Devices such as printers shouldn’t be open to the
Internet
• When possible, use SNMP v3
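
One way to check whether devices on your own network are already answering as reflectors, as an added example that is not part of the Prolexic advisory: it compares SNMP request and response volume per device and remote address in flow records. The flow tuple layout, the `find_reflectors` name, the 10x threshold and the documentation-range addresses are assumptions; the 37-byte and 64,000-byte figures are the ones quoted in the slides.

```python
import ipaddress
from collections import defaultdict

SNMP_PORT = 161

# Constructed flow records (not real traffic):
# (src_ip, src_port, dst_ip, dst_port, protocol, bytes, packets)
SAMPLE_FLOWS = [
    # Request that appears to come from the victim (spoofed source) and the
    # reflected reply; sizes are the ones quoted in the slides.
    ("203.0.113.50", 40000, "192.0.2.10", 161, "udp", 37, 1),
    ("192.0.2.10", 161, "203.0.113.50", 40000, "udp", 64000, 44),
    # Ordinary poll from an outside monitoring host: small reply.
    ("198.51.100.7", 51000, "192.0.2.20", 161, "udp", 80, 1),
    ("192.0.2.20", 161, "198.51.100.7", 51000, "udp", 120, 1),
    # Internal management station polling a printer: never leaves the network.
    ("192.0.2.5", 52000, "192.0.2.30", 161, "udp", 40, 1),
    ("192.0.2.30", 161, "192.0.2.5", 52000, "udp", 30000, 21),
]

def find_reflectors(flows, internal_cidr, min_factor=10.0):
    """Return [(device, remote, bytes_in, bytes_out, factor)] for internal
    SNMP responders whose replies to outside addresses dwarf the requests."""
    net = ipaddress.ip_network(internal_cidr)
    inside = lambda ip: ipaddress.ip_address(ip) in net
    req = defaultdict(int)   # (device, remote) -> request bytes received
    rsp = defaultdict(int)   # (device, remote) -> response bytes sent
    for src, sport, dst, dport, proto, nbytes, _pkts in flows:
        if proto != "udp":
            continue
        if dport == SNMP_PORT and inside(dst) and not inside(src):
            req[(dst, src)] += nbytes
        elif sport == SNMP_PORT and inside(src) and not inside(dst):
            rsp[(src, dst)] += nbytes
    findings = []
    for key, bytes_out in rsp.items():
        bytes_in = req.get(key, 0)
        # No matching request seen: count one byte in to avoid dividing by zero.
        factor = bytes_out / max(bytes_in, 1)
        if factor >= min_factor:
            findings.append((key[0], key[1], bytes_in, bytes_out, round(factor, 1)))
    return sorted(findings, key=lambda f: -f[4])

if __name__ == "__main__":
    for device, remote, b_in, b_out, factor in find_reflectors(SAMPLE_FLOWS, "192.0.2.0/24"):
        print(f"{device} sent {b_out} B to {remote} for {b_in} B of requests ({factor}x)")
```

Any device this reports is reachable on UDP 161 from outside and is a candidate for the access restrictions listed above.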

Threat Advisory: NTP – AMP DDoS toolkit
• Download the threat advisory, Threat Advisory:
SNMP Reflection DDoS Attacks
• This DDoS threat advisory includes:
• How to identify an attack from the SNMP Reflector
DDoS tool
• Analysis of the source code
• Payload analysis
• IDS Snort rule and attack signatures
• Remediation instructions for owners of devices that
support the SNMP v2 protocol


About Prolexic (now part of Akamai)
• We have successfully stopped DDoS attacks for more
than a decade
• Our global DDoS mitigation network and 24/7 security
operations center (SOC) can stop even the largest
attacks that exceed the capabilities of other DDoS
mitigation service providers
