New Wave DDoS Attacks

Monday, September 22, 2014 @ 09:09 AM gHale

The next distributed denial of service (DDoS) attack vector to worry about is SNMP (Simple Network Management Protocol) amplification attacks, researchers said.

That warning came from the SANS Internet Storm Center (ISC), which reported SNMP scans spoofed to appear as if they came from Google’s public recursive DNS server. The scans were searching for routers and other Internet-exposed devices that support the protocol and could be used to reflect DDoS traffic.


“We are receiving some reports about SNMP scans that claim to originate from (Google’s public recursive DNS server),” said Johannes Ullrich, dean of research of the SANS Technology Institute and head of the Internet Storm Center in a post. “This is likely part of an attempt to launch a DDoS against Google by using SNMP as an amplifier/reflector.”

Simple Network Management Protocol (SNMP) is a UDP-based protocol designed to allow monitoring of network-attached devices by querying information about their configuration. SNMP-enabled devices are found in both home and business environments, typically printers, switches, firewalls and routers.

The ISC is investigating the magnitude of the SNMP attacks, and has discovered a few packets that targeted default SNMP passwords.

The attack uses the default “read-write” community string, “private.” The SNMP command is actually a “set” command that uses this default string as a password, and “private” is a common default password, Ullrich said.

If the attack is successful, it tries to modify configuration variables on the affected device.

Ullrich will continue his research, but he did say systems administrators should look for packets whose source IP is Google’s public recursive DNS server and whose target is UDP port 161.
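The following is an added example for this page, not code from the ISC post or from Ullrich’s research. It shows the check a defender would run over captured UDP traffic: a minimal BER parser that pulls the version, community string and PDU type out of an SNMPv1/v2c datagram, and an audit that flags packets to UDP port 161 which come from the claimed-spoofed source, use a default community string such as “private”, or carry a SetRequest (a write). The source address 192.0.2.8 is a placeholder standing in for the resolver address the article refers to but does not print, and the sample datagrams are constructed here, not captured traffic.

```python
"""Minimal SNMPv1 BER parser plus an audit for the SNMP reflection pattern above."""

PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}
DEFAULT_COMMUNITIES = {"public", "private"}
SNMP_PORT = 161

# Assumption: RFC 5737 documentation address used as a placeholder for the
# spoofed resolver address the article mentions but does not print.
SPOOFED_SRC = "192.0.2.8"


def _read_tlv(buf: bytes, pos: int):
    """Read one BER tag/length/value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length (1..4 length bytes)
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:end], end


def parse_snmp_v1(packet: bytes) -> dict:
    """Extract version, community string and PDU type from an SNMPv1/v2c datagram."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    tag, community, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    pdu_tag, _, _ = _read_tlv(body, pos)
    return {
        "version": int.from_bytes(ver, "big"),          # 0 = SNMPv1, 1 = SNMPv2c
        "community": community.decode("ascii", "replace"),
        "pdu": PDU_TYPES.get(pdu_tag, f"unknown(0x{pdu_tag:02x})"),
    }


def audit_packets(records, spoofed_src: str) -> list:
    """Flag UDP/161 datagrams matching the reflection / default-credential pattern.

    records: iterable of (src_ip, dst_ip, dst_port, payload_bytes), e.g. from a capture.
    """
    alerts = []
    for src, dst, dport, payload in records:
        if dport != SNMP_PORT:
            continue
        try:
            info = parse_snmp_v1(payload)
        except ValueError:
            continue                       # not SNMP or malformed; out of scope here
        reasons = []
        if src == spoofed_src:
            reasons.append("source claims to be the reflection victim's address")
        if info["community"] in DEFAULT_COMMUNITIES:
            reasons.append(f"default community string {info['community']!r}")
        if info["pdu"] == "SetRequest":
            reasons.append("SetRequest: attempt to write configuration")
        if reasons:
            alerts.append({"src": src, "dst": dst, **info, "reasons": reasons})
    return alerts


# --- constructed sample traffic (not captured data) ---------------------------
def _ber(tag: int, body: bytes) -> bytes:
    """Encode one BER TLV; used only to build the sample datagrams below."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_snmp_v1(community: str, pdu_tag: int, varbinds: bytes = b"") -> bytes:
    # request-id=1, error-status=0, error-index=0, then the varbind list
    pdu = (_ber(0x02, b"\x01") + _ber(0x02, b"\x00") + _ber(0x02, b"\x00")
           + _ber(0x30, varbinds))
    return _ber(0x30, _ber(0x02, b"\x00") + _ber(0x04, community.encode())
                + _ber(pdu_tag, pdu))


SYS_CONTACT = _ber(0x06, bytes([0x2B, 6, 1, 2, 1, 1, 4, 0]))   # OID 1.3.6.1.2.1.1.4.0
SAMPLE_SET = build_snmp_v1("private", 0xA3, _ber(0x30, SYS_CONTACT + _ber(0x04, b"x")))
SAMPLE_GET = build_snmp_v1("n3tm0n-r0", 0xA0, _ber(0x30, SYS_CONTACT + b"\x05\x00"))
SAMPLE_RECORDS = [
    (SPOOFED_SRC, "198.51.100.7", 161, SAMPLE_SET),      # the pattern from the article
    ("198.51.100.2", "198.51.100.7", 161, SAMPLE_GET),    # legitimate internal poll
    ("198.51.100.2", "198.51.100.7", 53, b"\x00"),        # unrelated UDP, ignored
]

if __name__ == "__main__":
    for alert in audit_packets(SAMPLE_RECORDS, SPOOFED_SRC):
        print(alert)
```

Running the block prints one alert for the constructed SetRequest (spoofed source, “private” community, write attempt) and nothing for the internal poll with a non-default community. The parser deliberately stops after the PDU tag: the PDU type and community string are enough to triage the pattern the ISC described, and SNMPv3 messages (version 3, a different layout) fall through as “unknown” rather than being misread.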

Previous large-scale DDoS attacks have used misconfigured DNS (Domain Name System) and NTP (Network Time Protocol) servers for amplification or reflection, in order to multiply the traffic hitting the targeted victim.
