DDoS Attack Threats | SNMP Reflection Threat Advisory | Akamai Presentation - PowerPoint PPT Presentation

Many older SNMP devices have the ability to take public queries from the Internet enabled by default, allowing malicious actors to launch reflected DDoS attacks by directing SNMP messages at a chosen target. To stop these devices from participating in attacks, network administrators need to manually check for the presence of this protocol and turn off public access. Find out more about this DDoS threat in the full Akamai SNMP Threat Advisory.

Number of Views:94
Slides: 11
Provided by: prolexickg
Category: Other
Tags: ddos | ddos_attack


Transcript and Presenter's Notes

SNMP Reflection DDoS Attacks
  • Highlights from a Prolexic DDoS Threat Advisory

SNMP Attacks on the Rise
  • Since April 11, 2014, Prolexic has observed a
    marked resurgence in the use of Simple Network
    Management Protocol (SNMP) reflection attacks
  • SNMP is a commonly-used protocol in many devices
    for the home and office
  • SNMP devices like printers, routers, servers,
    modems, and desktops can provide DDoS reflection
    and amplification for attackers

  • Although the latest version is more secure,
    devices more than about three years old use SNMP
    v2, which is openly accessible to public request
    by default
  • Protocol-based attacks rise and fall in
    popularity; right now, new SNMP reflection tools
    in the underground are driving a surge in
    popularity of this attack

SNMP Attack Statistics
SNMP Attacks in 2014
  • 14 DDoS campaigns using the protocol have been
    observed since April 11, 2014
  • As devices are discovered to be participating in
    attacks, their IP addresses are blacklisted by
    the Internet community, leading to smaller attack
  • However, malicious actors will continue to
    identify additional devices vulnerable to SNMP
  • The remaining vulnerable servers are continuing
    to make this attack dangerous

How SNMP Attacks Work
  • GetBulk: dumps many values stored on the device
  • IP addresses on a router, what kind of toner is
    in the printer, or similar data
  • The tool sends GetBulk requests to vulnerable
    SNMP-enabled devices, pretending to be the target
  • The device then sends the GetBulk information to
    the target

How SNMP Attacks Work (continued)
  • The resulting response can be greatly amplified
  • In one real attack, a single 37-byte request
    packet generated a 64,000-byte response split
    across 44 packets
  • This is an amplification factor of more than
    1,700 times
  • Any device configured to listen to SNMP v2
    requests could become a reflector in such an
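
The reflection pattern described on the two slides above, seen from the reflector's side, as an added example that is not part of the original presentation or the advisory. The flow-record layout, the management network, the ratio threshold and all addresses are assumptions constructed for illustration; only the 37-byte request and 64,000-byte, 44-packet response come from the slide.

```python
"""Flag SNMP devices on our network that send amplified replies to outside addresses."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

SNMP_PORT = 161
MGMT_NETS = [ip_network("10.0.50.0/24")]  # assumption: only these hosts should poll SNMP
RATIO_THRESHOLD = 10.0  # assumption: legitimate polling stays well below this ratio

# Constructed UDP flow records: (src_ip, src_port, dst_ip, dst_port, packets, bytes).
# The 198.51.100.9 pair uses the sizes quoted on the slide.
FLOWS = [
    ("10.0.50.7", 40112, "10.0.20.15", 161, 1, 82),       # management poll
    ("10.0.20.15", 161, "10.0.50.7", 40112, 1, 131),
    ("198.51.100.9", 53211, "10.0.20.31", 161, 1, 37),    # GetBulk with spoofed source
    ("10.0.20.31", 161, "198.51.100.9", 53211, 44, 64000),
    ("10.0.20.31", 161, "203.0.113.4", 80, 12, 17000),    # request lost to flow sampling
]

def is_mgmt(ip):
    """True if ip belongs to a network allowed to poll SNMP."""
    return any(ip_address(ip) in net for net in MGMT_NETS)

def find_reflection(flows, threshold=RATIO_THRESHOLD):
    """Return one finding per (device, remote) pair whose SNMP replies to a
    non-management address are amplified or have no matching request."""
    req = defaultdict(int)  # bytes sent to device:161, keyed (device, remote)
    rsp = defaultdict(int)  # bytes sent from device:161, keyed (device, remote)
    for src, sport, dst, dport, _pkts, nbytes in flows:
        if dport == SNMP_PORT:
            req[(dst, src)] += nbytes
        elif sport == SNMP_PORT:
            rsp[(src, dst)] += nbytes
    findings = []
    for (device, remote), out_bytes in sorted(rsp.items()):
        if is_mgmt(remote):
            continue
        in_bytes = req.get((device, remote), 0)
        # 'remote' is where the replies land: in a reflection attack, the victim.
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if ratio >= threshold:
            findings.append({"device": device, "remote": remote,
                             "request_bytes": in_bytes, "response_bytes": out_bytes,
                             "amplification": ratio})
    return findings

if __name__ == "__main__":
    for finding in find_reflection(FLOWS):
        print(finding)
```

A device that appears in the findings is answering SNMP from outside the management network and is a candidate for the access restrictions listed on the next slide.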

Don't Be Part of an Attack: Configure Your SNMP
Devices Properly
  • It is essential that network administrators help
    take down vulnerable devices
  • Scan for devices on your network that have the
    default public community string and limit public
  • Devices such as printers shouldn't be open to the
  • When possible, use SNMP v3

Threat Advisory NTP AMP DDoS toolkit
  • Download the threat advisory, Threat Advisory:
    SNMP Reflection DDoS Attacks
  • This DDoS threat advisory includes:
  • How to identify an attack from the SNMP
    Reflector DDoS tool
  • Analysis of the source code
  • Payload analysis
  • IDS Snort rule and attack signatures
  • Remediation instructions for owners of devices
    that support the SNMP v2 protocol

About Prolexic (now part of Akamai)
  • We have successfully stopped DDoS attacks for
    more than a decade
  • Our global DDoS mitigation network and 24/7
    security operations center (SOC) can stop even
    the largest attacks that exceed the capabilities
    of other DDoS mitigation service providers