SNMP DDoS Scans Spoof Google Public DNS Server
The SANS Internet Storm Center this afternoon reported SNMP scans spoofed from Google’s public recursive DNS server seeking to overwhelm vulnerable routers and other devices that support the protocol with DDoS traffic.
“The traffic is spoofed, and claims to come from Google’s DNS server. The attack is however not an attack against Google. It is likely an attack against misconfigured gateways,” said Johannes Ullrich, dean of research of the SANS Technology Institute and head of the Internet Storm Center.
Ullrich said the ISC is still investigating the scale of the possible attacks, but said the few packets that have been submitted target default passwords used by SNMP. In an update posted last night, Ullrich said the scans are sequential, indicating someone is conducting an Internet-wide scan looking for vulnerable routers and devices that accept certain SNMP commands.
“The attack uses the default ‘read/write’ community string of ‘private.’ SNMP uses this string as a password, and ‘private’ is a common default,” Ullrich said. “For read-only access, the common default is ‘public.’”
Ullrich explained that the attack tries to change configuration variables in the affected device, the TTL or Time To Live variable to 1 which he said prevents any future traffic leaving the gateway, and it also sets the Forwarding variable to 2, which shuts it off. Vulnerable configurations, Ullrich said, are likely not common.
“If this works, it would amount to a [DDoS] against the network used by the vulnerable router,” Ullrich said. “This could also just be a troll checking ‘what is happening if I send this?’”
Large-scale DDoS attacks rely on amplification or reflection techniques to amp up the amount of traffic directed at a target. DNS reflection attacks are a time-tested means of taking down networks with hackers taking advantage of the millions of open DNS resolvers on the Internet to get up to 100 to 1 amplification rates for every byte sent out. Earlier this year, home routers were targeted in DNS-based amplification attacks; more than five million were used during February alone as the starting point for DDoS attacks.
Also earlier this year, hackers found a soft spot in Network Time Protocol (NTP) servers that synch time for servers across the Internet. NTP-based DDoS attacks, some reaching 400 Gbps, were keeping critical services offline. However, a concerted patching effort has kept these attacks at bay and in June, NSFocus reported that of the 430,000 vulnerable NTP servers found in February, all but 17,000 had been patched.
Experts, however, warned that SNMP-based DDoS attacks could be the next major area of concern. Matthew Prince, CEO of CloudFlare, said in February that SNMP attacks could dwarf DNS and NTP.
“If you think NTP is bad, just wait for what’s next. SNMP has a theoretical 650x amplification factor,” Prince said. “We’ve already begun to see evidence attackers have begun to experiment with using it as a DDoS vector. Buckle up.”
SANS’ Ullrich, meanwhile, said he’s continuing to research this attack, and admins should be on the lookout for packets from the source IP 220.127.116.11, which is Google’s DNS server, with a target UDP port of 161.
“Just like other UDP based protocols (DNS and NTP), SNMP has some queries that lead to large responses and it can be used as an amplifier that way,” Ullrich said.