Re: [Full-Disclosure] SNMP Broadcasts
From: Mohit Muthanna (mohit.muthanna_at_gmail.com)
To: BillyBob <firstname.lastname@example.org>
Date: Wed, 14 Jul 2004 10:08:04 -0400
> > Subject: [Full-Disclosure] SNMP Broadcasts
> SNMP doesn't "broadcast"
Sure it does. Most older "default" SNMP devices broadcast traps. This
is so that any SNMP manager on the network can collect the traps for a
specified SNMP community. This is also so that the SNMP enabled device
can just be placed on the network and managed without any special
Newer SNMP agents let you specify a management host to send traps to.
> > For the past 12 hours my external IP has been bombarded with SNMP
> "Bombarded"? Below you state it was only "several per second". Are you
> on a dial connection?
> > Broadcasts, I have sent complaints to my ISP and the ISP of the originating
> > IP.
> And both are likely laughing their asses off right about now.
Why? Depending on how the service provider configures the network and
assigns IP addresses to customers, the switch can easily forward
broadcast packets to all hosts on the subnetwork. This includes
Windows LM broadcasts, SNMP broadcasts, or just any packet destined to
a broadcast address. Have you noticed that for certain service
providers, you can browse the windows/samba shares on your neighbours
> > The attacking IP must have some sort of worm or automated script to go
> > through all the port numbers as his remote port starts at 60001 and goes up
> > to 64087 but it hits my local ports 1-highest port # (65535) if I let my
> > logs record that much.
You're (BillyBob) being port scanned. Not much you can do to stop the
portscans. All you can do is be invisible to it. It's most likely a
trojaned machine searching for more victims. Make sure you're behind a
cable/dsl router (or have a good firewall in place) (or both). Keep up
with all your software and firmware patches.
Note that some ISPs deliberately port-scan customer machines to search
for webservers, mailservers etc.
> SNMP goes to ports 161 and 162, *only*.
No... those are just the default ports for the stock agents. Sysedge
(for example) uses 1691 for Get/Set requests.
> > Could this be some kind of SNMP DoS as I get several/second ?
I'll tell you what it could (likely) be:
- An unconfigured SNMP agent on the network (on a Linux or Windows box maybe).
- A cable/dsl router on the subnet that's spewing SNMP traps (I've
seen this a lot).
- Your service provider's actual switch is misconfigured.
I haven't heard of SNMP DoSes but hey... anything's possible.
> I know I shouldn't be asking this, but... Do you know how to use
Good Call. It'll answer most of your questions.
--
Mohit Muthanna, CISSP [mohit (at) muthanna (uhuh) com]
"There are 10 types of people. Those who understand binary, and those who don't."
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
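As an added example (not part of the thread or anyone's posted code), a small Python script that sorts constructed firewall log lines the way this reply sorts the symptoms: SNMP traps (UDP/162) sent to a broadcast address on one side, and a single host sweeping many local ports from a rising ephemeral port on the other. The log format, the 10.0.1.0/24 subnet, the addresses and the scan threshold are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed local subnet (hypothetical); its directed broadcast is 10.0.1.255.
LOCAL_NET = ipaddress.ip_network("10.0.1.0/24")

# Constructed sample log lines in a hypothetical "proto src -> dst" format:
# one device trapping to broadcast, plus one host walking ports 1..40 from
# source ports 60001 upward (the pattern BillyBob describes).
SAMPLE_LOG = [
    "2004-07-14 09:58:01 UDP 10.0.1.9:162 -> 10.0.1.255:162",
    "2004-07-14 09:58:03 UDP 10.0.1.9:162 -> 255.255.255.255:162",
    "2004-07-14 09:58:04 UDP 10.0.1.9:162 -> 10.0.1.42:162",
] + [
    f"2004-07-14 09:58:{5 + i // 10:02d} TCP 10.0.1.77:{60001 + i} -> 10.0.1.42:{1 + i}"
    for i in range(40)
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def is_broadcast(dst, local_net=LOCAL_NET):
    """True for the limited broadcast or the local subnet's directed broadcast."""
    addr = ipaddress.ip_address(dst)
    return addr == ipaddress.ip_address("255.255.255.255") or addr == local_net.broadcast_address

def classify(lines, local_net=LOCAL_NET, scan_threshold=20):
    """Count SNMP traps (UDP/162) sent to a broadcast address per source, and
    flag sources that touched at least scan_threshold distinct local ports."""
    trap_sources = defaultdict(int)
    ports_by_src = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in an unexpected format rather than crash
        if rec["proto"] == "UDP" and rec["dport"] == 162 and is_broadcast(rec["dst"], local_net):
            trap_sources[rec["src"]] += 1
        else:
            ports_by_src[rec["src"]].add(rec["dport"])
    scanners = sorted(s for s, p in ports_by_src.items() if len(p) >= scan_threshold)
    return {"broadcast_traps": dict(trap_sources), "port_scanners": scanners}

def analyze_sample():
    """Run the classifier over the constructed sample."""
    return classify(SAMPLE_LOG)

if __name__ == "__main__":
    print(analyze_sample())
```

On the sample this reports 10.0.1.9 as the source of two broadcast traps and 10.0.1.77 as the port scanner; the unicast trap to 10.0.1.42 is deliberately not counted as a broadcast.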