Re: [Full-Disclosure] SNMP Broadcasts

From: Mohit Muthanna (
Date: 07/14/04

  • Next message: Thierry Carrez: "[ GLSA 200407-11 ] wv: Buffer overflow vulnerability"
    To: BillyBob <>
    Date: Wed, 14 Jul 2004 10:08:04 -0400

    > > Subject: [Full-Disclosure] SNMPBroadcasts
    > SNMP doesn't "broadcast"

    Sure it does. Most older "default" SNMP devices broadcast traps. This
    is so that any SNMP manager on the network can collect the traps for a
    specified SNMP community. This is also so that the SNMP enabled device
    can just be placed on the network and managed without any special

    Newer SNMP agents let you specify a management host to send traps to.

    > > For the past 12 hours my external IP has been bombarded with SNMP
    > "Bombarded"? Below you state it was only "several per second". Are you
    > on a dial connection?
    > > Broadcasts, I have sent complaints to my ISP and the ISP of the originating
    > > IP.
    > And both are likely laughing their asses off right about now.

    Why? Depending on how the service provider configures the network and
    assigns IP addresses to customers, the switch can easily forward
    broadcast packets to all hosts on the subnetwork. This includes
    Windows LM broadcasts, SNMP broadcasts, or just any packet destined to
    a broadcast address. Have you noticed that for certain service
    providers, you can browse the windows/samba shares on your neighbours

    > > The attacking IP must have some sort of worm or automated script to go
    > > through all the port numbers as his remote port starts at 60001 and goes up
    > > to 64087 but it hits my local ports 1-highest port # (65535) if I let my
    > > logs record that much.

    You're (BillyBob) being port scanned. Not much you can do to stop the
    portscans. All you can do is be invisible to it. It's most likely a
    trojaned machine searching for more victims. Make sure you're behind a
    cable/dsl router (or have a good firewall in place) (or both). Keep up
    with all your software and firmware patches.

    Note that some ISPs deliberately port-scan customer machines to search
    for webservers, mailservers etc.

    > SNMP goes to ports 161 and 162, *only*.

    No... those are just the default ports for the stock agents. Sysedge
    (for example) uses 1691 for Get/Set requests.

    > > Could this be some kind of SNMP DoS as I get several/second ?

    I'll tell you what it could (likely) be:

    - An unconfigured SNMP agent on the network (on a Linux or Windows box maybe).
    - A cable/dsl router on the subnet that's spewing SNMP traps (I've
    seen this a lot).
    - Your service provider's actual switch is misconfigured.

    I haven't heard of SNMP DoS's but hey... anything's possible.

    > I know I shouldn't be asking this, but... Do you know how to use
    > Ethereal?

    Good Call. It'll answer most of your questions.

    Mohit Muthanna, CISSP [mohit (at) muthanna (uhuh) com]
    "There are 10 types of people. Those who understand binary, and those
    who don't."
    Full-Disclosure - We believe in it.
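The reply above distinguishes two things that look alike in a firewall log: a host sweeping every local port from a climbing source port, and SNMP traps sprayed at the subnet broadcast address by an unconfigured agent or a misbehaving router. The script below is an added example, not code from the thread or from any participant; it triages constructed log lines in an invented `<ts> <proto> <src>:<sport> -> <dst>:<dport>` format, with all addresses and the customer subnet made up for illustration. The SNMP port set includes 1691 only because the thread names it as the SysEDGE port.

```python
"""Triage per-packet firewall log lines: separate a port sweep from SNMP
trap broadcasts and from unicast SNMP requests.  Added example; the log
format, addresses and subnet are constructed, not taken from the thread."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed log format: "<date> <time> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# 161/162 are the stock agent ports; 1691 is the SysEDGE port named in the thread.
SNMP_PORTS = {161, 162, 1691}
# Distinct destination ports seen from one source before we call it a sweep (assumption).
SCAN_PORT_THRESHOLD = 50
# Assumed customer subnet (constructed); its broadcast address is what a trap-spraying agent hits.
LOCAL_NET = ip_network("192.0.2.0/24")


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_broadcast(dst):
    """True for the subnet-directed or limited broadcast address."""
    return ip_address(dst) == LOCAL_NET.broadcast_address or dst == "255.255.255.255"


def triage(lines):
    """Bucket sources into port sweeps, broadcast SNMP traps and unicast SNMP."""
    ports_by_src = defaultdict(set)
    snmp_broadcast_by_src = defaultdict(int)
    snmp_unicast_by_src = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == "udp" and rec["dport"] in SNMP_PORTS:
            if is_broadcast(rec["dst"]):
                # A trap aimed at the whole subnet is noise from a neighbour, not a probe of us.
                snmp_broadcast_by_src[rec["src"]] += 1
                continue
            snmp_unicast_by_src[rec["src"]] += 1
        ports_by_src[rec["src"]].add(rec["dport"])
    sweeps = {src: len(p) for src, p in ports_by_src.items() if len(p) >= SCAN_PORT_THRESHOLD}
    return {
        "port_sweeps": sweeps,
        "snmp_broadcast_traps": dict(snmp_broadcast_by_src),
        "snmp_unicast": dict(snmp_unicast_by_src),
    }


def sample_lines():
    """Constructed log: one sweeper with a climbing source port, one trap sprayer, one unicast poll."""
    lines = []
    # Sweeper: source port starts at 60001 and climbs while local ports 1..100 are walked.
    for i in range(100):
        lines.append(f"2004-07-14 10:08:{i % 60:02d} tcp 203.0.113.5:{60001 + i} -> 192.0.2.10:{i + 1}")
    # Neighbour's unconfigured agent spraying traps at the subnet broadcast address.
    for i in range(5):
        lines.append(f"2004-07-14 10:09:{i:02d} udp 192.0.2.1:50000 -> 192.0.2.255:162")
    # A single unicast SNMP request from outside the subnet.
    lines.append("2004-07-14 10:10:00 udp 198.51.100.7:4000 -> 192.0.2.10:161")
    lines.append("this line is garbage and is skipped")
    return lines


if __name__ == "__main__":
    for bucket, hits in triage(sample_lines()).items():
        print(bucket, hits)
```

Running it on the constructed log reports the sweeper under `port_sweeps` with 100 distinct ports, the neighbour's agent under `snmp_broadcast_traps`, and the external poller under `snmp_unicast`; the last bucket is the one worth acting on, since a unicast request to 161 from off-subnet means a host is deliberately querying the agent rather than a router spraying the segment.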
