Re: [Full-Disclosure] SNMP Broadcasts

From: Mohit Muthanna (mohit.muthanna_at_gmail.com)
Date: 07/14/04

  • Next message: Thierry Carrez: "[ GLSA 200407-11 ] wv: Buffer overflow vulnerability"
    To: BillyBob <billybobknob@hotmail.com>
    Date: Wed, 14 Jul 2004 10:08:04 -0400
    
    

    > > Subject: [Full-Disclosure] SNMP Broadcasts
    >
    > SNMP doesn't "broadcast"

    Sure it does. Most older "default" SNMP devices broadcast traps. This
    is so that any SNMP manager on the network can collect the traps for a
    specified SNMP community. This is also so that the SNMP enabled device
    can just be placed on the network and managed without any special
    configuration.

    Newer SNMP agents let you specify a management host to send traps to.

    > > For the past 12 hours my external IP has been bombarded with SNMP
    >
    > "Bombarded"? Below you state it was only "several per second". Are you
    > on a dial connection?
    >
    > > Broadcasts, I have sent complaints to my ISP and the ISP of the originating
    > > IP.
    >
    > And both are likely laughing their asses off right about now.

    Why? Depending on how the service provider configures the network and
    assigns IP addresses to customers, the switch can easily forward
    broadcast packets to all hosts on the subnetwork. This includes
    Windows LM broadcasts, SNMP broadcasts, or just any packet destined to
    a broadcast address. Have you noticed that for certain service
    providers, you can browse the Windows/Samba shares on your neighbour's
    machine?

    >
    > > The attacking IP must have some sort of worm or automated script to go
    > > through all the port numbers as his remote port starts at 60001 and goes up
    > > to 64087 but it hits my local ports 1-highest port # (65535) if I let my
    > > logs record that much.

    You're (BillyBob) being port scanned. Not much you can do to stop the
    portscans. All you can do is be invisible to it. It's most likely a
    trojaned machine searching for more victims. Make sure you're behind a
    cable/dsl router (or have a good firewall in place) (or both). Keep up
    with all your software and firmware patches.

    Note that some ISPs deliberately port-scan customer machines to search
    for webservers, mailservers etc.

    > SNMP goes to ports 161 and 162, *only*.

    No... those are just the default ports for the stock agents. Sysedge
    (for example) uses 1691 for Get/Set requests.

    > > Could this be some kind of SNMP DoS as I get several/second ?

    I'll tell you what it could (likely) be:

    - An unconfigured SNMP agent on the network (on a Linux or Windows box maybe).
    - A cable/dsl router on the subnet that's spewing SNMP traps (I've seen this a lot).
    - Your service provider's actual switch is misconfigured.

    I haven't heard of SNMP DoSes but hey... anything's possible.

    > I know I shouldn't be asking this, but... Do you know how to use
    > Ethereal?

    Good Call. It'll answer most of your questions.

    --
    Mohit Muthanna, CISSP [mohit (at) muthanna (uhuh) com]
    "There are 10 types of people. Those who understand binary, and those
    who don't."
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
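The thread separates two things BillyBob's firewall log mixes together: SNMP trap broadcasts (UDP to a broadcast address, default port 162, same source and port over and over) and a port scan (one remote host walking the local port range from sequential source ports). The following is an added example, not code from the thread or from any of the people in it, that applies that distinction to firewall log lines. The log format, the sample lines, the local subnet (198.51.100.0/24) and the scan threshold are all constructed assumptions for the illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the thread). Assumed format:
# "<time> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
10:08:01 UDP 10.0.0.7:1025 -> 255.255.255.255:162
10:08:02 UDP 10.0.0.7:1025 -> 255.255.255.255:162
10:08:03 UDP 10.0.0.7:1025 -> 198.51.100.255:162
10:08:03 TCP 203.0.113.9:60001 -> 198.51.100.4:1
10:08:03 TCP 203.0.113.9:60002 -> 198.51.100.4:2
10:08:03 TCP 203.0.113.9:60003 -> 198.51.100.4:3
10:08:04 TCP 203.0.113.9:60004 -> 198.51.100.4:4
10:08:04 TCP 203.0.113.9:60005 -> 198.51.100.4:5
10:08:04 TCP 198.51.100.22:3421 -> 198.51.100.4:80
"""

# Assumed local subnet, used to recognise the directed broadcast address.
LOCAL_NET = ipaddress.ip_network("198.51.100.0/24")
SNMP_TRAP_PORT = 162

LINE_RE = re.compile(r"^\S+\s+(\w+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")


def parse_log(text):
    """Parse log lines into (proto, src, sport, dst, dport) tuples; skip junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proto, src, sport, dst, dport = m.groups()
        events.append((proto.upper(), src, int(sport), dst, int(dport)))
    return events


def is_broadcast(dst):
    """Limited broadcast (255.255.255.255) or the directed broadcast of LOCAL_NET."""
    addr = ipaddress.ip_address(dst)
    return addr == ipaddress.ip_address("255.255.255.255") or addr == LOCAL_NET.broadcast_address


def summarize(events):
    """Per source: count of trap broadcasts and the set of destination ports touched."""
    trap_hits = defaultdict(int)
    dst_ports = defaultdict(set)
    for proto, src, _sport, dst, dport in events:
        if proto == "UDP" and dport == SNMP_TRAP_PORT and is_broadcast(dst):
            trap_hits[src] += 1
        dst_ports[src].add(dport)
    return trap_hits, dst_ports


def classify(events, scan_threshold=5):
    """Label each source: 'snmp-trap-broadcast', 'port-scan' (>= scan_threshold
    distinct destination ports, the walk described in the thread), or 'normal'."""
    trap_hits, dst_ports = summarize(events)
    labels = {}
    for src in dst_ports:
        if trap_hits[src] > 0:
            labels[src] = "snmp-trap-broadcast"
        elif len(dst_ports[src]) >= scan_threshold:
            labels[src] = "port-scan"
        else:
            labels[src] = "normal"
    return labels


if __name__ == "__main__":
    for src, label in sorted(classify(parse_log(SAMPLE_LOG)).items()):
        print(f"{src:16} {label}")
```

The trap check keys on the destination being a broadcast address, not merely on port 162, since (as the thread notes) agents can be bound to other ports; the scan check keys on the number of distinct local ports one remote host touches rather than on packet rate, because a handful of packets per second to a single port is what a chatty trap sender looks like, not a scan.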
    