Thursday, 4 June, 2026
IT Security Guru

SNMP amplification could allow major DDoS attack sizes

by The Gurus
July 8, 2014
in Editor's News

The next distributed denial-of-service (DDoS) vector to be concerned about is SNMP (Simple Network Management Protocol) amplification attacks.
 
Speaking to IT Security Guru, Akamai security evangelist Martin McKeay said that this was the next DDoS attack vector he was worried about as it allows an attacker information to a log management system and, as many are not configured and pull in information, they could send information to any source.
 
“With DNS you look at a 20-50 amplification, with NTP it is 1-20 times amplification. But with SNMP you can look at 400-500 times amplification and there is a lot of information on servers that you can dump on a server, and the NTP protocol means you can send more services that ask for more information from NTP,” he said.
 
Corero Network Security chief executive Ashley Stephenson said that, with SNMP, theoretically you can request larger packets to be sent so technically this was true. But he said that you have to find enough vulnerable servers to manipulate. “DNS has some amplification techniques that you can leverage and you don’t often find servers with recursions exposed,” he said.
 
“The reason NTP became so popular is because there are millions of NTP servers on the internet that are not behind firewalls as they are doing their job and have had amplification up to 1,000 open, and it is the number of sources they can open. With SNMP once you get a hundred you are up and running with the attack but with the time you spent searching for servers, it could be better spent looking for service bots.”
 
Darren Anstee, director of solutions architects at Arbor Networks, said that there are (unfortunately) quite a few protocols that can be used to amplify the size of DDoS attacks, with NTP and DNS being the most well known of these. “In fact, NTP reflection was probably responsible for the most concentrated burst of large Volumetric DDoS attacks ever seen on the Internet through February and March this year,” he said.
 
He acknowledged that SNMP is one of many protocols which can be used for amplification attacks and there are a lot of exploitable devices available to attackers, and the amplification factor for SNMP can be considerable (higher than DNS and comparable to NTP) if the attackers know what they are doing.
 
“SNMP reflection attacks are becoming more common at the moment, although we aren’t yet seeing them in anything like the numbers we are seeing DNS and NTP reflection attacks, and there is scope for very large attacks to be generated; the largest we have seen so far this year though is at 18.6Gb/sec (much smaller than the large NTP and DNS reflection attacks we have seen).”
 
Danny McPherson, senior vice president and chief security officer at Verisign, said that time will tell how large a threat this vector is, but it is definitely something we are watching closely as well. “SNMP is another common UDP protocol used for network management that we will see targeted more and more for amplification attacks due to their availability – several types of network devices come with SNMP ‘on’ by default – and high amplification ability,” he said.

Tags: attack, DDoS, DNS