A Broadband Internet Technical Advisory Group Technical Working Group Report.
Please direct comments on the substance of the report to firstname.lastname@example.org.
A BITAG member and Internet Service Provider (ISP), Comcast, has observed large-scale Simple Network Management Protocol (SNMP) Reflected Amplification Distributed Denial of Service (DDoS) attacks. These attacks are significant and have been observed to result in tens of gigabits to over one hundred gigabits per second of SNMP traffic sent to attack targets from multiple broadband networks. These attacks have been hours long in duration, disruptive for attack targets, and very challenging for targets to mitigate. The conditions that make this attack possible exist on many types networks, regardless of access network technology (DOCSIS, DSL, fiber, etc.), and regardless of geographic location.
The general conditions making this possible include:
- Some networks do not perform ingress filtering, which makes it possible for users of those networks to spoof packets, making it appear that the packets originated elsewhere.
- Networks have hosts that are infected with malware, and are under the control of bot networks.
- Some home gateway devices (a.k.a. routers) ship with SNMP turned on by default, using a well-known community string such as “public.”
To conduct the attack, the following steps are taken by an attacker:
- Initiation: An attacker sends instructions to a bot network to conduct the attack. These instructions include the bots to use to distribute the attack, the home gateways to reflect and amplify the attack, and the IP address of the attack target.
- Distribution: Infected hosts participating in a bot network, which happen to be located in a network that cannot or has not taken sufficient steps to prevent spoofing, receive the attack instructions. Thus, one attacker distributes the attack activity to many individual hosts. Each of the multitude of bots sends a small SNMP query to home gateway devices that are listening for particular SNMP queries on their public Internet network interface. This query is forged to make it appear that it was sent from the victim’s IP address, so that all responses will be directed to the target rather than back to the bot network’s hosts.
- Reflection: Home gateways that were listening for SNMP queries, receive the forged queries from the bot network’s hosts. They then send an SNMP response to the target.
- Amplification: The size, in bytes, of the SNMP response is larger than the SNMP query sent by the bot network. So the bot network is able to amplify the amount of data directed at the attack target, compared to a smaller amount of data sent by the bot network.
Device makers as well as Internet Service Providers (ISPs) and Application Service Providers (ASPs) should be aware of this issue and may need to consider a range of potential network management or other responses. The recommendations of the BITAG include:
- End-user devices should not be configured with SNMP on by default.
- End-user devices should not be routinely configured with the “public” SNMP community string.
- ISPs, ASPs, and other network or systems administrators should not routinely use the “public” SNMP community string on an unsecured basis.
- Users should be allowed and encouraged to disable SNMP.
- ISPs should take reasonable steps to prevent address spoofing.
- ISPs may implement appropriately targeted filtering/blocking of SNMP traffic.
- ISPs should be transparent with respect to network management policies that may impact SNMP traffic.
- ISPs should provide mechanisms to re-enable SNMP on a case-by-case basis.
- ISPs and attack targets should be willing to share relevant and non-proprietary information related to SNMP-based attacks with appropriate communities.