SNMP DDoS Attacks Spike

Published: 22/11/2024   Category: security


Akamai issues threat advisory on attack campaign that uses Team Poison-developed DDoS toolkit.



No botnet necessary: Yet another flavor of distributed denial-of-service (DDoS) attack that doesn't require infecting PCs is on the rise.
Akamai's Prolexic Security Engineering and Response Team (PLXsert) today issued a threat advisory warning of a spike in DDoS attacks abusing the Simple Network Management Protocol (SNMP) interface in network devices such as routers, switches, firewalls, and printers.
PLXsert has spotted 14 SNMP DDoS attack campaigns over the past month, targeting various industries including consumer products, gaming, hosting, nonprofits, and software-as-a-service, mainly in the US (49.9%) and China (18.49%). The attackers used a tool that's available online and was developed by the infamous hacker group Team Poison.
This latest wave of attacks targets devices running an older version of SNMP, version 2, which by default is open to the public Internet unless that feature is manually disabled. SNMP version 3 is a more secure version of the management protocol, which is used to store device information such as IP address or even the type of toner used on a printer.
"Through the use of GetBulk requests against SNMP v2, malicious actors can cause a large number of networked devices to send their stored data all at once to a target in an attempt to overwhelm the resources of the target," PLXsert says in the advisory. "This kind of DDoS attack, called a distributed reflection and amplification (DrDoS) attack, allows attackers to use a relatively small amount of their own resources to create a massive amount of malicious traffic."
The attacks use the Team Poison-built tool to automate the GetBulk requests. The attackers use the IP address of the organization they are targeting as the spoofed source of the requests, then set off a bulk request to SNMP devices. These actions lead to a flood of SNMP GetResponse data sent from the reflectors to the target. "The target will see this inflow of data as coming from the victim devices queried by the attacker," the advisory says, and the attacker's actual IP address is hidden.
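The traffic pattern described above has a recognizable shape from the target's side: many distinct hosts all sending large UDP packets sourced from port 161 (SNMP GetResponse) to one destination, where a normal SNMP poll reply is a single small packet. The following detection sketch is an added example, not code from the advisory or from Akamai; the flow records and the thresholds (reflector count, average bytes per packet, total bytes) are constructed and assumed values that an operator would tune to their own baseline.

```python
from collections import defaultdict

# Constructed flow records (not from the advisory):
# (src_ip, src_port, dst_ip, dst_port, packets, bytes)
SAMPLE_FLOWS = [
    ("198.51.100.10", 161, "203.0.113.5", 40000, 120, 170_000),
    ("198.51.100.11", 161, "203.0.113.5", 40000, 95, 130_000),
    ("198.51.100.12", 161, "203.0.113.5", 40000, 110, 160_000),
    ("198.51.100.13", 161, "203.0.113.5", 40000, 80, 115_000),
    ("192.0.2.7", 161, "203.0.113.9", 50123, 2, 300),      # ordinary poll reply
    ("192.0.2.8", 443, "203.0.113.5", 51000, 40, 30_000),  # unrelated HTTPS traffic
]

SNMP_PORT = 161  # GetResponse replies from a reflector are sourced from UDP/161


def snmp_reflection_suspects(flows, min_reflectors=3, min_avg_bytes=1000,
                             min_total_bytes=100_000):
    """Return {dst_ip: stats} for destinations that receive SNMP-sourced traffic
    from many distinct hosts with large average packets (assumed thresholds).

    The reflector list is kept so their owners can be notified: those devices
    are the "duped" SNMPv2 endpoints exposed to the Internet, not the attacker.
    """
    per_dst = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for src_ip, src_port, dst_ip, _dst_port, packets, nbytes in flows:
        if src_port != SNMP_PORT:
            continue
        stats = per_dst[dst_ip]
        stats["reflectors"].add(src_ip)
        stats["packets"] += packets
        stats["bytes"] += nbytes

    suspects = {}
    for dst_ip, stats in per_dst.items():
        avg = stats["bytes"] / stats["packets"] if stats["packets"] else 0.0
        if (len(stats["reflectors"]) >= min_reflectors
                and avg >= min_avg_bytes
                and stats["bytes"] >= min_total_bytes):
            suspects[dst_ip] = {
                "reflector_count": len(stats["reflectors"]),
                "reflector_ips": sorted(stats["reflectors"]),
                "avg_bytes_per_packet": round(avg, 1),
                "total_bytes": stats["bytes"],
            }
    return suspects


if __name__ == "__main__":
    for dst, info in snmp_reflection_suspects(SAMPLE_FLOWS).items():
        print(dst, info)
```

On the constructed sample only 203.0.113.5 is flagged: four reflectors, about 1.4 KB per packet; the single small reply to 203.0.113.9 is ordinary management traffic.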
David Fernandez, director of the PLXsert team, says this reflection technique, as with NTP reflection attacks, is popular because it's a way to maximize connections without a botnet, and it's cheaper to perform. "They can perform campaigns without infections," Fernandez says. "Unfortunately, the attackers are victims, such as the duped devices responding to the targeted organization's network."
"These are pretty massive attacks," he says. "SNMP has a high amplification factor."
The attacks are more than mayhem: Increasingly, DDoS attacks such as these are being used as a smokescreen to divert from a real, more deadly attack, he says. Fernandez declined to speculate on the motivation behind these specific attacks.
"The use of specific types of protocol reflection attacks such as SNMP surges from time to time," said Stuart Scholly, senior vice president and general manager of Akamai's Security Business Unit, in a statement. "Newly available SNMP reflection tools have fueled these attacks."
The full Akamai PLXsert threat advisory is available here.
