SNMP Reflection DDoS Attacks
The DDoS techniques have massively increased with the attackers becoming more skillful at working around the network security. A massive 300Gbps DDoS attack launched against Spamhaus website almost broke the Internet a year ago and also earlier this year, hackers have succeeded in reaching new heights of the massive DDoS attack targeting content-delivery and anti-DDoS protection firm CloudFlare, reaching more than 400Gbps at its peak of traffic.

Akamai's Prolexic Security Engineering and Response Team (PLXsert) issued a threat advisory on Thursday reporting a significant surge in DDoS attacks last month abusing the Simple Network Management Protocol (SNMP) interface in network devices.

Simple Network Management Protocol (SNMP) is a UDP-based protocol which is commonly known and often used to manage network devices. SNMP is typically used in devices such as printers, routers and firewalls that can be found in the home and enterprise environments as well.

Just as DNS amplification attacks, SNMP could also be used in Amplification attacks because a cyber criminal can send a small request from a spoofed IP address in order to sent a much larger response in return.

Over the past month, researchers have spotted 14 Distributed Denial-of-Service (DDoS) attack campaigns that have made use of SNMP amplified reflection attacks. The attacks targeted a number of different industries including consumer products, gaming, hosting, non-profits and software-as-a-service, mainly in the United States (49%) and China (18.49%).

The Distributed Denial of Service (DDoS) attack is becoming more sophisticated and complex and so has become one of favorite weapon for the cyber criminals to temporarily suspend or crash the services of a host connected to the Internet.

"The use of specific types of protocol reflection attacks such as SNMP surge from time to time," said Stuart Scholly, the senior vice president and general manager of the Security Business Unit at Akamai. "Newly available SNMP reflection tools have fueled these attacks."

The attack only targets the devices that runs an older version of SNMP, i.e. version 2, which by default is open to the public Internet unless the feature is manually disabled. The latest version of SNMP, version 3 is more secure management protocol.

The cyber criminals made use of affective DDoS tools in an effort to automate the GetBulk requests against SNMP v2 that caused a large number of networked devices to send their entire stored data at once to a target in order to overwhelm its resources.

The attack is nothing but a distributed reflection and amplification (DrDoS) attack that allows an attacker to use a little skill and relatively small amount of resources in an attempt to create a larger data flood.

"Network administrators are encouraged to search for and secure SNMP v.2 devices," added Scholly. "The Internet community has been active in blacklisting the devices involved in recent DDoS attacks, but we also need network administrators to take the remediation steps described in the threat advisory. Network administrators can help prevent more devices from being found and used by malicious actors."

Since 2013, Hackers have adopted new tactics to boost the sizes of Distributed Denial of Service (DDoS) attack which is also known as Amplification Attack', leveraging the weakness in the UDP protocols. The most common is the (Domain Name System) DNS and (Network Time Protocol) NTP Reflection Denial of Service attack, but now cyber criminals have manage to use (Simple Network Management Protocol) SNMP to cause major damage.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.