Simple Network Management Protocol (SNMP) is a UDP service that runs on port 161/UDP. It is used for network management purposes and should be reachable only from known locations using secure channels.

I reviewed my honeypot today for interesting connections during December 2019 and saw an increase in SNMP queries with the following distribution:

This is interesting as attackers are querying for the Community-Based Simple Network Management Protocol version 2 (SNMPv2c) instead of SNMPv2. It introduced the GetBulkRequest command to gather large amounts of data. SNMPv2c includes SNMPv2 without the SNMPv2 security model, using instead the simple community-based security scheme of SNMPv1.

Our ISC data shows this port was also active during December, with a small spike during the first week of 2020:

A Shodan report shows many devices connected to the internet with an open SNMP port:

And there are domains with a significant number of devices with an open SNMP port. Source is Shodan:

We can conclude the following:

Do you have any other interesting findings to share with us? Please send them using our contact form.

Manuel Humberto Santander Pelaez
Manuel Humberto Santander Peláez, 195 Posts, ISC Handler, Jan 6th 2020
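To build this kind of per-version breakdown from raw UDP/161 payloads logged by a honeypot, the following added example (not part of the original diary) decodes just enough BER to read the version, community string and PDU type of each probe. The function names and the sample datagrams are constructed for illustration.

```python
from collections import Counter

VERSIONS = {0: "SNMPv1", 1: "SNMPv2c"}           # value of the version INTEGER
PDUS = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
        0xA3: "SetRequest", 0xA5: "GetBulkRequest"}  # context tags of the PDU

def read_tlv(buf, pos):
    """Decode one BER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                            # long form: low 7 bits = byte count
        n = length & 0x7F
        if n == 0 or n > 2 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length exceeds datagram")
    return tag, buf[pos:pos + length], pos + length

def classify(datagram):
    """Return (version, community, pdu) for an SNMPv1/v2c message, else None."""
    try:
        tag, body, _ = read_tlv(datagram, 0)         # outer SEQUENCE
        vtag, ver, pos = read_tlv(body, 0)           # version INTEGER
        ctag, community, pos = read_tlv(body, pos)   # community OCTET STRING
        ptag, _, _ = read_tlv(body, pos)             # PDU
    except ValueError:
        return None
    version = int.from_bytes(ver, "big")
    if (tag, vtag, ctag) != (0x30, 0x02, 0x04) or not ver or version not in VERSIONS:
        return None                                  # not community-based SNMP
    return VERSIONS[version], community.decode("latin-1"), PDUS.get(ptag, hex(ptag))

def distribution(datagrams):
    """Count probes per (version, PDU type); unparseable payloads count as 'other'."""
    parsed = (classify(d) for d in datagrams)
    return Counter((p[0], p[2]) if p else "other" for p in parsed)

# Constructed samples (not honeypot data): community "public", OID 1.3.6.1.2.1.
TAIL = "300b300906052b060102010500"
V2C_BULK = bytes.fromhex("302302010104067075626c6963" "a51602010102010002010a" + TAIL)
V1_GET = bytes.fromhex("302302010004067075626c6963" "a016020102020100020100" + TAIL)
SAMPLES = [V2C_BULK, V2C_BULK, V1_GET, V2C_BULK[:10], b"\x00"]

if __name__ == "__main__":
    for key, count in distribution(SAMPLES).most_common():
        print(key, count)
```

SNMPv3 messages carry no community string and are counted under "other" by this sketch.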
Besides giving attackers easy info on your network, this is a major vector for DDoS amplification - up to a 1700 times amplification PER request!
Anonymous, Jan 6th 2020
Over the new year, I installed a new networked printer from a name brand vendor at home. Checking its network posture was a hair-raising experience.
SNMP v1 and v2 enabled RW (!!) by default. TFTP (!!!) enabled by default. Lots of other fun and games, but those two are probably the most memorable of the many preinstalled vulnerabilities.
Quadword, 4 Posts, Jan 7th 2020