June 20, 2014 at 17:30A surge of brute-force attacks aimed at easily selectable snmp community records
Good afternoon to everyone, I have
come across an interesting surge in network activity on the Internet in recent days. I work in Cisco TAC, therefore, an article about it.
Namely, someone on the Internet launched a global scan of network devices for easily selectable snmp community records that are writable and, if successful, erases the routing table from the devices.
Obviously, this leads to a sudden cessation of the correct operation of the device (most often these are border routers) and the opening of an excessive number of cases for technical support.
Of course, Cisco, as always, recommends careful monitoring of snmp, especially for such a part as community names that are writable, use access lists, and it reminds us that community by design is nothing more than a password, and it should actually be complicated.
Nevertheless, as a result of this attack, several striking moments were revealed:
- the attack vector directed at such a site itself gives unlimited possibilities for device management with obvious ease of execution
- which makes it even worse - iOS devices do not log configuration changes via SNMP, which leads to to completely incomprehensible reasons for the problems. This behavior will be fixed and a bug has already been started on this subject.
I would also like to emphasize that you should not be indignant at all and write about keeping the snmp community open outside only by an amateur, the author himself is aware of it. But, dear friends, you would be surprised how big, important and professional people have suffered, continue to suffer, and how many of them have turned out.
In the conditions when you have to administer hundreds of devices, something can be missed, so it still won’t hurt to check again, and it might also help someone understand what has happened recently with its expensive and powerful border equipment.
Original at the Cisco Blog:
blogs.cisco.com/security/snmp-spike-in-brute-force-attempts-recently-observed
come across an interesting surge in network activity on the Internet in recent days. I work in Cisco TAC, therefore, an article about it.
Namely, someone on the Internet launched a global scan of network devices for easily selectable snmp community records that are writable and, if successful, erases the routing table from the devices.
Obviously, this leads to a sudden cessation of the correct operation of the device (most often these are border routers) and the opening of an excessive number of cases for technical support.
Of course, Cisco, as always, recommends careful monitoring of snmp, especially for such a part as community names that are writable, use access lists, and it reminds us that community by design is nothing more than a password, and it should actually be complicated.
Nevertheless, as a result of this attack, several striking moments were revealed:
- the attack vector directed at such a site itself gives unlimited possibilities for device management with obvious ease of execution
- which makes it even worse - iOS devices do not log configuration changes via SNMP, which leads to to completely incomprehensible reasons for the problems. This behavior will be fixed and a bug has already been started on this subject.
I would also like to emphasize that you should not be indignant at all and write about keeping the snmp community open outside only by an amateur, the author himself is aware of it. But, dear friends, you would be surprised how big, important and professional people have suffered, continue to suffer, and how many of them have turned out.
In the conditions when you have to administer hundreds of devices, something can be missed, so it still won’t hurt to check again, and it might also help someone understand what has happened recently with its expensive and powerful border equipment.
Original at the Cisco Blog:
blogs.cisco.com/security/snmp-spike-in-brute-force-attempts-recently-observed