The SNMP protocol: network attack methods and protection. SNMP security. Protection against DDoS SNMP amplification on Cisco equipment


CONTENTS
INTRODUCTION
1. THEORETICAL GROUNDING OF THE PROBLEM OF STUDYING ATTACK METHODS ON THE SNMP PROTOCOL
1.1 THE NEED TO STUDY SNMP ATTACK METHODS
1.2 THE SNMP PROTOCOL: DESCRIPTION, PURPOSE
2. ANALYSIS OF ATTACKS ON THE SNMP PROTOCOL AND METHODS OF COUNTERING THEM
2.1 ATTACK TECHNIQUES ON THE SNMP PROTOCOL AND METHODS OF PREVENTING THEM
2.2 METHODS OF COUNTERING ATTACKS ON THE SNMP PROTOCOL
CONCLUSION
LIST OF SOURCES USED

Excerpt for review

Figure 3 - Screenshot of the SoftPerfect Network Scanner utility

Patches. Manufacturers of many network devices release so-called patches, which are needed when vulnerabilities are found in a system. Therefore, having identified SNMP-capable devices on the network, it is advisable to contact the manufacturers of those devices to find out whether they have released the necessary patches.

Here is the procedure for disabling the SNMP service in the Windows operating system: select Start - Control Panel - Administrative Tools - Services (see Figure 4). Select the SNMP service. If the service is running, click "Stop", then set "Startup type" to "Disabled". [...] even with SNMP disabled.

Ingress filtering. Ingress filtering relies on configuring firewalls and routers so that they filter inbound traffic to UDP ports 161 and 162. This prevents attacks initiated from the external network against vulnerable devices on the local network. Other ports that serve SNMP-related services, including TCP and UDP ports 161, 162, 199, 391, 750 and 1993, may also need ingress filtering.

[...] that leaves the network. Filtering outgoing traffic on UDP ports 161 and 162 at the network perimeter prevents your systems from being used as a springboard for an attack.

[...] network attack) into a computer system or network. Without an IDS the network security infrastructure is unthinkable. Complementing firewalls, which operate on the basis of security rules, an IDS monitors and watches for suspicious activity. It makes it possible to detect intruders who have got past the firewall and to notify the administrator, who takes the decisions needed to maintain security. Intrusion detection methods do not guarantee the complete security of a system.

The use of an IDS achieves the following goals: detection of a network attack or intrusion; identification of the system's weak points to prevent their exploitation (in many situations the attacker goes through a preparation stage, for example probing (scanning) the network or testing it in some other way to reveal the system's vulnerabilities); documenting known threats; quality control of administration from a security standpoint, particularly in large and complex networks; obtaining valuable information about the intrusion that occurred, in order to restore and correct the factors that led to it; determining the location of the attack source relative to the local network (external or internal attacks), which helps make the right decisions when placing network nodes. An IDS usually contains: a sensor subsystem that collects events related to the security of the protected system; an analysis subsystem that detects suspected attacks; a store that holds the primary events and the results of the analysis; and a management console, through which the incidents found by the analysis subsystem are reviewed. It is obvious that the simplicity of the popular SNMP protocol can in some ways foster vulnerability. Since SNMP is widely deployed, operating it with vulnerable products can lead to fatal consequences. To use the SNMP protocol effectively, one should apply various ways of preventing attacks and build a comprehensive defense system.

CONCLUSION

The research was devoted to the security issues of organizing network interaction with the help of the SNMP protocol. In the course of the work, the features of the protocol and the possible problems of its use were revealed. To clarify the problem, statistical data were cited confirming the high effectiveness of the attacks carried out against it.

LIST OF SOURCES USED
Regulatory legal acts
1. Federal Law of the Russian Federation of 27 April 2006 No. 149-FZ "On Information, Information Technologies and Information Protection".
List of specialized and scientific literature
2. Blank-Edelman D. Perl for System Administration. M.: Symbol-Plus, 2009. 478 p.
3. Borodakiy V.Yu. Practice and prospects of creating protected information and computing clouds based on MSS OGV / V.Yu. Borodakiy, A.Yu. Dobrodiev, P.A. Nashchokin // Current problems of developing technological systems of state protection, special communications and special information support: VIII All-Russian International Scientific Conference: Materials and reports (Orel, 13–14 February 2013). In 10 parts. Part 4 / Ed. V.V. Mizerov. Orel: Academy of the FSO of Russia, 2013.
4. Grishina N.V. Organization of an integrated information protection system. M.: Helios ARV, 2009. 256 p.
5. Mauro D.R. Fundamentals of SNMP, 2nd ed. / Douglas R. Mauro, Kevin J. Schmidt. M.: Symbol-Plus, 2012. 725 p.
6. Kulgin M.V. Computer networks. Structure and practice. For professionals. SPb.: Piter, 2003. 462 p.
7. Mulyukha V.A. Methods and means of protecting computer information. Firewalling: textbook / Mulyukha V.A., Novopashenny A.G., Podgursky Yu.E. SPb.: SPbGPU Publishing, 2010. 91 p.
8. Olifer V.G., Olifer N.P. Computer networks. Principles, technologies, protocols. 4th ed. SPb.: Piter, 2010. 902 p.
9. Switching and routing technologies in local computer networks: textbook / Smirnova E.V. et al.; ed. A.V. Proletarsky. M.: Bauman MSTU Publishing, 2013. 389 p.
10. Flenov M. Linux Through a Hacker's Eyes. SPb.: BHV-Petersburg, 2005. 544 p.
11. Khoreev P.V. Methods and means of protecting information in computer systems. M.: Publishing Center "Academy", 2005. 205 p.
12. Khoroshko V.A., Chekatkov A.A. Methods and means of information protection. K.: Junior, 2003. 504 p.
Internet sources
13. IDS / IPS - Intrusion detection and prevention systems [Electronic resource]. URL: http://netconfig.ru/server/ids-ips/
14. Analysis of Internet threats in 2014. DDoS attacks. Website hacking. [Electronic resource]. URL: http://onsec.ru/resources/Internet%20threats%20in%202014.%20Overview%20by%20Qrator-Wallarm.pdf
15. Kolishchak A. Format string vulnerability [Electronic resource]. URL: https://securityvulns.ru/articles/fsbug.asp
16. First Mile, No. 04, 2013 [Electronic resource]. URL: http://www.lastmile.su/journal/article/3823
17. The SNMP standards family [Electronic resource]. URL: https://ua.wikibooks.org/wiki/SNMP_Standards_Set
Foreign literature
18. "CERT Advisory CA-2002-03: Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP)", 12 Feb. 2002 (current 11 March 2002).


An overview of network attack techniques by layer of the OSI network model and methods of countering them

INTRODUCTION


Any information has three main properties:

· Confidentiality.

· Integrity.

· Availability.

Let us explain each of these properties.

Confidential information is information that is in the possession, use or disposal of individual natural or legal persons and is disseminated at their wish in accordance with the conditions they set.

Integrity of information (data integrity) is a term in computer science and telecommunications theory meaning that the data is complete, on the condition that it was not changed while any operation was performed on it, whether transmission, storage or display.

Availability of information is the state of information (of the resources of an automated information system) in which the subjects that hold access rights can exercise them without hindrance. Access rights: the right to read, modify, copy and delete information, as well as the right to modify, use and delete resources.

There are three main ways of protecting information, listed here in order of importance:

· Organizational methods and means of protecting information. Organizational protection of information is the organizational foundation, the so-called "core" of the overall system for protecting the confidential information of an enterprise. The effectiveness of the entire information protection system depends on how completely and how well the enterprise's management and officials solve the organizational tasks. The role and place of organizational protection in the overall set of measures aimed at protecting the enterprise's confidential information are determined by the exceptional importance of management taking timely and correct decisions, taking into account the forces, means, methods and ways of protecting information at its disposal and relying on the current regulatory and methodological framework.

· Technical methods and means of protecting information. These methods presuppose the presence of devices, technical means of information processing and special technical solutions that ensure the protection and control of information. In addition, there are software methods of protecting information, that is, a set of algorithms and programs that ensure separation of access and exclude unauthorized use of information.

Introduction

This article is a logical continuation of the article "", in which the basic principles of the protocol's operation were given. The aim of this work
is to explain the measures needed to secure an adequate level of protection
for SNMP. I ask the reader to forgive me that some
points from the previous material are repeated; this is necessary for
a fuller view of the question. General information will be
presented here at a minimum; for a better grasp of the material
I advise reading the first article.

Threats

Problems with the SNMP protocol began with the first version, where a protection
mechanism was not even considered. At any moment it was easy to learn passwords
by listening to the network. But after some time a second version appeared which,
in keeping with the times, included more serious
security functions: in particular, hashing with MD5, encryption with
DES and others (see the first article). At present there is a third version of SNMP, whose developers
made ensuring security their main task. However, not everything
is smooth with the security of the third version either.
There are 6 types of threats for SNMP:

  1. Disclosure of information: observing the exchange of data between agents and
    the management station in order to learn the values of variables
  2. Masquerading
  3. Modification: forging messages about fictitious operations
  4. Modification of the message stream
  5. Network traffic analysis
  6. Denial of service.

Let us see how the third, supposedly most secure, version of SNMP fares
against these types of attack.

Attacks on SNMPv3

  • Masquerading - defeated, the system
    verifies the origin of packets
  • Modification - the protocol checks integrity with the help of MD5
  • Disclosure - encryption with DES
  • Traffic analysis - the protocol, as before,
    is VULNERABLE
  • Denial of service - VULNERABLE

At the same time, as it turned out, even the 3rd version is susceptible to certain types of attack. In
particular, the ucd-snmp utility set versions 5.0.1, 5.0.3 and 5.0.4.pre2, which
includes the SNMP daemon, utilities for requesting and setting
MIB values, and other features, is vulnerable in several ways to denial-of-service
attacks. The vulnerability was found by Andrew Griffiths and announced
by iDEFENSE on July 2, 2002.
The only solution to problems of this kind is regular
software updates.

One of the most widespread problems is still the default passwords
(community strings). It goes without saying that
default settings MUST be changed. The man pages for the following files will help here:
snmp.conf, snmp_config, snmpcmd
(the SNMP configuration and operation files). Even a simple change of the
default value "public" to a complex password means the attacker can no longer
view information about your system with the trivial utility
snmpwalk. Many network devices (switches, WAN/LAN routers, modems, as well as
some operating systems) have SNMP
activated by default, and even with rw access(!). The consequences of such carelessness
are easy to foresee. Here is a small list, as examples, of devices and their
default passwords:

- 3com Switch 3300 (3Com SuperStack II) - private
- Cray MatchBox router (MR-1110 MatchBox Router/FR 2.01) - private
- 3com RAS (HiPer Access Router Card) - public
- Prestige 128/128 Plus - public
- COLTSOHO 2.00.21 - private
- PRT BRI ISDN router - public
- CrossCom XL 2 - private
- WaiLAN Agate 700/800
- HPJ3245A HP Switch 800T - public
- ES-2810 FORE ES-2810, Version 2.20 - public
- Windows NT Version 4.0
- Windows 98 (not 95) - public
- Sun/SPARC Ultra 10 (Ultra-5_10) - private

Incidentally, on July 16 new information was published on the bugtraq list
about unauthorized access to AVAYA Cajun. The SNMP community
[email protected]! allows access. Undocumented accounts
diag/danger and manuf/xxyyzz were also reported. The solution to such problems is to prohibit rw access and to block access
from outside to devices with SNMP activated. Access to the
SNMP port must be blocked for all third-party computers. This is easy to do
by writing ipchains/iptables rules. I cannot give advice on configuring
ipchains, since one needs to know the topology of the local network, and
home workstations do not need SNMP.

Any system administrator dealing with this
protocol needs programs that make working with SNMP easier. In
this connection MRTG and SNMP::Monitor can be mentioned. According to the author of the
SNMP::Monitor package, this program can work in tandem with MRTG (you
can read about it in the readme). SNMP::Monitor can be downloaded from the
archive at packetstormsecurity.org. Here are some of its functions:

- launching a process that monitors
  interfaces and keeps logs in a database
- providing a graphical interface via www
- displaying statistics
- a built-in data access control system
and others.

It is absolutely necessary to log access attempts to the SNMP service from
unauthorized hosts and to analyze the logs afterwards. If you want to
check your network for vulnerabilities, snmpsniff, a traffic interceptor,
will be a useful program. It can be obtained from www.packetstormsecurity.org/sniffers/snmpsniff-1.0.tar.gz.
To check the strength of passwords you can use snmpbrute.c,
which is a fairly fast password brute-forcer.
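The logging and log review recommended above can be automated. The following Python script is an added example and is not part of the original article or of any tool it mentions; it assumes that an iptables LOG rule (assumed prefix "SNMP-IN:") writes one syslog line per packet arriving at UDP 161/162, that the only legitimate management stations live in 10.0.0.0/24, and that the log lines embedded below are constructed for the example rather than captured.

```python
"""Find hosts outside the management allowlist that tried to reach the SNMP ports.

Added example: parses syslog lines written by an iptables LOG rule (assumed prefix
"SNMP-IN:") and counts UDP 161/162 attempts per non-allowlisted source address.
"""
import ipaddress
import re
from collections import Counter

# Assumption: only these networks may talk SNMP to our agents.
MGMT_ALLOWLIST = [ipaddress.ip_network("10.0.0.0/24")]
SNMP_PORTS = {161, 162}

# Key=value fields an iptables LOG rule emits, in the order the kernel writes them.
LOG_RE = re.compile(
    r"SRC=(?P<src>[0-9a-fA-F.:]+) DST=(?P<dst>[0-9a-fA-F.:]+) .*?"
    r"PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Constructed sample log, not real traffic (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = [
    "Mar 12 10:01:02 agent1 kernel: [1001.1] SNMP-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=98 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=UDP SPT=39565 DPT=161 LEN=78",
    "Mar 12 10:01:03 agent1 kernel: [1002.2] SNMP-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.7 DST=192.0.2.10 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=40001 DPT=161 LEN=70",
    "Mar 12 10:01:04 agent1 kernel: [1003.3] SNMP-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=98 TOS=0x00 PREC=0x00 TTL=54 ID=3 DF PROTO=UDP SPT=39566 DPT=161 LEN=78",
    "Mar 12 10:01:05 agent1 kernel: [1004.4] SNMP-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=120 TOS=0x00 PREC=0x00 TTL=50 ID=4 DF PROTO=UDP SPT=162 DPT=162 LEN=100",
    "Mar 12 10:01:06 agent1 kernel: [1005.5] SNMP-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=5 DF PROTO=TCP SPT=5555 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Mar 12 10:01:07 agent1 sshd[123]: Accepted publickey for admin from 10.0.0.7 port 50000 ssh2",
]


def parse_line(line):
    """Return the packet fields of an iptables LOG line, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "proto": m["proto"],
        "dpt": int(m["dpt"]),
    }


def is_allowed(src):
    """True if the source address belongs to an allowlisted management network."""
    return any(src in net for net in MGMT_ALLOWLIST)


def unauthorized_snmp_sources(lines):
    """Map each non-allowlisted source to its number of UDP 161/162 attempts."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP" or rec["dpt"] not in SNMP_PORTS:
            continue  # not SNMP: TCP probes and unrelated syslog lines are ignored here
        if not is_allowed(rec["src"]):
            hits[str(rec["src"])] += 1
    return dict(hits)


if __name__ == "__main__":
    for src, count in sorted(unauthorized_snmp_sources(SAMPLE_LOG).items()):
        print(f"{src}: {count} SNMP attempt(s) from outside the management allowlist")
```

Feeding the script a real log requires only that the LOG rule sits before the DROP rule for UDP 161/162; the per-source counts are what you would turn into an alert threshold or feed to the IDS mentioned earlier in this page.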

So, in this work I have tried, as far as I was able, to cover the question of
secure SNMP operation. If I have missed something, I will be grateful for a
hint. Send your comments; if there are enough of them, we will write
a continuation.

CONCLUSION
The research is devoted to the security issues of organizing network interaction with the help of the SNMP protocol. In the course of the work, the features of the protocol and the possible problems of its use were revealed. To clarify the problem, statistical data were cited confirming the high effectiveness of the attacks carried out against it. In addition, the theoretical part covers the structure of the protocol, the request/response scheme and the stages of obtaining a response to a request.
Within the coursework, an analysis of possible attacks on the SNMP protocol was carried out, among which DoS attacks, buffer overflow attacks and format string vulnerabilities can be noted. Obviously there are more potential threats, but their consideration requires a deeper and broader study.
In order to build a system for protecting network interaction between the subscribers of a network, ways of preventing attacks on the SNMP protocol were considered, and it was determined that the use of a complex of means would be the most effective.
On the basis of the analysis it was revealed that the SNMP protocol can be vulnerable and, nevertheless, a decision in favour of using it should follow the development of a security policy and adherence to all of its principles.
Thus, conclusions can be drawn about the achievement of the goal and the completion of the tasks set in the introduction.

INTRODUCTION
The current stage of development of information technologies is characterized by new ways of storing, processing and transmitting data. Traditional information carriers and the presence of servers at companies and with private individuals are step by step giving way to remote technologies implemented through the global Internet. Internet services are becoming indispensable tools of modern, dynamically developing business, among which one can note e-mail; file exchange, voice messaging and data exchange using video applications; and the development of one's own Web resources.
In the opinion of many specialists, the wide use of Internet technologies requires building systems for effective administration of network devices, and one of the tools for this can be the SNMP protocol. However, organizing the management and monitoring of network devices through this protocol exposes network elements to attacks. Thus, questions of the technology for protecting against threats connected with the rapid development of Internet services come to the fore and require comprehensive analysis. Therefore the topic is relevant.
Many authors have devoted their works to building a system of protection against attacks on the SNMP protocol, but there is no single opinion on whether SNMP can be used securely, because of the complexity of securing it. Thus, Flenov M., in his book "Linux Through a Hacker's Eyes", identified several shortcomings of this protocol and does not recommend it. Smirnova E.V., in the textbook "Switching and Routing Technologies in Local Computer Networks", describes in detail the use of various addressing schemes for data transmission and effective management of networks with the help of the SNMP protocol, and also touches on the questions of its secure use. A closer look at the specialized literature and the Internet confirms the need for further study of the questions of secure access to the SNMP protocol in order to decide on the expediency of its use. The basis of such a decision should be an analysis of possible attacks and of the effectiveness of the methods of countering them.
Research objective: to conduct a comprehensive analysis of possible attacks on the SNMP protocol and ways of preventing them.
To achieve the objective, the following tasks must be solved:
1. Review the literature and Internet sources on organizing secure network interaction based on the SNMP protocol.
2. Substantiate the need to study methods of attack on the SNMP protocol and methods of countering them.
3. Identify the features of management via the SNMP protocol.
4. Analyze attack techniques on the SNMP protocol.
5. Describe methods of countering attacks on the SNMP protocol.
Object of research: the SNMP protocol.
Subject of research: methods of network attacks on the SNMP protocol and ways of preventing them.
Research methods: analysis, synthesis, generalization of information sources.
The coursework consists of an introduction, two chapters and conclusions. The first chapter is devoted to the theoretical grounding of the problem. The second chapter contains the analysis of possible attacks and ways of preventing them.



With the agreement of the editors of the journal, I am publishing my article "Protecting against DDoS by hand. Part 3. SNMP Amplification" from issue 164-165 (July-August 2016) of the journal "System Administrator".

To make your own contribution to protecting the world's cyberspace from DDoS, it is not at all necessary to buy expensive equipment or services. Any administrator of a server accessible from the Internet can take part in this noble cause without additional material outlay, using only knowledge and a little time.

Let us look at DDoS attacks of the "amplification" type that use the SNMP service.

SNMP amplification

The essence of the attack is that SNMP BULK requests, designed to automate the retrieval of tabular data while minimizing the number of packets sent, have become an effective DDoS tool in the hands of attackers. As RFC 3416 says, GetBulkRequest, implemented in SNMP version 2, is intended to allow a large amount of data to be requested, and this is exactly what attackers exploit using misconfigured servers on the Internet.

If you set the maximum number of returned table rows to 20000 and send the request to the address of an incorrectly configured server/device:

:~$ snmpbulkget -c public -v 2c -C r20000 192.168.10.129 1.3.6.1

the response will look something like this:

iso.3.6.1.2.1.1.1.0 = STRING: "SNMP4J-Agent - Windows 2003 - x86 - 5.2"

<290 rows skipped>

iso.3.6.1.6.3.18.1.1.1.8.123.123.12.123.123.12.12.123.123.12.123.123.12 = No more variables left in this MIB View (It is past the end of the MIB)

Running tcpdump shows the size of the returned packet:

21:41:18.185058 IP 192.168.10.128.39565 > 192.168.10.129.snmp: GetBulk(25) N=0 M=20000 .iso.org.dod.internet

21:41:18.603553 IP 192.168.10.129.snmp > 192.168.10.128.39565:

In this case the size of the request, headers included, is about 70 bytes, while the response from the server is about 10 kilobytes, that is, 150 times larger. The amplification factor is not fixed and can be either greater (up to 1700 times) or smaller, depending on the OS type and the configuration parameters of the device. If, when forming such a request, the source IP address is spoofed to the victim's address and requests are sent to a vulnerable server at high intensity, the DDoS attack is ready.
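To measure the amplification factor from a capture rather than by eye, here is an added Python example; it is not from the article and not part of tcpdump. It assumes tcpdump was run with -v, so that each line carries the IP total length, and the four capture lines embedded below are constructed to mirror the exchange above (a 98-byte GetBulk request answered by a 10248-byte response from one agent, and a second exchange with an agent whose view is properly restricted); the SNMP decode text after the colon is illustrative only.

```python
"""Compute per-flow SNMP amplification factors from tcpdump -v output.

Added example. A flow is (client ip, client port, agent ip); request bytes are
datagrams sent to UDP 161, response bytes are datagrams sent from UDP 161.
"""
import re
from collections import defaultdict

# Constructed tcpdump -v style lines (not a real capture). 'length' is the IP total length.
SAMPLE_CAPTURE = [
    "21:41:18.185058 IP (tos 0x0, ttl 64, id 40001, offset 0, flags [DF], proto UDP (17), length 98) "
    "192.168.10.128.39565 > 192.168.10.129.snmp: GetBulk(25) N=0 M=20000 .iso.org.dod.internet",
    "21:41:18.603553 IP (tos 0x0, ttl 128, id 51, offset 0, flags [none], proto UDP (17), length 10248) "
    "192.168.10.129.snmp > 192.168.10.128.39565: GetResponse(10212) ...",
    "21:41:20.000100 IP (tos 0x0, ttl 64, id 40002, offset 0, flags [DF], proto UDP (17), length 90) "
    "192.168.10.128.40001 > 192.168.10.130.snmp: GetBulk(17) N=0 M=20000 .iso.org.dod.internet",
    "21:41:20.000900 IP (tos 0x0, ttl 64, id 77, offset 0, flags [DF], proto UDP (17), length 150) "
    "192.168.10.130.snmp > 192.168.10.128.40001: GetResponse(114) ...",
]

LINE_RE = re.compile(
    r"^\S+ IP \(.*?length (?P<len>\d+)\) "
    r"(?P<src>[\d.]+)\.(?P<sport>\w+) > (?P<dst>[\d.]+)\.(?P<dport>\w+):"
)

# tcpdump prints well-known ports by name unless -n is given.
PORT_NAMES = {"snmp": 161, "snmptrap": 162}


def port_number(token):
    """Turn a tcpdump port token ('39565' or 'snmp') into an integer, or None if unknown."""
    return int(token) if token.isdigit() else PORT_NAMES.get(token)


def amplification_by_flow(lines):
    """Return {(client, client_port, agent): {'request_bytes', 'response_bytes', 'factor'}}."""
    flows = defaultdict(lambda: {"request_bytes": 0, "response_bytes": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        length = int(m["len"])
        sport, dport = port_number(m["sport"]), port_number(m["dport"])
        if dport == 161:                         # client -> agent: the request
            flows[(m["src"], sport, m["dst"])]["request_bytes"] += length
        elif sport == 161:                       # agent -> client: the response (any fragments add up)
            flows[(m["dst"], dport, m["src"])]["response_bytes"] += length
    result = {}
    for key, b in flows.items():
        if b["request_bytes"]:                   # ignore responses whose request was not captured
            result[key] = {**b, "factor": b["response_bytes"] / b["request_bytes"]}
    return result


def flag_amplifiers(lines, threshold=10.0):
    """Agents whose response/request byte ratio reaches the threshold, sorted by address."""
    return sorted({key[2] for key, v in amplification_by_flow(lines).items()
                   if v["factor"] >= threshold})


if __name__ == "__main__":
    for (client, cport, agent), v in amplification_by_flow(SAMPLE_CAPTURE).items():
        print(f"{client}:{cport} -> {agent}: {v['request_bytes']} B in, "
              f"{v['response_bytes']} B out, factor {v['factor']:.1f}")
    print("amplifiers:", flag_amplifiers(SAMPLE_CAPTURE))
```

Run against your own agents from a management host, the flagged list is the set of devices that still answer a large GetBulk with a large response, which is exactly what the restrictions in the next section are meant to remove.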

Cause

The essence of the problem, as a rule, lies not in a vulnerability and not in the configured number of values that can be retrieved by one GetBulkRequest, but in the value of the SNMP community set by default: public for read-only or, even worse, private for read-write. SNMP protocol versions 1 and 2c, which are based on UDP, are used for monitoring and management, and as the authentication parameter for access to the managed equipment they use the community value, which can be granted read-only or read-write rights. Most often, when the SNMP service is activated, systems set the default values public for read-only and private for read-write. Even if we set aside the possibility of using an incorrectly configured server as a reflector for amplifying SNMP attacks, the threat of disclosing information about the server, its installed software and versions is obvious with the default value public for read-only. The read-write community private gives practically unlimited, administrator-level access to the device. And even when no malicious change is made, intensive requests over the SNMP protocol can consume a significant share of the server's resources, which affects the quality of its services.

Protection

Recommendations specific to SNMP for securing a server or a network can be divided into the following directions:

1. Architecture: process requests only on interfaces that are unreachable from untrusted networks.

2. Change the community values to complex ones.

3. Restrict the IP addresses of management stations.

4. Restrict the OID tree available for retrieval/modification via SNMP.

5. Minimize or abandon the use of a read-write community.

6. Switch to SNMP version 3, using its additional authentication and encryption parameters.

7. Disable SNMP if it is not used.

How are these actions carried out on different operating systems?

In the configuration file of the snmpd service, set the following parameters:

agentAddress udp:10.0.0.1:161    # IP address, protocol and port on which SNMP requests are accepted

If the Unix server is essentially a router and architecturally has several interfaces, for security SNMP must be served only on the interface reachable from the trusted segment, and not from the Internet. The community name for access is set by the parameter rocommunity (read-only) or rwcommunity (read-write); you can also specify the source address from which access is allowed and the OID available to that community. For example, to allow monitoring systems from the 10.0.0.0/24 subnet access to interface information (OID 1.3.6.1.2.1.2) using the access string MaKe_It_SeCuRe with read-only rights, the configuration fragment looks like this:

rocommunity MaKe_It_SeCuRe 10.0.0.0/24 .1.3.6.1.2.1.2

In some cases, different Unix systems have a number of modifications of the syntax for setting these and other parameters and of the hierarchical structure of the configuration file. A detailed description can be obtained with the command

man snmpd.conf

If the task is to secure the snmpd service as quickly as possible and its current configuration is in doubt, you can make a backup copy of snmpd.conf and create a new configuration file with a new community. On Debian it will look like this:

# cd <directory with snmpd.conf>

# mv snmpd.conf snmpd.conf.backup

# echo rocommunity MaKe_It_SeCuRe 10.0.0.0/24 > snmpd.conf

# /etc/init.d/snmpd restart

After that, SNMP access to the server from 10.0.0.0/24 will be possible only with the new community, and all servers on which the community has not been changed to the new one will stop receiving responses to their requests, just like attackers.

It is safer to switch to SNMPv3, which allows the use of authentication parameters. In addition, unlike versions 1 and 2c, SNMPv3 makes it possible to encrypt traffic between the monitoring system and the monitored equipment. To create a user with read rights, authentication and traffic encryption, the following must be added to the configuration file snmpd.conf:

createUser v3user SHA "some_AuThPaSs" AES some_privpass

authuser read v3user authpriv 1.3.6.1.2.1.2

Accordingly, user v3user receives read-only rights to the subtree 1.3.6.1.2.1.2 via SNMP.

You can check the correctness of the configuration after restarting the SNMP service on the server 192.168.10.128 with a command run on the client:

$ snmpwalk -v 3 -A some_AuThPaSs -X some_privpass -a SHA -x AES -u v3user -l authPriv 192.168.10.128 1

In this case, despite the request for the entire tree starting from 1, the server will return only 1.3.6.1.2.1.2, as set in the configuration.

When migrating from SNMP v1/v2c to SNMPv3 it is also necessary to delete the v1/v2c fragments from the configuration file so that they do not interfere with SNMPv3.

If SNMP is not used for server monitoring, the best solution is to remove the snmpd package.

Cisco IOS does not offer a way to choose the interface on which SNMP is enabled; the restriction is implemented with access lists (access control list, ACL). Suppose access will be allowed from the subnet 10.0.0.0/24. Create an ACL:

(config)#access-list 10 permit 10.0.0.0 0.0.0.255

which is then applied to the corresponding community for SNMP v1/v2c, in this example MaKe_It_SeCuRe with read-only rights:

(config)#snmp-server community MaKe_It_SeCuRe RO 10

Restriction to SNMP OID subtrees is done with a view:

(config)#snmp-server view IFACES 1.3.6.1.2.1.2 included

after which the created view is attached to the community:

(config)#snmp-server community MaKe_It_SeCuRe view IFACES RO 10

In order to use SNMPv3 with the necessary restrictions (authentication and encryption, read-only, access from the subnet 10.0.0.0/24 to the interface subtree specified in the IFACES view), it is necessary to create a group (SECURE) with read-only access to the OIDs from the view IFACES and mandatory authentication with encryption, linking it to the previously created access-list 10:

(config)#snmp-server group SECURE v3 priv read IFACES access 10

then add the user account (v3user) to the group, specifying its passwords for authentication and encryption, as well as the encryption algorithm (in this case AES128):

(config)#snmp-server user v3user SECURE v3 auth sha Strong_Password priv aes 128 Priv_Password

SNMP can be misused to obtain passwords, and leaving the default access parameters is, in terms of security level, comparable to an easy-to-guess password for logging in via SSH. By following the recommendations described in this article, we not only protect our network and servers from attacks, but also prevent our resources from being used to attack others, and reduce the number of reasons for loud headlines in the press such as "Russian hackers attacked...".

Thus, it is possible to protect your server from unauthorized access via SNMP, to reduce the number of DDoS attacks of the SNMP amplification type and to minimize the participation of your segment of the infrastructure in them with the help of the following measures, which do not require additional financial investment:

    Process requests only from the trusted segment of the network. Restrict access by binding the service to a specific interface or with access lists.

    Change the default SNMP community values (public and private) to hard-to-guess ones.

    Restrict the OID subtree available for reading/modification via SNMP.

    Use only SNMPv3 with its additional authentication and encryption parameters.

    Disable the SNMP service and remove its configuration if a decision is made to abandon SNMP completely.

And if every administrator of servers accessible from the Internet does this, the digital world will get a little closer to perfection.

To contribute to the defense against DDoS attacks of this type, it is not at all necessary to buy expensive equipment or services. Any administrator of a server accessible from the Internet can take part in this worthy cause without additional material investment, using only knowledge and a little time.

This is how traffic looks during an SNMP Amplification DDoS attack.

SNMP Amplification DDoS attack

The essence of the attack is to provoke a many-fold larger response to an SNMP request. Designed to automate the retrieval of tabular data while minimizing the number of packets, BULK requests have become an effective tool for conducting DDoS attacks in the hands of attackers. As RFC 3416 says, GetBulkRequest, implemented in SNMP version 2, is intended for requesting a large amount of data, and this is what is used against misconfigured servers on the Internet.

Setting the maximum number of rows returned in the tables to 20000 and sending the request to the address of an incorrectly configured server/device:

$ snmpbulkget -c public -v 2c -C r20000 192.168.10.129 1.3.6.1

returns something like this:

iso.3.6.1.2.1.1.1.0 = STRING: "SNMP4J-Agent Windows 2003 x86 5.2"

<290 lines omitted>

iso.3.6.1.6.3.18.1.1.1.8.123.123.12.123.123.12.12.123.123.12.123.123.12 = No more variables left in this MIB View (It is past the end of the MIB tree)

Running tcpdump at the same time shows the packet sizes:

21:41:18.185058 IP 192.168.10.128.39565 > 192.168.10.129.snmp: GetBulk(25) N=0 M=20000 .iso.org.dod.internet

21:41:18.603553 IP 192.168.10.129.snmp > 192.168.10.128.39565: [len1468<asnlen10102]

In this case the size of the request, including headers, is about 70 bytes, and the response generated by the server is about 10 kilobytes, that is, 150 times larger. The amplification factor is not fixed and can be either larger (up to 1700 times) or smaller, depending on the type of OS and the configuration parameters of the device. If, when forming such a request, the victim's IP address is used as the source address and a high intensity of sending to the vulnerable server is ensured, the DDoS attack is ready.
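The request/response pair that tcpdump prints above can be turned into a detection rule. The following Python snippet is an added example, not from the article: it parses tcpdump lines in the format shown above (the sample lines are constructed), pairs each GetBulk request with its response, and flags a large max-repetitions value, a high response-to-request size ratio and clients outside a trusted network. The 45-byte header allowance is an assumption chosen so that the 25-byte PDU matches the roughly 70-byte request mentioned in the text.

```python
import ipaddress
import re

# Constructed sample lines in the format tcpdump printed above (not a real capture).
SAMPLE_LINES = [
    "21:41:18.185058 IP 192.168.10.128.39565 > 192.168.10.129.snmp: GetBulk(25) N=0 M=20000 .iso.org.dod.internet",
    "21:41:18.603553 IP 192.168.10.129.snmp > 192.168.10.128.39565: [len1468<asnlen10102]",
    "21:41:19.001000 IP 10.0.0.5.51000 > 192.168.10.129.snmp: GetBulk(25) N=0 M=10 .iso.org.dod.internet",
    "21:41:19.002500 IP 192.168.10.129.snmp > 10.0.0.5.51000: GetResponse(590) .iso.org.dod.internet.mgmt",
]

REQ_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\w+) > (?P<dst>[\d.]+)\.snmp: "
                    r"GetBulk\((?P<pdu>\d+)\) N=(?P<n>\d+) M=(?P<m>\d+)")
# tcpdump prints [len..<asnlen..] when the capture is shorter than the ASN.1 length;
# asnlen is then the real response size. Small responses appear as GetResponse(<pdu bytes>).
RESP_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.snmp > (?P<dst>[\d.]+)\.(?P<dport>\w+): "
                     r"(?:\[len\d+<asnlen(?P<asnlen>\d+)\]|GetResponse\((?P<pdu>\d+)\))")
HEADER_OVERHEAD = 45  # assumed IP + UDP + SNMP message header bytes added to the PDU length


def analyse(lines, trusted_nets, max_rep_limit=100, ratio_limit=10):
    """Pair GetBulk requests with responses; return one alert dict per suspicious exchange."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    pending = {}  # (client ip, client port) -> request record awaiting its response
    alerts = []
    for line in lines:
        m = REQ_RE.match(line)
        if m:
            pending[(m["src"], m["sport"])] = {"client": m["src"], "max_rep": int(m["m"]),
                                               "req_bytes": int(m["pdu"]) + HEADER_OVERHEAD}
            continue
        m = RESP_RE.match(line)
        req = pending.pop((m["dst"], m["dport"]), None) if m else None
        if req is None:
            continue
        ratio = (int(m["asnlen"] or m["pdu"]) + HEADER_OVERHEAD) / req["req_bytes"]
        reasons = []
        if req["max_rep"] >= max_rep_limit:
            reasons.append(f"max-repetitions={req['max_rep']}")
        if ratio >= ratio_limit:
            reasons.append(f"amplification x{ratio:.0f}")
        if not any(ipaddress.ip_address(req["client"]) in n for n in nets):
            reasons.append("client outside trusted networks")
        if reasons:
            alerts.append({"client": req["client"], "max_rep": req["max_rep"],
                           "ratio": round(ratio), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LINES, ["10.0.0.0/24"]):
        print(alert)
```

On the sample above only the 20000-row request from 192.168.10.128 is reported, with a ratio of about 145; the small query from the trusted 10.0.0.0/24 network passes.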

Causes of DDoS attacks

The essence of the vulnerability lies, as a rule, not in the number of values returned for a single GetBulkRequest being unlimited, but in the SNMP community strings set by default: public for read-only and, what is worse, private for read-write.

SNMP protocol versions 1 and 2c are based on UDP, are used for monitoring and management, and use the community value as the authentication parameter for access to the managed device; a community can be set either for reading only (read-only) or with write permission (read-write). Most often, when the SNMP service is activated, the default values are left in place: public for read-only and private for read-write.

Now, even if we set aside the possibility of using an incorrectly configured server as a reflector for SNMP amplification attacks, the threat of disclosing information about the server, the firmware installed on it and its version is obvious with the default value public for read-only.

Practically unlimited privileges, up to administrator rights on the device, are granted by the read-write community private. And even if nothing is changed, intensive polling over SNMP can consume a noticeable share of the server's resources, which affects the quality of the services it provides.

Protection against DDoS attacks of the SNMP Amplification type

General recommendations for countering such attacks are BCP38 and RFC2827, described earlier.

  • Architecture: allow processing of requests only on interfaces that are not accessible from untrusted networks.
  • Change the community to a hard-to-guess value.
  • Restrict the IP addresses of the management stations.
  • Restrict the OID subtree available for reading/modification via SNMP.
  • Minimize or abandon the use of read-write communities.
  • Migrate to SNMP version 3 with its additional authentication and encryption parameters.
  • Disable SNMP if it is not used.

How to perform these actions on different systems?

DDoS SNMP Amplification protection for Unix

In the configuration file of the SNMP service, set the following parameter:

# IP address, protocol and port on which SNMP requests are accepted
agentAddress udp:10.0.0.1:161

If the Unix server is in fact a router and has several interfaces, for security SNMP must be made available only on the interface accessible from the trusted segment, and not from the Internet. The community name for access is set by the rocommunity (read-only) or rwcommunity (read-write) parameter; you can also specify the subnet from which access is allowed and the OID subtree available for work with that community.

For example, to allow monitoring systems from the subnet 10.0.0.0/24 access to information about the interfaces (OID 1.3.6.1.2.1.2) using the access string MaKe_It_SeCuRe with read-only rights, the configuration fragment looks like this:

rocommunity MaKe_It_SeCuRe 10.0.0.0/24 .1.3.6.1.2.1.2

If the task is to secure the snmpd service as quickly as possible and its current configuration is in doubt, you can make a backup copy of snmpd.conf, create a new configuration file with access restricted to the subnet of the monitoring systems and change the community. On Debian it will look like this:

# cd <directory with snmpd.conf>

# mv snmpd.conf snmpd.conf.backup

# echo rocommunity MaKe_It_SeCuRe 10.0.0.0/24 > snmpd.conf

# /etc/init.d/snmpd restart

After that, SNMP access to the server from 10.0.0.0/24 will be possible only with the new community, and all servers on which the community has not been changed to the new one will stop receiving responses to their requests, just like attackers.

It is safer to switch to SNMPv3, which allows the use of authentication parameters. In addition, unlike versions 1 and 2c, SNMPv3 makes it possible to encrypt traffic between the monitoring system and the monitored equipment.

To create a user with read rights, authentication and traffic encryption, the following must be added to the configuration file snmpd.conf:

createUser v3user SHA "some_AuThPaSs" AES some_privpass

authuser read v3user authpriv 1.3.6.1.2.1.2

Accordingly, user v3user receives read-only rights to the subtree 1.3.6.1.2.1.2 via SNMP.

You can check the correctness of the configuration after restarting the SNMP service on the server 192.168.10.128 with a command run on the client:

$ snmpwalk -v 3 -A some_AuThPaSs -X some_privpass -a SHA -x AES -u v3user -l authPriv 192.168.10.128 1

In this case, despite the request for the entire tree starting from 1, the server will return only .1.3.6.1.2.1.2, as set in the configuration.

When migrating from SNMPv1/v2c to SNMPv3 it is also necessary to delete the v1/v2c fragments from the configuration file so that they do not interfere with SNMPv3.

If SNMP is not used for server monitoring, the best solution is to remove the snmpd package.
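The snmpd.conf recommendations in this section and in the earlier Unix section (binding agentAddress to one address, no default or read-write communities, a source subnet and OID restriction on every community, and no v1/v2c leftovers once SNMPv3 users exist) can be checked mechanically. The following Python audit is an added example, not part of the article or of Net-SNMP; the three configurations it inspects are constructed, reusing the directives, community name and user shown on the page.

```python
import re

# Constructed snmpd.conf fragments (Net-SNMP syntax) for illustration, not from any real server.
WEAK_CONF = """\
agentAddress udp:161
rocommunity public
rwcommunity private
"""
HARDENED_CONF = """\
agentAddress udp:10.0.0.1:161
createUser v3user SHA "some_AuThPaSs" AES some_privpass
authuser read v3user authpriv 1.3.6.1.2.1.2
"""
# SNMPv3 set up, but the old v2c community line was never removed
MIGRATION_CONF = HARDENED_CONF + "rocommunity MaKe_It_SeCuRe 10.0.0.0/24 .1.3.6.1.2.1.2\n"
DEFAULT_COMMUNITIES = {"public", "private"}


def audit_snmpd_conf(text):
    """Return a list of (directive, problem) tuples; an empty list means no finding."""
    findings, community_lines = [], []
    has_v3_user = bound_to_address = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, *args = line.split()
        if key == "agentAddress":
            for a in args:  # udp:161 or udp:0.0.0.0:161 listen on every interface
                m = re.match(r"udp:(\d+\.\d+\.\d+\.\d+):\d+$", a)
                if m and m.group(1) != "0.0.0.0":
                    bound_to_address = True
        elif key in ("rocommunity", "rwcommunity"):
            community_lines.append(line)
            if args and args[0] in DEFAULT_COMMUNITIES:
                findings.append((line, "default community name"))
            if key == "rwcommunity":
                findings.append((line, "read-write community"))
            if len(args) < 2 or args[1] == "default":  # no SOURCE field
                findings.append((line, "no source network restriction"))
            if len(args) < 3:  # no OID or -V VIEW field
                findings.append((line, "no OID subtree or view restriction"))
        elif key == "createUser":
            has_v3_user = True
    if not bound_to_address:
        findings.append(("agentAddress", "agent not bound to a single trusted address"))
    if has_v3_user and community_lines:
        findings.append((community_lines[0], "v1/v2c community left alongside SNMPv3 users"))
    return findings
```

Running audit_snmpd_conf on the three fragments gives eight findings for the weak file, none for the hardened one, and exactly one for the migration leftover.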

DDoS SNMP Amplification Guard on Cisco Owned

Cisco IOS does not offer a way to choose the interface on which SNMP is enabled; the restriction is implemented with access lists (access control list, ACL). Suppose access will be allowed from the subnet 10.0.0.0/24. Create an ACL:

(config)#access-list 10 permit 10.0.0.0 0.0.0.255

Restriction to SNMP OID subtrees is done with a view:

(config)#snmp-server view IFACES 1.3.6.1.2.1.2 included

In order to use SNMPv3 with the necessary restrictions (authentication and encryption, read-only, access from the subnet 10.0.0.0/24 to the interface subtree specified in the IFACES view), it is necessary to create a group (SECURE) with read-only access to the OIDs from the view IFACES and mandatory authentication with encryption, linking it to the previously created access-list 10:

(config)#snmp-server group SECURE v3 priv read IFACES access 10

Verification that SNMPv3 works with the settings made is carried out with the command

© 2022 androidas.ru - All about Android