What is an 'Open SNMP Server'?

Simple Network Management Protocol (SNMP) is a popular protocol for network management. It is used for collecting information from, and configuring, network devices, such as servers, printers, hubs, switches, and routers on an Internet Protocol (IP) network.

Why would this be bad?

An open SNMP server answers queries from any address on the Internet. If it is not correctly configured, it can be used to read privileged information about the system (for example its interface, routing and process tables) and, if the community string grants write access, even to change the system's settings.

Running an SNMP service is not bad in itself; monitoring tools depend on it and it is often installed as a dependency when a system is set up. Unfortunately, because SNMP runs over UDP, which does not verify the source address of a packet, attackers have also found open SNMP servers useful for a special type of DDoS attack called an 'Amplification Attack'.

This is a reflection attack: the attacker sends a packet that appears to come from the intended victim to some server on the Internet that will reply immediately. Because the source IP address is forged, the server sends its reply to the victim instead of to the attacker.

That has two effects: the actual source of the attack is hidden and is very hard to trace, and, if many Internet servers are used, an attack can consist of an overwhelming number of packets hitting a victim from all over the world.

What makes reflection attacks really powerful is when they are also amplified: when a small forged packet elicits a large reply from the server. In that case, an attacker can send a small packet "from" a forged source IP address and have each server send a much larger reply to the victim.

Amplification attacks like that let an attacker turn a small amount of bandwidth from a small number of machines into a massive traffic load hitting a victim from around the Internet. SNMP is a particularly effective amplifier because an SNMPv2c GetBulkRequest of a few dozen bytes can ask the server to return many rows of a table in a single reply.
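To make the mechanism concrete, here is an added example (not from the original page) in Python that encodes the SNMPv2c GetBulkRequest an attacker would spoof and a constructed GetResponse, and compares their sizes. The BER encoder and the response contents are written for this example; the response is synthetic, so the factor it reports illustrates the mechanism rather than measuring any real agent. No packets are sent.

```python
# Added example (not from the original page): builds the kind of SNMPv2c
# GetBulkRequest an attacker spoofs in an amplification attack, plus a
# constructed GetResponse, to show why a tiny request yields a large reply.
# Pure-Python BER encoding, no network I/O.

def ber_length(n):
    """BER length octets: short form below 128, long form above."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    """Tag-Length-Value wrapper."""
    return bytes([tag]) + ber_length(len(payload)) + payload

def ber_int(value):
    """INTEGER (tag 0x02), two's complement, minimal length."""
    size = value.bit_length() // 8 + 1
    return tlv(0x02, value.to_bytes(size, "big", signed=True))

def ber_oid(dotted):
    """OBJECT IDENTIFIER (tag 0x06) with base-128 sub-identifiers."""
    parts = [int(p) for p in dotted.strip(".").split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for sub in parts[2:]:
        enc = [sub & 0x7F]
        sub >>= 7
        while sub:
            enc.append(0x80 | (sub & 0x7F))
            sub >>= 7
        body += bytes(reversed(enc))
    return tlv(0x06, bytes(body))

SEQUENCE, OCTET_STRING, NULL = 0x30, 0x04, b"\x05\x00"
GETBULK_REQUEST, GET_RESPONSE = 0xA5, 0xA2
SNMP_V2C = 1  # value of the version field for SNMPv2c

def getbulk_request(community="public", oid="1.3.6.1.2.1",
                    max_repetitions=50, request_id=1):
    """The spoofed packet: one varbind, max-repetitions asks for up to 50 rows."""
    varbind = tlv(SEQUENCE, ber_oid(oid) + NULL)
    pdu = tlv(GETBULK_REQUEST,
              ber_int(request_id) + ber_int(0) + ber_int(max_repetitions)
              + tlv(SEQUENCE, varbind))
    return tlv(SEQUENCE, ber_int(SNMP_V2C)
               + tlv(OCTET_STRING, community.encode()) + pdu)

def constructed_response(community="public", rows=50, request_id=1):
    """A CONSTRUCTED reply: `rows` varbinds holding a 40-byte sysORDescr-like
    string each. Real agents return whatever the walked subtree holds, so
    real sizes differ; this only shows the shape of the amplification."""
    value = b"Constructed 40-byte sysORDescr value...."
    varbinds = b"".join(
        tlv(SEQUENCE, ber_oid(f"1.3.6.1.2.1.1.9.1.3.{i}")
            + tlv(OCTET_STRING, value))
        for i in range(1, rows + 1))
    pdu = tlv(GET_RESPONSE,
              ber_int(request_id) + ber_int(0) + ber_int(0)
              + tlv(SEQUENCE, varbinds))
    return tlv(SEQUENCE, ber_int(SNMP_V2C)
               + tlv(OCTET_STRING, community.encode()) + pdu)

def amplification_factor(request, response):
    """Bytes the victim receives per byte the attacker sends (UDP payload only)."""
    return len(response) / len(request)

if __name__ == "__main__":
    req = getbulk_request()
    resp = constructed_response()
    print(f"request: {len(req)} bytes  {req.hex()}")
    print(f"constructed response: {len(resp)} bytes, "
          f"factor {amplification_factor(req, resp):.1f}x")
```

The request comes out at 37 bytes regardless of how much data it asks for, because max-repetitions is a single small integer; everything that makes the reply large is on the server side, which is why the fix belongs in the server's configuration and firewall rather than anywhere the attacker can influence.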

Recommended action

Tips to resolve this matter

Windows

Linux

Edit the configuration file of the Net-SNMP daemon (snmpd), which is usually located at: /etc/snmp/snmpd.conf

Change the lines as follows.

Find the following line:

com2sec notConfigUser  default       public

The source 'default' means the community 'public' is accepted from any address. Replace it with the following lines (make sure you replace 192.168.0.0/24 with your own network/subnet). Note that 'public' is the well-known default community string and is the first thing every scanner tries: replace it on both lines with a string of your own and use the same string in your monitoring tool.

com2sec local     localhost           public
com2sec mynetwork 192.168.0.0/24      public

Scroll down a bit and find the following lines:

group   notConfigGroup v1           notConfigUser
group   notConfigGroup v2c          notConfigUser

Replace with (the usm lines refer to SNMPv3 users of those names and are harmless if you have none):

group MyRWGroup v1         local
group MyRWGroup v2c        local
group MyRWGroup usm        local
group MyROGroup v1         mynetwork
group MyROGroup v2c        mynetwork
group MyROGroup usm        mynetwork

Again scroll down a bit and find the following line:

view    systemview     included      system

Replace with:

view all    included  .1                               80

This widens the view from the 'system' subtree to the whole MIB tree (.1). If your monitoring only needs basic host information, you can keep the 'systemview' line instead and use 'systemview' in place of 'all' in the access lines below.

Again scroll down a bit and find the following line:

access  notConfigGroup ""      any       noauth    exact  systemview none none

Replace with:

access MyROGroup ""      any       noauth    exact  all    none   none
access MyRWGroup ""      any       noauth    exact  all    all    none

The seventh and eighth fields are the read and write views. Only MyRWGroup, which the com2sec line above limits to localhost, gets a write view; hosts in your subnet get read-only access.

Scroll down a bit and find the following lines:

syslocation Unknown (edit /etc/snmp/snmpd.conf)
syscontact Root  (configure /etc/snmp/snmp.local.conf)

Replace with appropriate values, for example:

syslocation Linux (RH3_UP2), Home Linux Router.
syscontact YourNameHere <you@example.com>

Restart the snmpd service and test it: a query with your community string (for example an snmpwalk of the system subtree) from a host inside your subnet should succeed, and the same query from any other address should get no reply at all. Regardless of the snmpd configuration, UDP port 161 should also be blocked from the Internet at the host or network firewall, so that the server cannot be used as a reflector even if the configuration is later changed.
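As an added check that is not part of the original page, the following Python script audits an snmpd.conf for the settings that make a server 'open': a com2sec, rocommunity or rwcommunity directive whose source is 'default' (any address), the well-known communities 'public' and 'private', and write access reachable from a non-local source. The directive syntax it parses follows snmpd.conf(5); the sample configurations are constructed for the example (the first two mirror the stock and the edited file from the procedure above), and the -Cn context option and other VACM directives are ignored.

```python
# Added example (not from the original page): audit an snmpd.conf (Net-SNMP
# syntax) for the settings behind an "open SNMP server". Only com2sec,
# rocommunity/rwcommunity, group and access directives are examined.

WELL_KNOWN_COMMUNITIES = {"public", "private"}
LOCAL_SOURCES = {"localhost", "127.0.0.1", "127.0.0.1/32", "::1", "::1/128"}

def _tokens(line):
    """Strip a trailing comment and split on whitespace ([] for blank lines).
    Community strings containing '#' are not supported by this simple parser."""
    return line.split("#", 1)[0].split()

def audit_snmpd_conf(text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    source_of = {}    # security name -> source, from com2sec
    members_of = {}   # group name -> set of security names, from group
    for line in text.splitlines():
        f = _tokens(line)
        if not f:
            continue
        kw = f[0].lower()
        if kw == "com2sec" and len(f) >= 4:
            # com2sec SECNAME SOURCE COMMUNITY
            secname, source, community = f[1], f[2], f[3]
            source_of[secname] = source
            if source == "default":
                findings.append(f"com2sec {secname}: source 'default' answers community "
                                f"'{community}' from any address")
            if community in WELL_KNOWN_COMMUNITIES:
                findings.append(f"com2sec {secname}: well-known community '{community}'")
        elif kw in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6") and len(f) >= 2:
            # rocommunity COMMUNITY [SOURCE [OID | -V VIEW]]; a missing SOURCE means any address
            community = f[1]
            source = f[2] if len(f) >= 3 and not f[2].startswith("-") else "default"
            if source == "default":
                findings.append(f"{kw} '{community}': no source restriction")
            if community in WELL_KNOWN_COMMUNITIES:
                findings.append(f"{kw}: well-known community '{community}'")
            if kw.startswith("rw") and source not in LOCAL_SOURCES:
                findings.append(f"{kw} '{community}': write access from source '{source}'")
        elif kw == "group" and len(f) >= 4:
            # group GROUP MODEL SECNAME
            members_of.setdefault(f[1], set()).add(f[3])
        elif kw == "access" and len(f) >= 9:
            # access GROUP CONTEXT MODEL LEVEL PREFIX READVIEW WRITEVIEW NOTIFYVIEW
            group, write_view = f[1], f[7]
            if write_view != "none":
                for secname in sorted(members_of.get(group, ())):
                    source = source_of.get(secname)
                    if source is not None and source not in LOCAL_SOURCES:
                        findings.append(f"access {group}: write view '{write_view}' reachable "
                                        f"from source '{source}' via '{secname}'")
    return findings

# Constructed sample configurations for this example.
STOCK_CONF = """
com2sec notConfigUser  default       public
group   notConfigGroup v1           notConfigUser
group   notConfigGroup v2c          notConfigUser
view    systemview     included      system
access  notConfigGroup ""      any       noauth    exact  systemview none none
"""

EDITED_CONF = """
com2sec local     localhost           public
com2sec mynetwork 192.168.0.0/24      public
group MyRWGroup v1   local
group MyRWGroup v2c  local
group MyROGroup v1   mynetwork
group MyROGroup v2c  mynetwork
view all included .1 80
access MyROGroup "" any noauth exact all none none
access MyRWGroup "" any noauth exact all all  none
"""

SHORTHAND_CONF = """
# a write community handed to a whole /24 is flagged twice
rwcommunity private 192.168.0.0/24
rocommunity s3cretRO 10.0.0.0/8 -V systemonly
"""

if __name__ == "__main__":
    for name, conf in (("stock", STOCK_CONF), ("edited", EDITED_CONF), ("shorthand", SHORTHAND_CONF)):
        print(f"== {name} ==")
        for finding in audit_snmpd_conf(conf) or ["nothing flagged"]:
            print("  " + finding)
```

Run against the stock file it flags the 'default' source and the 'public' community; run against the edited file it no longer flags an open source, but still reports 'public' twice, which is the reason the community string should be changed along with the source restriction.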

Getting more information