[nsp-sec] comcast?
Rob Thomas
robt at cymru.com
Tue Dec 20 22:34:59 EST 2011
Hi again, team.
>> guessing this is more snmp reflective dos... and like CPE/modems
>> bouncing back 'sys.Descr.0' or the like :(
>
> We're working on determining that now.
This is a preliminary analysis that is being sanity checked by our own
John Kristoff. Take this with a grain of salt and any mistakes are my own.
We see the attackers using SNMP v2 and counting on a community string of
"public" (no quotes). Neither is surprising.
I believe they are using SNMP GETBULK to facilitate the attack. You can
read more about SNMP GETBULK here:
<http://www.webnms.com/snmp/help/snmpapi/snmpv3/snmp_operations/snmp_getbulk.html>
"In other words, the SNMP GETBULK operation does a simple GETNEXT
operation for the first N variable bindings in the request and does M
GETNEXT operation (continuous) for each of the remaining R variable
bindings in the request list..."
The packets have a Non-Repeaters (N) value of 0, a variable-bindings (R)
count of 20039, and a Max-Repetitions (R) value of 2250. The end result is, I
believe, a significant and impressive level of amplification.
More as we have it.
Thanks!
Rob.
--
Rob Thomas
Team Cymru
https://www.team-cymru.org/
"Say little and do much." M Avot 1:15
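As an added illustration (not part of Rob's message or any Team Cymru tooling), a small Python decoder for an SNMPv2c GetBulkRequest that pulls out the N, M and R values described above and bounds the number of bindings the response can carry, which is what a collector would log to spot requests shaped like these. The sample packet is constructed for this example, not a capture from the incident.

```python
GETBULK_TAG = 0xA5  # context tag [5], constructed: GetBulkRequest-PDU

def _tlv(buf, pos):
    """Read one BER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _int(value):
    return int.from_bytes(value, "big", signed=True)

def parse_getbulk(packet):
    """Decode an SNMPv2c GetBulkRequest into its N, M and binding count; None otherwise."""
    tag, msg, _ = _tlv(packet, 0)
    if tag != 0x30:  # outer Message SEQUENCE
        return None
    _, version, pos = _tlv(msg, 0)
    _, community, pos = _tlv(msg, pos)
    pdu_tag, pdu, _ = _tlv(msg, pos)
    if pdu_tag != GETBULK_TAG:
        return None
    _, _, pos = _tlv(pdu, 0)            # request-id, not needed here
    _, nr, pos = _tlv(pdu, pos)         # non-repeaters (N)
    _, mr, pos = _tlv(pdu, pos)         # max-repetitions (M)
    _, vbl, _ = _tlv(pdu, pos)          # VarBindList SEQUENCE
    count = pos = 0
    while pos < len(vbl):               # one inner SEQUENCE per binding
        _, _, pos = _tlv(vbl, pos)
        count += 1
    return {"version": _int(version), "community": community.decode("latin-1"),
            "non_repeaters": _int(nr), "max_repetitions": _int(mr), "varbinds": count}

def max_response_varbinds(gb):
    """Bound from the GETBULK definition: N GETNEXTs plus M for each of the R remaining bindings."""
    r = max(gb["varbinds"] - gb["non_repeaters"], 0)
    return gb["non_repeaters"] + gb["max_repetitions"] * r

def is_suspicious(packet, threshold=100):
    """True for a GETBULK against the default community that can return far more than it asks for."""
    gb = parse_getbulk(packet)
    return gb is not None and gb["community"] == "public" and max_response_varbinds(gb) > threshold

# Constructed sample, not a capture: v2c, community "public", request-id 1, N=0, M=2250,
# one binding for sysDescr.0 (1.3.6.1.2.1.1.1.0) with a NULL value.
SAMPLE = bytes.fromhex(
    "3027 020101 0406 7075626c6963 a51a 020101 020100 020208ca"
    "300e 300c 0608 2b06010201010100 0500"
)
```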