[nsp-sec] DNS and SNMP Reflection Attack Hosts
Smith, Donald
Donald.Smith at CenturyLink.com
Mon Jun 24 13:14:06 EDT 2013
As designed, SNMP shouldn't be open to the internet with public as the community. That is a POOR design.
Same for DNS on customers' gateways :(
Having said that, ack for ours (Qwest, Savvis, Embarq, CenturyTel...)
Would a netflow report showing who is being attacked by these reflectors be valuable to the community?
I may have to do one anyways to get timestamps, as date is usually not good enough for our abuse staff to notify dyn IP customers :)
(coffee != sleep) & (!coffee == sleep)
Donald.Smith at centurylink.com
________________________________
From: nsp-security [nsp-security-bounces at puck.nether.net] on behalf of Tom Paseka [tom at cloudflare.com]
Sent: Monday, June 24, 2013 10:44 AM
To: Joel L. Rosenblatt
Cc: nsp-security at puck.nether.net; Krista Hickey
Subject: Re: [nsp-sec] DNS and SNMP Reflection Attack Hosts
----------- nsp-security Confidential --------
Joel,
On Mon, Jun 24, 2013 at 9:39 AM, Joel L. Rosenblatt <joel at columbia.edu> wrote:
> ----------- nsp-security Confidential --------
>
>
> Now, my question is - are these machines compromised or are they just
> acting as designed
>
>
With SNMP reflection - they're acting as designed. Someone is spoofing an
IP address - then doing an SNMP get against the printers.
You should lock down SNMP access to them.
Cheers,
Tom
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
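
The kind of netflow report raised in this thread, sketched as an added example that is not code from any of the posters: it groups UDP flows sourced from port 53 or 161 by destination (the likely victim) and keeps first/last-seen timestamps per reflector for abuse notification. The CSV layout, the thresholds and the sample records (documentation-range addresses) are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample flow export (not real data): epoch start, src, sport, dst, dport, proto, bytes.
# All addresses come from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = """\
ts,src,sport,dst,dport,proto,bytes
1372079040,192.0.2.10,161,203.0.113.5,41022,17,61440
1372079042,192.0.2.11,161,203.0.113.5,41022,17,58880
1372079045,192.0.2.10,53,203.0.113.5,80,17,40960
1372079050,192.0.2.12,161,203.0.113.5,17301,17,60416
1372079055,192.0.2.10,161,198.51.100.7,5060,17,900
1372079060,192.0.2.20,443,203.0.113.5,51515,6,120000
"""

REFLECTOR_PORTS = {53, 161}  # UDP source ports of reflected DNS / SNMP replies

def reflection_report(flow_csv, min_reflectors=2, min_bytes=100_000):
    """Group UDP flows sourced from port 53/161 by destination (the likely victim)."""
    victims = defaultdict(lambda: {"bytes": 0, "reflectors": {}})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if int(row["proto"]) != 17 or int(row["sport"]) not in REFLECTOR_PORTS:
            continue
        ts = int(row["ts"])
        v = victims[row["dst"]]
        v["bytes"] += int(row["bytes"])
        # Keep first/last seen per reflector so abuse staff can map a dynamic IP to a customer.
        first, last = v["reflectors"].get(row["src"], (ts, ts))
        v["reflectors"][row["src"]] = (min(first, ts), max(last, ts))
    # Thresholds (assumed values) drop ordinary DNS/SNMP replies going to a single client.
    return {
        dst: v for dst, v in victims.items()
        if len(v["reflectors"]) >= min_reflectors and v["bytes"] >= min_bytes
    }

def iso(ts):
    """Render an epoch timestamp as UTC with seconds precision."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

if __name__ == "__main__":
    for dst, v in reflection_report(SAMPLE_FLOWS).items():
        print(f"victim {dst}: {v['bytes']} bytes from {len(v['reflectors'])} reflectors")
        for src, (first, last) in sorted(v["reflectors"].items()):
            print(f"  reflector {src} first={iso(first)} last={iso(last)}")
```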