[nsp-sec] DNS and SNMP Reflection Attack Hosts
Joel L. Rosenblatt
joel at columbia.edu
Mon Jun 24 13:21:57 EDT 2013
Agree - but the printers are not owned by the University, they are
just plugged into our network - we are just an ISP :-)
Maybe HP and the other manufacturers could be convinced that this is a bad idea.
Joel
Joel Rosenblatt, Director Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
On Mon, Jun 24, 2013 at 1:14 PM, Smith, Donald
<Donald.Smith at centurylink.com> wrote:
> As designed snmp shouldn't be open to the internet with public as the
> community. That is a POOR design.
>
> Same for dns on customers gateways :(
>
>
>
> Having said that ack for ours (Qwest, savvis, embarq, CenturyTel...)
>
>
>
> Would a netflow report showing who is being attacked by these reflectors be
> valuable to the community?
>
>
>
> I may have to do one anyways to get timestamps as date is usually not good
> enough for our abuse staff to notify dyn ip customers:)
>
>
>
>
>
> (coffee != sleep) & (!coffee == sleep)
> Donald.Smith at centurylink.com
> ________________________________
> From: nsp-security [nsp-security-bounces at puck.nether.net] on behalf of Tom
> Paseka [tom at cloudflare.com]
> Sent: Monday, June 24, 2013 10:44 AM
> To: Joel L. Rosenblatt
> Cc: nsp-security at puck.nether.net; Krista Hickey
> Subject: Re: [nsp-sec] DNS and SNMP Reflection Attack Hosts
>
> ----------- nsp-security Confidential --------
>
> Joel,
>
> On Mon, Jun 24, 2013 at 9:39 AM, Joel L. Rosenblatt
> <joel at columbia.edu> wrote:
>
>> ----------- nsp-security Confidential --------
>>
>>
>> Now, my question is - are these machines compromised or are they just
>> acting as designed
>>
>>
> With SNMP reflection - they're acting as designed. Someone is spoofing an
> IP address - then doing a SNMP get against the printers.
>
> You should lock down SNMP access to them.
>
> Cheers,
> Tom
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
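
Added example, not part of the original thread: the kind of netflow report discussed above, grouping UDP responses that leave local DNS/SNMP hosts by destination so each reflection target is listed with byte count, reflectors and first/last timestamps. The CSV column names, the local prefix 192.0.2.0/24 and the sample flows are assumptions constructed for illustration; the report does not separate legitimate responses from reflected ones.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample flow export (not real traffic); RFC 5737 documentation addresses.
SAMPLE_FLOWS = """start,src_ip,src_port,dst_ip,dst_port,proto,bytes
2013-06-24T13:00:05,192.0.2.10,161,203.0.113.7,40112,udp,48200
2013-06-24T13:00:09,192.0.2.11,161,203.0.113.7,51344,udp,51700
2013-06-24T13:02:41,192.0.2.10,161,203.0.113.7,40112,udp,47900
2013-06-24T13:03:00,192.0.2.10,53,198.51.100.20,33001,udp,3900
2013-06-24T13:03:10,192.0.2.12,443,198.51.100.99,50000,tcp,900000
2013-06-24T13:04:00,198.51.100.50,40000,192.0.2.10,161,udp,90
"""

# UDP services named in the thread as reflectors.
REFLECTOR_PORTS = {53: "dns", 161: "snmp"}


def reflection_report(flow_csv, local_net="192.0.2.0/24"):
    """Group UDP responses leaving local reflectors by (destination, service)."""
    net = ipaddress.ip_network(local_net)  # assumed local address space
    report = defaultdict(
        lambda: {"bytes": 0, "reflectors": set(), "first": None, "last": None}
    )
    for row in csv.DictReader(io.StringIO(flow_csv)):
        service = REFLECTOR_PORTS.get(int(row["src_port"]))
        # Keep only responses: UDP, sourced from a local host on a reflector port.
        if row["proto"] != "udp" or service is None:
            continue
        if ipaddress.ip_address(row["src_ip"]) not in net:
            continue
        ts = datetime.fromisoformat(row["start"])
        entry = report[(row["dst_ip"], service)]
        entry["bytes"] += int(row["bytes"])
        entry["reflectors"].add(row["src_ip"])
        # Exact first/last times, since a date alone is too coarse for dynamic IPs.
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return dict(report)


if __name__ == "__main__":
    rows = sorted(reflection_report(SAMPLE_FLOWS).items(), key=lambda kv: -kv[1]["bytes"])
    for (target, service), e in rows:
        print(target, service, e["bytes"], sorted(e["reflectors"]),
              e["first"].isoformat(), e["last"].isoformat())
```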