Full Disclosure mailing list archives

Re: SNMP Broadcasts (fwd)
From: "J.A. Terranson" <measl () mfn org>
Date: Wed, 14 Jul 2004 11:55:24 -0500 (CDT)


On Wed, 14 Jul 2004, Mohit Muthanna wrote:

Subject: [Full-disclosure] SNMP Broadcasts

SNMP doesn't "broadcast"

Sure it does. Most older "default" SNMP devices broadcast traps. This
is so that any SNMP manager on the network can collect the traps for a
specified SNMP community. This is also so that the SNMP enabled device
can just be placed on the network and managed without any special
configuration.

I have never seen such behaviour, even having worked with some incredibly
old gear.  Nevertheless, a quick google shows that this does occur
(interestingly, all the references I found were for newer, rather than
older, devices).

Point acknowledged and conceded - I was wrong on this point.


Newer SNMP agents let you specify a management host to send traps to.

*All* agents should let you so specify.

Broadcasts, I have sent complaints to my ISP and the ISP of the originating
IP.

And both are likely laughing their asses off right about now.

Why?

Because he clearly states above that this traffic is *not* originating
locally ("my ISP and the ISP of the originating").  This being SNMP
traffic, ostensibly sent to a broadcast address, it is not going to
traverse the intermediary routers.

Depending on how the service provider configures the network and
assigns IP addresses to customers, the switch can easily forward
broadcast packets to all hosts on the subnetwork.

Within the same provider, *maybe*.  Not very likely, but at least
*theoretically* possible.  But this is not the case, as seen above.

This includes
Windows LM broadcasts, SNMP broadcasts, or just any packet destined to
a broadcast address. Have you noticed that for certain service
providers, you can browse the windows/samba shares on your neighbours
machine?

No, I haven't.  But then I'm spoiled too: I've been on dedicated lines
since '97 :-)


The attacking IP must have some sort of worm or automated script to go
through all the port numbers as his remote port starts at 60001 and goes up
to 64087 but it hits my local ports 1-highest port # (65535) if I let my
logs record that much.

You're (BillyBob) being port scanned.

Precisely!  This is not, repeat not "being bombarded with SNMP".  Nor is
it traffic to a broadcast address.

Not much you can do to stop the
portscans.

Like hell there isn't.  F-I-R-E-W-A-L-L.


SNMP goes to ports 161 and 162, *only*.

No... those are just the default ports for the stock agents. Sysedge
(for example) uses 1691 for Get/Set requests.

This is not, *technically* SNMP, as it is not using its assigned ports.
This is a variant, and interestingly, that port is assigned to

        empire-empuma   1691/tcp    empire-empuma
        empire-empuma   1691/udp    empire-empuma

Unless Sysedge is the descendant of "empire-empuma", it doesn't belong
there either.

Could this be some kind of SNMP DoS as I get several/second ?

I'll tell you what it could (likely) be:

- An unconfigured SNMP agent on the network (on a Linux or Windows box maybe).

More specific: a misconfigured agent on the LOCAL network segment.


- Your service provider's actual switch is misconfigured.

Not at all likely.


I haven't heard of SNMP DoS's but hey... anything's possible.

I have, and have seen them, but that's not relevant here, as this guy's
entire post made obvious that SNMP was not involved.


I know I shouldn't be asking this, but...  Do you know how to use
Ethereal?

Good Call. It'll answer most of your questions.

Unfortunately, the odds of this kind of newbie being able to successfully
utilize it are slim.  Still, if he is going to ask for help with odd
packets, he must be able to document them, and this is the standard way to
do so.

-- 
Yours,

J.A. Terranson
sysadmin () mfn org

  "...justice is a duty towards those whom you love and those whom you do
  not.  And people's rights will not be harmed if the opponent speaks out
  about them."      Osama Bin Laden
        - - -

  "There aught to be limits to freedom!"    George Bush
        - - -

Which one scares you more?

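As an added illustration of the distinction this reply draws (SNMP goes to its assigned ports 161/162, a subnet broadcast cannot arrive from beyond the local router, and one source walking through a host's ports is a port scan, not SNMP), here is example code that is not from the original post or thread; the log format, the addresses, and the scan threshold are assumptions.

```python
import re
import ipaddress
from collections import defaultdict
# Constructed sample log lines (not from the original post): "PROTO src:sport -> dst:dport".
SAMPLE_LOG = """\
UDP 203.0.113.9:60001 -> 192.168.1.5:1
UDP 203.0.113.9:60002 -> 192.168.1.5:2
UDP 203.0.113.9:60003 -> 192.168.1.5:3
UDP 203.0.113.9:60004 -> 192.168.1.5:4
UDP 203.0.113.9:60005 -> 192.168.1.5:5
UDP 192.168.1.20:1030 -> 192.168.1.255:162
UDP 192.168.1.20:1031 -> 192.168.1.255:162
UDP 192.168.1.50:2000 -> 192.168.1.5:161
"""

LINE_RE = re.compile(r"^(\w+) (\S+):(\d+) -> (\S+):(\d+)$")
SNMP_PORTS = {161, 162}  # the assigned SNMP (get/set) and SNMP-trap ports

def parse_log(text):
    """Yield (proto, src, sport, dst, dport) per well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            proto, src, sport, dst, dport = m.groups()
            yield proto, src, int(sport), dst, int(dport)

def classify_sources(text, local_net, scan_threshold=5):
    """Label each source: snmp-unicast, snmp-broadcast-trap, snmp-broadcast-offlink, port-scan, other."""
    net = ipaddress.ip_network(local_net)  # assumed local segment, e.g. 192.168.1.0/24
    ports, dsts = defaultdict(set), defaultdict(set)
    for _, src, _, dst, dport in parse_log(text):
        ports[src].add(dport)
        dsts[src].add(ipaddress.ip_address(dst))
    labels = {}
    for src in ports:
        to_broadcast = net.broadcast_address in dsts[src]
        if ports[src] <= SNMP_PORTS:
            if not to_broadcast:
                labels[src] = "snmp-unicast"
            elif ipaddress.ip_address(src) in net:
                labels[src] = "snmp-broadcast-trap"
            else:
                # Routers do not forward subnet broadcasts, so an off-link source
                # hitting the broadcast address is spoofed or mislogged, not a real trap.
                labels[src] = "snmp-broadcast-offlink"
        elif len(ports[src]) >= scan_threshold:
            labels[src] = "port-scan"  # one source sweeping many destination ports
        else:
            labels[src] = "other"
    return labels
```

Running `classify_sources(SAMPLE_LOG, "192.168.1.0/24")` labels the off-link sweep of ports 1 to 5 as a port scan and the on-link traffic to port 162 at the subnet broadcast address as broadcast traps.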
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

