CERT-Bund-Reports

Openly accessible SNMP servers

The Simple Network Management Protocol (SNMP) is a networking protocol for device management and monitoring.

Problem

Openly accessible SNMP servers using the default 'public' community can be abused for DDoS reflection attacks against third parties. Furthermore, they allow potential attackers to gather information about the server or network in preparation for further attacks.

Verification

In this section, we show how to check a host for an openly accessible service. All tests are performed using tools commonly included with standard Linux/Unix distributions. To verify the service is openly accessible from the Internet, the test should not be run on the host itself or the local network but instead from a different node on the Internet, for example a host on a cable/DSL line. In all examples, replace 192.168.45.67 with the IP address of the host to check.

To check if an SNMP server is openly accessible from the Internet, you can use the 'snmpget' tool:

$ snmpget -c public -v 2c 192.168.45.67 1.3.6.1.2.1.1.1.0

An openly accessible SNMP server will return a 'System Description' string like this:

iso.3.6.1.2.1.1.1.0 = STRING: "Linux easy.box 2.6.32.32 #1 Fri Jun 12 11:16:35 CST 2015 mips"

Otherwise, snmpget times out:

Timeout: No Response from 192.168.45.67.
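The snmpget check above, reimplemented as an added example (not CERT-Bund's or net-snmp's code): it builds the same SNMPv2c GetRequest for sysDescr.0 byte by byte and decodes the GetResponse, so the check can also be run from a node where net-snmp is not installed. The helper names (tlv, ber_int, ber_oid, build_get_request, read_tlv, sys_descr_from_response) are my own.

```python
"""SNMPv2c GetRequest/GetResponse for sysDescr.0 with a hand-rolled BER codec (added example)."""

SYS_DESCR_OID = "1.3.6.1.2.1.1.1.0"   # sysDescr.0, the OID the page queries with snmpget

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag, len(content)]) + content   # short-form length; the request is < 128 bytes

def ber_int(v: int) -> bytes:
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def ber_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])    # first two arcs share one byte
    for arc in arcs[2:]:                         # remaining arcs: base 128, high bit = "more"
        chunk = bytearray([arc & 0x7F])
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += chunk
    return tlv(0x06, bytes(out))

def build_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    varbind = tlv(0x30, ber_oid(oid) + b"\x05\x00")                          # name + NULL value
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)     # version 1 = v2c

def read_tlv(buf: bytes, pos: int = 0):
    """Decode one TLV at pos (short- or long-form length) -> (tag, content, next pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                        # long form: 0x8n, then n length bytes
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return tag, buf[pos:pos + length], pos + length

def sys_descr_from_response(packet: bytes) -> str:
    """Walk Message > GetResponse PDU > first varbind and return its value as text."""
    _, msg, _ = read_tlv(packet)
    _, _, pos = read_tlv(msg)                                # version
    _, _, pos = read_tlv(msg, pos)                           # community
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    if pdu_tag != 0xA2:                                      # 0xA2 = GetResponse
        raise ValueError("not a GetResponse PDU")
    pos = 0
    for _ in range(3):                                       # request-id, error-status, error-index
        _, _, pos = read_tlv(pdu, pos)
    _, vbl, _ = read_tlv(pdu, pos)
    _, vb, _ = read_tlv(vbl)
    _, _, pos = read_tlv(vb)                                 # the varbind's OID
    vtag, value, _ = read_tlv(vb, pos)
    return value.decode("utf-8", "replace") if vtag == 0x04 else value.hex()
```

To run the page's check, send build_get_request("public", SYS_DESCR_OID) from a UDP socket with a timeout to port 161 of the host: a datagram coming back is the openly accessible case (pass it to sys_descr_from_response to read the description), a socket.timeout is the closed case.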

Solution

Instead of the default 'public' community, configure a non-default ('private') community with mandatory authentication. Restrict access to the SNMP server to trusted clients in the server's configuration and/or by blocking incoming traffic to port 161/udp on the firewall.

Further information

Wikipedia: Simple Network Management Protocol