
Spike in brute-force attacks targeting easily guessed writable SNMP communities

Good day to all,

At work, I have been faced with an interesting surge in network activity on the Internet in recent days. I work in Cisco TAC, hence this article.
Namely, someone on the Internet has launched a global scan of network devices for easily guessed SNMP communities and, when successful, erases the routing table on the device.
Obviously, this causes the device (most often a border router) to suddenly stop working correctly, and an excessive number of technical support cases get opened.
Of course, Cisco, as always, recommends monitoring SNMP carefully, especially the community names that grant write access, using access lists, and remembering that a community string is nothing more than a password, so it really has to be complex.

However, this attack brought several striking points to light:
- the attack vector itself, aimed at such a target, offers unlimited possibilities for controlling devices and is obviously easy to execute
- what makes it worse is that IOS devices do not log configuration changes made via SNMP, so the cause of the problems is completely unclear. This behavior will be corrected, and a bug has already been filed.

I would also like to emphasize that there is absolutely no need to be indignant and write that only an amateur would leave an SNMP community open to the outside; the author himself is aware of that. But, dear friends, you would be surprised at how big, important and professional the people who suffered and continue to suffer are, and how many of them there turned out to be.
When hundreds of devices have to be administered, something can be missed, so it doesn't hurt to check again, and this may also help someone understand what recently happened to their expensive and powerful border equipment.
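One way to run that check across saved configurations, as an added example (not from the original article or from Cisco): the script parses `snmp-server community` lines from an IOS configuration and flags strings that are guessable or not restricted by an access list, listing writable ones first. The sample configuration, the word list and the 12-character minimum are constructed assumptions.

```python
import re

# Constructed sample configuration (not taken from any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
snmp-server community public RO
snmp-server community private RW
snmp-server community n0c-Wr1te-7Kq2xV9 RW 99
snmp-server community M0n!tor-ReadOnly-55 view MGMT RO SNMP-MGMT
access-list 99 permit 192.0.2.10
"""

# Assumed local policy: a short word list and a minimum length.
GUESSABLE = {"public", "private", "cisco", "admin", "snmp", "secret"}
MIN_LENGTH = 12
COMMUNITY_RE = re.compile(r"^\s*snmp-server community (\S+)(.*)$", re.I)

def parse_communities(config):
    """Yield (name, mode, ipv4_acl) for each snmp-server community line."""
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        name, tokens = m.group(1), m.group(2).split()
        mode, acl, i = "RO", None, 0  # IOS defaults to read-only
        while i < len(tokens):
            tok = tokens[i].lower()
            if tok in ("ro", "rw"):
                mode = tok.upper()
            elif tok in ("view", "ipv6"):
                i += 1  # skip the view name / IPv6 ACL name that follows
            else:
                acl = tokens[i]  # standard ACL number or name (IPv4)
            i += 1
        yield name, mode, acl

def audit(config):
    """Return [(community, mode, [findings])], writable communities first."""
    report = []
    for name, mode, acl in parse_communities(config):
        findings = []
        if name.lower() in GUESSABLE or len(name) < MIN_LENGTH:
            findings.append("guessable or short community string")
        if acl is None:
            findings.append("no access list restricts who may use it")
        if findings:
            report.append((name, mode, findings))
    return sorted(report, key=lambda r: r[1] != "RW")

if __name__ == "__main__":
    for name, mode, findings in audit(SAMPLE_CONFIG):
        print(f"{mode} community {name!r}: " + "; ".join(findings))
```
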
Original on the Cisco blog:
blogs.cisco.com/security/snmp-spike-in-brute-force-attempts-recently-observed

Source: https://habr.com/ru/post/226993/

