Message-ID: <20040714115508.I16982@ubzr.zsa.bet>
From: measl at mfn.org (J.A. Terranson)
Subject: SNMP Broadcasts (fwd)

On Wed, 14 Jul 2004, Mohit Muthanna wrote:

> > > Subject: [Full-Disclosure] SNMP Broadcasts
> >
> > SNMP doesn't "broadcast"
>
> Sure it does. Most older "default" SNMP devices broadcast traps. This
> is so that any SNMP manager on the network can collect the traps for a
> specified SNMP community. This is also so that the SNMP enabled device
> can just be placed on the network and managed without any special
> configuration.

I have never seen such behaviour, even having worked with some incredibly
old gear.  Nevertheless, a quick google shows that this does occur
(interestingly, all the references I found were for newer, rather than
older, devices).

Point acknowledged and conceded - I was wrong on this point.


> Newer SNMP agents let you specify a management host to send traps to.

*All* agents should let you so specify.

> > > Broadcasts, I have sent complaints to my ISP and the ISP of the originating
> > > IP.
> >
> > And both are likely laughing their asses off right about now.
>
> Why?

Because he clearly states above that this traffic is *not* originating
locally ("my ISP and the ISP of the originating").  This being SNMP
traffic, ostensibly sent to a broadcast address, it is not going to
traverse the intermediary routers.

> Depending on how the service provider configures the network and
> assigns IP addresses to customers, the switch can easily forward
> broadcast packets to all hosts on the subnetwork.

Within the same provider, *maybe*.  Not very likely, but at least
*theoretically* possible.  But this is not the case, as seen above.

> This includes
> Windows LM broadcasts, SNMP broadcasts, or just any packet destined to
> a broadcast address. Have you noticed that for certain service
> providers, you can browse the windows/samba shares on your neighbours
> machine?

No, I haven't.  But then I'm spoiled too: I've been on dedicated lines
since '97 :-)


> > > The attacking IP must have some sort of worm or automated script to go
> > > through all the port numbers as his remote port starts at 60001 and goes up
> > > to 64087 but it hits my local ports 1-highest port # (65535) if I let my
> > > logs record that much.
>
> You're (BillyBob) being port scanned.

Precisely!  This is not, repeat not "being bombarded with SNMP".  Nor is
it traffic to a broadcast address.

> Not much you can do to stop the
> portscans.

Like hell there isn't.  F-I-R-E-W-A-L-L.


> > SNMP goes to ports 161 and 162, *only*.
>
> No... those are just the default ports for the stock agents. Sysedge
> (for example) uses 1691 for Get/Set requests.

This is not, *technically*, SNMP, as it is not using its assigned ports.
This is a variant, and interestingly, that port is assigned to

	empire-empuma   1691/tcp    empire-empuma
	empire-empuma   1691/udp    empire-empuma

Unless Sysedge is the descendant of "empire-empuma", it doesn't belong
there either.

> > > Could this be some kind of SNMP DoS as I get several/second ?
>
> I'll tell you what it could (likely) be:
>
> - An unconfigured SNMP agent on the network (on a Linux or Windows box maybe).

More specific: a misconfigured agent on the LOCAL network segment.


> - Your service providers actual switch is misconfigured.

Not at all likely.


> I haven't heard of SNMP DoS's but hey... anything's possible.

I have, and have seen them, but that's not relevant here, as this guy's
entire post made obvious that SNMP was not involved.


> > I know I shouldn't be asking this, but...  Do you know how to use
> > Ethereal?
>
> Good Call. It'll answer most of your questions.

Unfortunately, the odds of this kind of newbie being able to successfully
utilize it are slim.  Still, if he is going to ask for help with odd
packets, he must be able to document them, and this is the standard way to
do so.

-- 
Yours,

J.A. Terranson
sysadmin@....org

  "...justice is a duty towards those whom you love and those whom you do
  not.  And people's rights will not be harmed if the opponent speaks out
  about them."      Osama Bin Laden
	- - -

  "There ought to be limits to freedom!"    George Bush
	- - -

Which one scares you more?
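
As an added example (not part of this thread or of any poster's message), a small Python classifier that applies the distinctions drawn above to constructed firewall-style log lines: one source hitting many destination ports is a port scan regardless of its source ports, UDP to 161/162 is SNMP on its assigned ports, and a broadcast destination is only credible from a source on the same segment. The log line shape, the local subnet and the scan threshold are assumptions of this example.

```python
"""Separate a port scan from SNMP and broadcast traffic in firewall-style log lines."""
from collections import defaultdict
import ipaddress
import re

# Line shape assumed by this example: "PROTO src:sport -> dst:dport"
LINE_RE = re.compile(r"^(?P<proto>TCP|UDP)\s+(?P<src>[\d.]+):(?P<sport>\d+)"
                     r"\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$")

# Constructed sample (not from the original post): one remote host walking
# destination ports from rising high source ports, one local agent sending
# a trap to the subnet broadcast address, one ordinary unicast trap.
SAMPLE_LOG = "\n".join(
    [f"TCP 203.0.113.5:{60001 + i} -> 192.168.1.10:{1 + i}" for i in range(12)]
    + ["UDP 192.168.1.20:1025 -> 192.168.1.255:162",
       "UDP 192.168.1.21:1026 -> 192.168.1.10:162"])

def parse(log_text):
    """Parse matching lines into (proto, src, sport, dst, dport) tuples."""
    flows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            flows.append((m["proto"], m["src"], int(m["sport"]),
                          m["dst"], int(m["dport"])))
    return flows

def classify(flows, local_net="192.168.1.0/24", scan_threshold=10):
    """Return {src: verdict}: many distinct destination ports from one
    source is a scan; UDP to 161/162 is SNMP; a broadcast destination is
    only plausible from a same-segment source (routers do not forward it)."""
    net = ipaddress.ip_network(local_net)
    by_src = defaultdict(list)
    for f in flows:
        by_src[f[1]].append(f)
    verdicts = {}
    for src, fl in by_src.items():
        if len({f[4] for f in fl}) >= scan_threshold:
            verdicts[src] = "port scan"
        elif all(f[0] == "UDP" and f[4] in (161, 162) for f in fl):
            to_bcast = any(ipaddress.ip_address(f[3]) == net.broadcast_address
                           for f in fl)
            if to_bcast and ipaddress.ip_address(src) not in net:
                verdicts[src] = "implausible: broadcast from off-segment source"
            else:
                verdicts[src] = "snmp broadcast" if to_bcast else "snmp unicast"
        else:
            verdicts[src] = "other"
    return verdicts
```

Running `classify(parse(SAMPLE_LOG))` labels the remote host as a port scan and the two local agents as SNMP broadcast and SNMP unicast; a 161/162 datagram to the broadcast address from an off-segment source is flagged as implausible, which is the point to check against a packet capture before complaining to anyone's ISP.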

