Too many organizations are ignoring the risk of SNMP abuse and leaving their SNMP ports open to the world. Simple Network Manage Protocol (SNMP) is one of our core networking building blocks. We – the community who build and run networks – use all types of networks. It is a powerful tool for monitoring, managing, and controlling devices. Yet, SNMP’s security is an afterthought, allowing risk that endangers the organization. We’ll focus on deploying Multi-Factor Authentication (MFA) while leaving the devices that manage the MFA with open and exploitable SNMP ports. 🙀
The many SNMP Security Risk
SNMP is a simple way for a threat actor to map and understand the risk. SNMP exposure on simple terms for the targeted network makes it easier for the attacker to understand and target resources. In the worst case, the attacker can gain access and use SNMP to map out the whole network, gain insight into lateral movement targets and gain control over the device.
SNMP is a gold mine for the miscreant who learns how to leverage it. Shadowserver’s long-term measurement of the SNMP Risk has millions of devices open to exploitation.
It is understandable to find both Russian Threat Actors (see the US NSA’s warning) and Chinese Threat Actors (see CISA’s warning) leveraging network security weakness to get into backbones. Here are some of the common exploitation of SNMP
- Direct Attack on the device. If SNMP is open to the Internet, the device is open to a direct DDoS attack. A low-level DDoS attack that is just enough to overload the device’s route processor will be as effective as a colossal bandwidth-intensive volumetric attack.
- Intelligence and Information Gathering. If SNMP is open to the Internet, then an SNMP probe can do an SNMP walk, explore the accessible MIBs, and then use this exposure to penetrate the network. All the device’s documentation is public, allowing the miscreant to examine the devices.
- Penetration into the network. SNMP is a powerful network intelligence tool. That is why SNMP was created, to provide detailed intelligence and management capabilities across the network. There are old-school penetration testing scripts that still work to use SNMP to find the details into other devices, then work laterally through the network. Some of these go back to 2600 Magazine articles from the mid-1990s. If these old SNMP penetration techniques worked in the ‘90, then they will still work today.
- Open SNMP is an Indicator of poor network security hygiene. Poor security hygiene means the rest of the network is an easier target. Be afraid if someone scans a network and finds SNMP available on the Internet. Internist exposed SNMP is an indication that the network’s administrators are not securing that network. Open SNMP is an indicator for the miscreant to continue to dig. Unsecured SNMP is an invitation to lots of other network exposures.
- DDoS Reflection. SNMP is an x6 DDoS amplification factor. One SNMP packet into the network will generate 6 packets out. So yes, SNMP is a DDoS security risk. But, we don’t see SNMP used in many DDoS reflection attacks. Why? Because it alerts the organization that their SNMP is exposed. Exposed SNMP is better leveraged to penetrate the network.
Monitoring the SNMP Risk to your Organization
Every organization should have scanning tools to ensure all your SNMP access complies with your security policy. The reality is that the vast majority of organizations do not have this scanning in place. Luckily, Shadowserver.org’s Daily Network Reports include scanning of your ASN, IPs, and Domains in the Open SNMP Report. This daily report identifies hosts with an openly accessible SNMP service running. It’s a Service Scan and is updated every 24 hours. You get a report that looks like the following:
This is an example where the vulnerable IPs and the hostnames are blocked out. Notice that system description details list out the software version. A threat actor can quickly look up the software version, find the appropriate vulnerability, and plan the attack.
Shadowserver’s Open SNMP Report probes the SNMP OID 188.8.131.52.184.108.40.206.0 (sysDescr) and if the host responds to that probe, the host is then probed for OID 220.127.116.11.18.104.22.168.0 (sysName). The analogous shell commands would be:
snmpget -c public -v 2c [ip] 22.214.171.124.126.96.36.199.0
snmpget -c public -v 2c [ip] 188.8.131.52.184.108.40.206.0
Shadowserver makes it easier for the organization, using the vast geomapping resources to locate the likely region, city, the SNMP version number, and other details.
How do you get these Daily Reports?
Shadowserver’s daily reports are the “first step” for any organization that is looking to minimize the risk to their attack surface. Think of their public benefit service as the first attack surface reporting. These reports are free to any organization who signs up @ Shadowserver: https://www.shadowserver.org/what-we-do/network-reporting/get-reports/
There is no gimmick, no “freemium,” and no gotchas. The Shadowserver Foundation is a nonprofit security organization working altruistically behind the scenes to make the Internet more secure for everyone.
Shadowserver has the reports delivered via Email or APIs (see Shadowserver API Documentation). The API option allows organizations to automate the Shadowserver Daily reports into the organization’s Key Performance Indicators (KPIs) for SNMP Security hygiene. If SNMP opens up because of a network change, the missed access list, it will show up in the Shadowserver Daily Reports. The APIs would alert, and the organization can detect and close up the exposure.
SNMP’s design does not help secure the devices. Most implementations in equipment pull from old, reliable, and solid SNMP open-source that carry a security design flaw. These implementations check the SNMP community first and, if a match, checks the SNMP access-list (ACL). Most security professionals do not know this. A packet will arrive and be processed by SNMP (the community check) before it gets to “is your IP allowed.” Security policies that think “the ACL check is first” do not realize a security hole and fail to deploy other SNMP access to limit who can use SNMP to monitor, manage, and control the device.
Not to worry, there are ways to work around these SNMP risks. Existing tools built into the network can lock down SNMP. Mindful security practitioners will use these same tools to turn SNMP into a “security tripwire” for Advanced Persistent Threat (APT) Threat Actors moving around inside the network.
Core SNMP Security Principles
Yes, turning off SNMP is always good advice. But, Murphy’s Law of Entropy dominates security operations. All it takes is a software patch to reset SNMP to the “default on” to have a security hole opened. Given this, it is best to assume SNMP is turned on everywhere in your network.
Murphy’s Law of Entropy & SNMP
You think you have SNMP turned off in most of your network. It is part of your configuration script. Then one Monday morning, you get a Shadowserver report that over 100 devices have SNMP on, with the “public” default community open to the Internet. WTF! You look at the weekend activities and find your network peers upgraded the network software to cover a new vulnerability. Of course, the software patch ignored the existing “no SNMP” config and turned on SNMP in the default mode.
Welcome to Murphy’s Law of Entropy!
In this example, the organization was getting the Shadowserver Daily Reports and using them. In most organizations, there will be no monitoring. The “vendor’s default” for SNMP will be activated. SNMP will be unknowingly exposed.
The key for SNMP defense is to expect entropy where layers of protection fail. Murphy’s Law says to expect entropy at the worst possible moment. In this case, it would be SNMP turned back on. People should not depend on “my SNMP is turned off” or “my SNMP is v3” as the core defensive technique.
Block SNMP Request from the Internet on the edge of your network
Start with a simple Infrastructure ACL (iACL). Deny the source addresses from any of our IPv4/IPv6 blocks, and then deny SNMP into your network.
Infrastructure ACLs are crucial to network security. They are applied to the edge of the network around key sections inside a network. Infrastructure ACLs are the classic “layered defense” approach to security. These ACLs are explicit and start with simple ACL policy rules and work through more explicit layer 3 and layer 4 policies. In the policy example in this illustration, all the “deny” policies are in the first steps, with the “incident reaction” in the middle and the specific “explicit permissions” at the very end. The explicit permissions include the allocated IPv4 and IPv6 blocks assigned to the organization. It ends with a “deny anything else.”
Egress iACLs used to Spot Violated SNMP.
Infrastructure ACLs are ingress (traffic coming into the network) and egress (traffic leaving your network. Often, the egress iACL is just used for anti-spoofing (preventing devices inside the network from being used to spoof IPs). But, the egress iACL can be used to explicitly stop SNMP. Explicit SNMP ACL denies statements providing a counter of how many hits. Those counters can then be used as an alarm for threat actors working to exploit SNMP.
Deploy Exploitable Port Filtering (EPF-ACLs)
Exploitable Port Filtering (EPF-ACLs) on the edges of your network has proven time and again one of the huge protections for large and small networks. For over two decades, large CSPs/ISPs have deployed Exploitable Port Filtering as an extension to their iACLs. Infrastructure ACLs (iACLs) focuses on the core network address space. An organization might have an IPv4 /20 for their network but only use a /24 for their core network infrastructure. EPF-ACLs cover the whole /20 and any downstream services. SNMP has been on the exploitable port filtering list for large ISPs and Carriers for over a decade (see the details in Filtering Exploitable Ports and Minimizing Risk from the Internet and from Your Customers – What are you doing to prepare for the next “scanning malware” and “Internet Worm?”)
Question: How will you know if some threat actor got into your network devices, turned on SNMP, and started to use SNMP to map the network? Egress iACLs with explicit SNMP entries are one way of finding unexpected SNMP activities that could be an indicator of intrusion.
Protecting the Router from SNMP Attack
Network Security requires that each device must secure itself. Do not depend on an “edge protection layer” to be effective. SNMP is part of the Management Plane of traffic inside a network device. Adding device “Management Plane” ACLs blocks unauthorized packets from getting to the SNMP process.
The only devices that should be talking SNMP are those network management packets that are authorized. As mentioned earlier, many SNMP implementations check the IP address after the packet gets to the SNMP process. That is really bad for network devices like routers and switches. It means the packet gets punted to the management place, goes across the backplane to the router processor, and forces work on the router processor.
Ask your network vendor if the “router/switch ACL” is executed in hardware! One of the key “ask before you buy” questions for a vendor is how their device protects itself from attacks. Many vendors put security as an “afterthought.” Their ACLs to protect the router are not in hardware (data plane) but in the control/management/signaling plane. Dropping packets with an ACL on the route processor is DANGEROUS! The packets must be dropped in the data plane before they are passed to the route processor.
Check with your vendor how they deploy ACLs in the network device to protect the device. Then test the ACL in the lab with a DDoS attack targeting SNMP on the device.
Finally, Configuring SNMP for Resiliency
Notice we get to specific SNMP security as the last part. These steps are 101 essentials to SNMP protection:
- If you don’t need SNMP, turn it off. Remember that SNMP is everywhere. You will find printers and thermostats supporting SNMP. It is tough to enforce turn-off SNMP around in the organization. People are constantly plugging new devices into the network. Every new device with poor SNMP defaults is another SNMP risk in the organization. Hence, internal SNMP scanning and monitoring are important to enforce “turn off SNMP when not being used.”
- SNMPv3 where possible. Ask vendors for SNMPv3 support. SNMPv3 has extra security functionality and requires newer code that might reverse the older model of checking the IP after the SNMP community.
- Configured SNMP for protections with hard-to-guess SNMP community strings. Remove the “default” communities.
- Scan your network for where SNMP is turned on. Shadowserver only reports on publicly accessible SNMP. For most organizations, SNMP will be behind network security. Think of a threat-actor who is inside your network using all the “public” SNMP to collect into and more effectively move laterally within your network.
At the very end – Monitor for SNMP Scans.
Monitor inside and outside your network for when SNMP gets scanned. Track the number of SNMP scans per day from the public Internet. Spikes in the SNMP daily scanning would be an indicator of interest. Deploy “canary” devices, Sinkholes, honeypots, and Netflow/IPFIX monitoring inside the network to track SNMP scanning in your network. Simple “watch for SNMP scans” can be a tripwire needed to spot APT and Ransomware threat actors inside your network.
References to help Motivate Action
Still not convinced SNMP requires special security attention? Here are some additional references, articles, and materials:
- Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices – April 20, 2018
- People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices – June 07, 2022
- Ethical hacking: SNMP recon – In this article, we will discuss the various methods of ethical hacking one could take to perform reconnaissance on the SNMP protocol. As you may know, SNMP reveals too much information about targets that might result in attackers compromising a target network.
- SNMP SWEEPING – SNMP Auxiliary Module for Metasploit – Continuing with our information gathering, let’s take a look at SNMP Sweeping. SNMP sweeps are often good at finding a ton of information about a specific system or actually compromising the remote device. If you can find a Cisco device running a private string for example, you can actually download the entire device configuration, modify it, and upload your own malicious config. Often the passwords themselves are level 7 encoded, which means they are trivial to decode and obtain the enable or login password for the specific device.
Are you looking for more practical, low-cost security Advice?
- You can sign up to the mailing list for updates here: Stay Connected with Senki’s Updates.
- Subscribe to Senki’s YOUTUBE Channel for videos on this and other security topics.
- Ask questions to Barry Greene – firstname.lastname@example.org
The materials and guides posted on www.senki.org here are designed to help organizations leverage the talent around them to get started with their security activities. Start with the Operator’s Security Toolkit and Meaningful Security Conversations with your Vendors. Each is no-nonsense security for all Operators. It provides details to help them build more security resilient networks. In the meantime, stay connected to the Senki Community to get updates on new empowerment and security insights.