Distributed Denial of Service (DDoS) attacks are becoming more sophisticated and complex, and, according to security experts, the next DDoS vector to be concerned about is SNMP (Simple Network Management Protocol) amplification attacks.
Yesterday afternoon, the SANS Internet Storm Center reported SNMP scans carrying a spoofed source address belonging to Google’s public recursive DNS server. The scans search for vulnerable routers and other devices that support the protocol, are open to the public Internet, and could therefore be abused to generate DDoS traffic.
Simple Network Management Protocol (SNMP) is a UDP-based protocol designed to allow monitoring of network-attached devices by querying information about their configuration. SNMP-enabled devices can be found in both home and business environments; the protocol is typically used in devices such as printers, switches, firewalls and routers.
If the attack is successful, it tries to modify configuration variables on the affected device: the TTL (Time To Live) variable is set to 1, which, according to Ullrich, “would make it impossible for the gateway to connect to other systems that are not on the same link-layer network,” and the Forwarding variable is set to 2, which turns off IP forwarding.
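As an added illustration (not code from the original post or from SANS), the following Python check parses snmpwalk-style IP-MIB output from a gateway and flags the two settings described above. The sample output is constructed, the Net-SNMP line format is an assumption, and the check assumes the device is supposed to route traffic.

```python
import re

# Constructed sample of Net-SNMP snmpwalk output (assumed format, not taken
# from the article). It shows the post-tamper state described above:
# default TTL forced to 1 and IP forwarding switched to notForwarding(2).
SAMPLE_WALK = """\
IP-MIB::ipForwarding.0 = INTEGER: notForwarding(2)
IP-MIB::ipDefaultTTL.0 = INTEGER: 1
IP-MIB::ipInReceives.0 = Counter32: 1048576
"""

# A TTL of 1 is decremented to 0 at the first router, so packets never
# leave the local link-layer network; anything below this is suspicious.
MIN_SANE_TTL = 2

# Matches "IP-MIB::<name>.0 = INTEGER: 1" and "... INTEGER: notForwarding(2)".
LINE_RE = re.compile(r"^IP-MIB::(\w+)\.0 = INTEGER: (?:\w+\()?(\d+)\)?\s*$")


def parse_ip_mib(walk_output: str) -> dict:
    """Return {object name: int} for the INTEGER objects in an IP-MIB walk."""
    values = {}
    for line in walk_output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


def check_tampering(values: dict) -> list:
    """Flag the two configuration changes the post describes, assuming a gateway."""
    findings = []
    ttl = values.get("ipDefaultTTL")
    if ttl is not None and ttl < MIN_SANE_TTL:
        findings.append(f"ipDefaultTTL={ttl}: packets cannot cross a router hop")
    # ipForwarding: forwarding(1) is expected on a gateway, notForwarding(2) is not.
    if values.get("ipForwarding") == 2:
        findings.append("ipForwarding=notForwarding(2): IP forwarding disabled")
    return findings


if __name__ == "__main__":
    for finding in check_tampering(parse_ip_mib(SAMPLE_WALK)):
        print("TAMPERING:", finding)
```

Run the same check against a periodic snmpwalk of each gateway and alert when it returns a non-empty list.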
For more detail, see the entire threat post by Ullrich.