
SNMP

Another widely deployed UDP-based request/reply service is SNMP [CFSD90]. Sites that fail to block off-site access to SNMP will often provide a large number of possible reflectors, potentially much greater than the number of Web servers or DNS servers with recursion enabled.

However, this attack will be identifiable because the reflected replies carry the well-known SNMP port (161) as their UDP source port. In addition, it seems quite plausible that most victims can survive just fine if external SNMP traffic is filtered out and never reaches them. On the other hand, this could potentially be a major problem for service providers who rely on SNMP to manage their network. However, they can likely allow replies from their own hosts to pass through the filter, assuming their hosts are numbered out of only a few network prefixes and are thus easy to express as filter exceptions.
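The filter exception just described, as an added example that is not from the paper: an inbound filter that drops UDP datagrams with source port 161 unless they come from the provider's own prefixes, plus a pass over a packet trace that tallies the distinct off-site sources dropped (the candidate reflectors). The prefixes and the trace are constructed for illustration.

```python
import ipaddress
from typing import Callable, Iterable, List, Tuple

SNMP_PORT = 161  # well-known UDP port that SNMP agents reply from

# Constructed sample of inbound datagrams as (src_ip, src_port, proto).
SAMPLE_TRACE: List[Tuple[str, int, str]] = [
    ("192.0.2.10", 161, "udp"),     # reply from one of our own managed hosts
    ("198.51.100.7", 161, "udp"),   # off-site SNMP reply: reflected/unsolicited
    ("203.0.113.9", 161, "udp"),    # off-site SNMP reply
    ("203.0.113.9", 161, "udp"),    # same reflector seen again
    ("203.0.113.9", 53, "udp"),     # DNS, not SNMP: outside this filter's scope
    ("198.51.100.7", 161, "tcp"),   # TCP, not the UDP reply path
]


def build_reflector_filter(own_prefixes: Iterable[str]) -> Callable[[str, int, str], str]:
    """Return a verdict function ("pass"/"drop") for inbound datagrams.

    SNMP replies (UDP, source port 161) are dropped unless the source lies
    in one of the site's own prefixes, the few filter exceptions a provider
    that manages its network with SNMP would need.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in own_prefixes]

    def verdict(src_ip: str, src_port: int, proto: str) -> str:
        if proto != "udp" or src_port != SNMP_PORT:
            return "pass"  # not SNMP reply traffic; untouched by this filter
        addr = ipaddress.ip_address(src_ip)
        # Mixed IPv4/IPv6 comparisons are simply False, never an error.
        if any(addr in net for net in nets):
            return "pass"  # reply from a host we are allowed to poll
        return "drop"  # off-site SNMP reply: we never sent the request

    return verdict


def filter_trace(trace, verdict) -> Tuple[int, List[str]]:
    """Apply the filter; return (datagrams passed, sorted distinct dropped sources).

    The dropped-source list is the set of hosts acting as reflectors toward us.
    """
    passed = 0
    dropped = set()
    for src_ip, src_port, proto in trace:
        if verdict(src_ip, src_port, proto) == "pass":
            passed += 1
        else:
            dropped.add(src_ip)
    return passed, sorted(dropped)
```

Running `filter_trace(SAMPLE_TRACE, build_reflector_filter(["192.0.2.0/24"]))` passes three datagrams and reports two distinct off-site reflector addresses.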

Another question regarding this attack is how many sites do in fact fail to block incoming SNMP requests. The concern is that many "open" environments such as educational institutions may fall into this category.

Summary: likely not a threat.



Vern Paxson
2001-06-26