SNMP Reflection/Amplification

What is an SNMP Reflection/Amplification Attack

An SNMP reflection is a type of Distributed Denial of Service (DDoS) attack that is reminiscent of earlier generations of DNS amplification attacks.

Instead of Domain Name Servers (DNS), SNMP reflection attacks use the Simple Network Management Protocol (SNMP) - a common network management protocol used for configuring and collecting information from network devices like servers, hubs, switches, routers and printers.

SNMP reflection attacks can generate attack volumes of hundreds of gigabits per second, which can be directed at attack targets from multiple broadband networks. Attacks are sometimes hours in duration, are highly disruptive to attack targets, and can be very challenging to mitigate.

Attack Description

SNMP reflection, like other reflection attacks, involves eliciting a flood of responses to a single spoofed IP address. During an SNMP reflection attack, the perpetrator sends out a large number of SNMP queries with a forged IP address (the victim’s) to numerous connected devices that, in turn, reply to that forged address. The attack volume grows as more and more devices continue to reply, until the target network is brought down under the collective volume of these SNMP responses.

Reflection attacks are even more dangerous when amplified. “Amplification” refers to eliciting an asymmetrical server response that is significantly larger than the original request sent. With amplification, an SNMP reflection attack can produce much higher traffic volumes, even from a relatively small input stream, ultimately turning into a much more effective and more dangerous denial of service threat.

The amplification factor of an SNMP reflection attack can be as high as x600 or even x1700, according to some of the most recent reports of attack tools that abuse the GetBulk SNMP operation.

Methods of Mitigation

SNMP reflection is a volumetric DDoS threat which aims to clog the target’s network pipes. As such, it can be countered by overprovisioning of network resources that will allow the target infrastructure to withstand the attack.

[Figure: NTP amplification attack, 180Gbps and 50Mpps. Caption: Incapsula protects against a volumetric DDoS attack: 180Gbps and 50 million packets per second]

In scenarios where the targeted infrastructure is expected to handle legitimate SNMP responses, the mitigation process should also rely on ingress/egress packet filtering. For example, a network operator may elect to limit access to a given SNMP server, making it accessible solely from a narrow range of IP addresses. This will, however, still require the network to be able to handle the overall incoming packet flow.
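The allowlist filtering described above, sketched as an added example (not Incapsula's code): it accepts UDP traffic sourced from port 161 only when the sender is in an allowed range, and tallies how many bytes still arrived on the link before being dropped. The address ranges (RFC 5737 documentation space), the flow records and all function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumed allowlist: the only range legitimate SNMP agents live in
# (documentation address space, constructed for this example).
ALLOWED_AGENTS = [ipaddress.ip_network("192.0.2.0/28")]
SNMP_PORT = 161

# Constructed flow records: (src_ip, proto, src_port, dst_port, bytes)
FLOWS = [
    ("192.0.2.5",    "udp", 161, 40001, 1_200),    # polled switch, allowed
    ("192.0.2.9",    "udp", 161, 40002, 900),      # polled router, allowed
    ("198.51.100.7", "udp", 161, 53211, 480_000),  # unsolicited SNMP response
    ("198.51.100.8", "udp", 161, 53211, 510_000),
    ("203.0.113.44", "udp", 161, 53211, 495_000),
    ("203.0.113.90", "tcp", 51812, 443, 30_000),   # unrelated web traffic
    ("192.0.2.200",  "udp", 161, 40003, 700),      # outside the /28
]

def is_snmp_response(proto, src_port):
    """Reflected SNMP traffic arrives as UDP sourced from the agent port."""
    return proto == "udp" and src_port == SNMP_PORT

def ingress_filter(flows, allowed=ALLOWED_AGENTS):
    """Apply the allowlist and account for what still reached the link."""
    stats = Counter()
    blocked_sources = set()
    for src, proto, sport, _dport, nbytes in flows:
        stats["arrived_bytes"] += nbytes  # bandwidth is consumed either way
        if not is_snmp_response(proto, sport):
            stats["passed_bytes"] += nbytes
            continue
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in allowed):
            stats["passed_bytes"] += nbytes
        else:
            stats["dropped_bytes"] += nbytes
            blocked_sources.add(src)
    stats["blocked_sources"] = len(blocked_sources)
    return dict(stats)

if __name__ == "__main__":
    result = ingress_filter(FLOWS)
    print(result)
    share = result["dropped_bytes"] / result["arrived_bytes"]
    print(f"{share:.1%} of arriving bytes were dropped only after crossing the link")
```

The dropped share is the traffic the filter removes locally but that the upstream link still had to carry, which is why filtering alone does not remove the need for capacity.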

Incapsula DDoS protection leverages Anycast technology to balance the attack load across its global network of high-powered scrubbing servers, where traffic undergoes a process of Deep Packet Inspection (DPI) that filters out malicious DDoS traffic.

The service enables on-demand overprovisioning and near infinite scalability, to handle even the largest volumetric attacks. Moreover, Incapsula DDoS protection can be instantly deployed on top of any network infrastructure via a BGP announcement, which makes Incapsula the recipient of all incoming traffic.

Once deployed, Incapsula's proxy position ensures that DDoS traffic is filtered outside of the client's network, while all clean traffic is forwarded to its end-destination through a secure GRE tunnel.
