At NetFort we keep talking about having a unified network visibility for both security and operations. The rationale for us is pretty simple; our already stressed customers have a reference point, a single pane of glass to monitor and troubleshoot any suspicious activity. It does not matter whether the activity is security or performance related. If users are reporting the ‘network is slow’ or an ISP notifies you of suspicious activity, you need that single reference point to actually see what is going or for network forensics, to see what happened and fast.
This visibility is especially important for organizations such as universities, stadiums, airports that, due to the nature of their business, need to operate open, high speed networks.
In a recent case, one of our customers was running a server that was hijacked and participating in an attack, generating large UDP responses to spoofed SNMP queries.
This ‘SNMP speaking’ device, was configured with the default SNMP community string ‘public’, easily guessed by a third party. A really good example of the risks associated with SNMP and why some organizations disable it entirely. The server was accessible from the public internet.
The attacker identified the server and guessed the SNMP community string. SNMP normally runs on the UDP protocol (and did in this case). UDP doesn’t require a session, so IP addresses and port numbers in a packet can be faked. The attacker fabricated a UDP SNMP query packet (a getbulk request) and used the victims IP address as the source IP address. All that was required was to edit the address, recompute the header checksum and transmit the packet.
The server duly received the packet, verified the checksum, generated the SNMP response and sent it to the victims IP address. Further, the attacker fabricated the source port number and inserted port 80, instead of the usual ephemeral port number. This meant that responses were targeted at the victim’s web services. As responses were large, this constituted a DOS attack on the victim. Our customer appeared to be the source of the attack. This type of attack is know as an amplification attack.
In this case, the customer was immediately alerted because LANGuardian monitoring had been installed and configured and had detected large amounts of egress SNMP traffic on a non standard port number.
Recently we’ve all been hearing a lot about APTs (Advanced Persistent Threats) but a recent surveys reports that 90% of successful attacks are as a result of the basics not being covered off, upgrade, patch, validate configurations, replace unsupported software, training and continuous monitoring.
If you do not continuously monitor so you can clearly see what is actually happening on your network, you will get that phone call or email soon….and it could be at the worst possible time.
Thanks to NetFort for the article.