SNMP service: still opened to the public and still queried by attackers

Published: 2020-01-06
Last Updated: 2020-01-06 21:05:27 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
2 comment(s)

Simple Network Management Protocol (SNMP) is a UDP service that runs on port 161/UDP. It is used for network management purposes and should be reachable only from known locations using secure channels.

I reviewed my honeypot today for interesting connections during december 2019. Saw an increase of snmp queries with the following distribution:

This is interesting as attackers are querying for the Community-Based Simple Network Management Protocol version 2 (SNMPv2c) instead of SNMPv2. It introduced GetBulkRequest command to gather large amount of data. SNMPv2c includes SNMPv2 without the SNMPv2 security model, using instead the simple community-based security scheme of SNMPv1.

Our ISC data shows this port was also active during december with a small spike during the first week of 2020:

Shodan report shows many devices connected to the internet with open SNMP port:

And there are domains with an important number of devices with open SNMP port. Source is Shodan:

We can conclude the following:

  • There are devices that still have SNMP open to the Internet and the attackers know it. They predominantly search for devices that respond under the SNMPv2c protocol.
  • You should not place devices on the Internet with open SNMP services. This is a very cheap way for an attacker to gather intelligence about your network and traffic.
  • Please always use secure protocols:
    • SNMPv1 send passwords in clear text. SNMPv2 is prone to password hashing attacks.
    • SNMPv1 and SNMPv2 are vulnerable to IP spoofing. None of them should be used. 
    • SNMPv3 is vulnerable to brute force and dictionary attacks. This is the current protocol version. To mitigate the vulnerabilities, you should use IPSec transport connections.

Do you have any other interesting findings to share with us? Please send them out using our contact form

Manuel Humberto Santander Pelaez
SANS Internet Storm Center - Handler

e-mail: msantand at isc dot sans dot org

2 comment(s)


Besides giving attackers easy info on your network, this is a major vector for DDoS amplification - up to a 1700 times amplification PER request!
Over the new year, I installed a new networked printer from a name brand vendor at home. Checking its network posture was a hair-raising experience.

SNMP v1 and v2 enabled RW (!!) by default.

TFTP (!!!) enabled by default.

Lots of other fun and games, but those two are probably the most memorable of the many preinstalled vulnerabilities.

Diary Archives