SNMP ‘GETBULK’ Denial of Service

SNMP GETBULK was introduced in SNMPv2 (and is therefore available in the community-based SNMPv2c as well as SNMPv3). It lets a client retrieve many records with a single request instead of one GETNEXT per object. Its behaviour and the resulting risk are very similar to those of NTP Mode 6 queries.


The risk of GETBULK comes down to a simple principle: a small request can be made to produce a much larger response. This asymmetry is by no means unique to SNMP or to GETBULK, but it is far more dangerous over UDP.

UDP has no handshake, so the source address of a datagram is trivially spoofed. An attacker who sends many spoofed GETBULK requests to an exposed agent causes it to direct the large responses at the spoofed source, that is, at the victim.

SNMP ‘GETBULK’ Reflection DDoS

Some vulnerability scanners compare request and response sizes to rate the severity of the finding. It is not uncommon for SNMP agents to return responses 5 to 10 times (500-1000 percent) the size of the request. The exact ratio depends on the device and on the OID requested, since the agent can only return as much data as it holds beneath that OID.

Pentesting SNMP

Two utilities from the Net-SNMP tools (the snmp package on Debian-based systems), snmpbulkwalk and snmpbulkget, can be used to confirm this issue.

The following command walks a target system (the host is the final argument). Because snmpbulkwalk issues GETBULK requests rather than GETNEXT, a successful walk confirms that GETBULK is supported:

snmpbulkwalk -v2c -c public <target>

The following can be used as a proof of concept for amplification. -Cr500 sets max-repetitions to 500, asking the agent to return up to 500 successive objects after the starting OID in a single response (host and starting OID are the final arguments):

snmpbulkget -v2c -c public -Cr500 <target> <oid>

We can confirm this with tcpdump: our request is 44 bytes and the response is 1266 bytes, roughly a 29:1 amplification (source and destination addresses have been removed from the capture):

21:28:34.267553 IP > UDP, length 44
21:28:34.289425 IP > UDP, length 1266
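To see where the asymmetry comes from, the following added example (not code from the original article) hand-encodes the SNMPv2c GetBulkRequest that snmpbulkget puts on the wire, so the request can be inspected byte by byte. Changing max-repetitions from 1 to 500 grows the request by a single byte, while the response grows with the number of objects returned. The community string "public", the starting OID 1.3.6.1.2.1 (mib-2) and the fixed request-id 0x12345678 are assumptions chosen for reproducibility; if a host is given on the command line the script sends the datagram and reports the measured ratio.

```python
"""Build a raw SNMPv2c GETBULK request and measure the amplification it produces.

Added example, not part of the original article. Uses only the standard library.
Assumed defaults: community "public", OID 1.3.6.1.2.1, request-id 0x12345678.
"""
import socket
import sys


# --- minimal BER (ASN.1) encoders ------------------------------------------

def ber_length(n: int) -> bytes:
    """Definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, content: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + ber_length(len(content)) + content


def ber_integer(value: int) -> bytes:
    """INTEGER (tag 0x02) in the minimal two's-complement encoding."""
    length = 1
    while not -(1 << (8 * length - 1)) <= value < (1 << (8 * length - 1)):
        length += 1
    return ber_tlv(0x02, value.to_bytes(length, "big", signed=True))


def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER (tag 0x06): first two arcs merged, base-128 packing."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    out = bytearray()
    for sid in subids:
        chunk = [sid & 0x7F]
        sid >>= 7
        while sid:
            chunk.append(0x80 | (sid & 0x7F))
            sid >>= 7
        out.extend(reversed(chunk))
    return ber_tlv(0x06, bytes(out))


# --- the request snmpbulkget -v2c -c <community> -Cr<max_rep> <host> <oid> sends

def build_getbulk(oid: str = "1.3.6.1.2.1", community: str = "public",
                  max_repetitions: int = 500, non_repeaters: int = 0,
                  request_id: int = 0x12345678) -> bytes:
    """SNMPv2c message wrapping a GetBulkRequest-PDU (context tag 0xA5)."""
    varbind = ber_tlv(0x30, ber_oid(oid) + b"\x05\x00")  # OID + NULL value
    pdu = ber_tlv(0xA5,
                  ber_integer(request_id)
                  + ber_integer(non_repeaters)
                  + ber_integer(max_repetitions)
                  + ber_tlv(0x30, varbind))               # VarBindList
    return ber_tlv(0x30,
                   ber_integer(1)                          # version 1 == SNMPv2c
                   + ber_tlv(0x04, community.encode())     # community OCTET STRING
                   + pdu)


def amplification_ratio(request_len: int, response_len: int) -> float:
    """Bytes returned per byte sent, the figure scanners rate the finding on."""
    return response_len / request_len


def measure(host: str, request: bytes, port: int = 161, timeout: float = 3.0):
    """Send one datagram; return (request_len, response_len) or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return None
    return len(request), len(data)


if __name__ == "__main__":
    req = build_getbulk()
    print(f"request: {len(req)} bytes: {req.hex()}")
    if len(sys.argv) > 1:
        sizes = measure(sys.argv[1], req)
        if sizes is None:
            print("no response (filtered, agent down, or wrong community)")
        else:
            print(f"response: {sizes[1]} bytes, "
                  f"amplification x{amplification_ratio(*sizes):.1f}")
```

Run it without arguments to see the 41-byte request for the assumed OID; a longer starting OID or a different request-id accounts for the 44 bytes in the capture above. Run it with a host you are authorised to test to reproduce the request/response measurement that tcpdump shows.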

Remediating SNMP GETBULK Vulnerabilities

Remember that the risk of this vulnerability is substantially higher on external network perimeters, where the agent can be reached by spoofed traffic from anywhere on the Internet. On internal networks the finding is commonly accepted and left unremediated, although an agent there can still be used to amplify traffic against other internal hosts. Three recommendations are given:

  1. Disable the SNMP service if it is not required.
  2. Restrict UDP port 161 at the network layer so that only trusted management hosts can reach the agent.
  3. Check the product documentation to see whether GETBULK can be disabled in the agent's configuration. Most systems do not support this.