SNMP ‘GETBULK’ Denial of Service
SNMP GETBULK was introduced in SNMP version 2c and allows a client to request multiple records with a single command. The behavior and risk are very similar to NTP Mode 6 Vulnerabilities.
SNMP GETBULK Risk
The risk of GETBULK comes down to the simple principle that a small request can be used to cause a much larger response. Although this behavior is by no means unique to SNMP and GETBULK, it is more problematic when using UDP.
UDP can be easily spoofed. And when many spoofed packets cause large responses, that can be dangerous.
SNMP ‘GETBULK’ Reflection DDoS
Some vulnerability scanners may compare request and response sizes to determine the risk of the vulnerability. It is not uncommon for SNMP agents to respond with a 500-1000 percent difference in size.
The following command can be used to walk a target system and determine if GETBULK is supported:
snmpbulkwalk -v2c -c public 10.0.0.2
The following can be used as a proof of concept for amplification. Here we request the next 500 iterations from the OID:
snmpbulkget -Cr500 -c public -v2c 10.0.0.2 220.127.116.11.18.104.22.168.0
We can confirm this with tcpdump, which shows our request of 44 bytes and a response of 1266 bytes:
21:28:34.267553 IP 10.0.0.1.40583 > 10.0.0.2.161: UDP, length 44
E..H.(@.@.W. ..+ ........4.!0*.....public....*..O.......0.0...+.........
21:28:34.289425 IP 10.0.0.2.161 > 10.0.0.1.40583: UDP, length 1266
E....p..@... [...]
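The request/response size comparison described above can be run over a whole capture to find which agents on a network amplify. The following shell function is an added example, not part of the original page; the helper name `snmp_amp_report`, the default threshold of 5 and the second flow in the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: per-agent SNMP amplification factor from `tcpdump -n` text output.

# Constructed sample input; the first two lines mirror the capture shown above.
sample_capture() {
cat <<'EOF'
21:28:34.267553 IP 10.0.0.1.40583 > 10.0.0.2.161: UDP, length 44
21:28:34.289425 IP 10.0.0.2.161 > 10.0.0.1.40583: UDP, length 1266
21:28:35.101200 IP 10.0.0.1.40584 > 10.0.0.3.161: UDP, length 43
21:28:35.102900 IP 10.0.0.3.161 > 10.0.0.1.40584: UDP, length 52
EOF
}

# snmp_amp_report [THRESHOLD]  (hypothetical helper name, default threshold 5)
# Reads tcpdump lines on stdin and prints, per agent:
#   agent request_bytes response_bytes factor verdict
snmp_amp_report() {
    LC_ALL=C awk -v limit="${1:-5}" '
    $2 == "IP" && $4 == ">" && /UDP, length [0-9]+/ {
        src = $3; dst = $5; sub(/:$/, "", dst)
        # Endpoints look like a.b.c.d.port: split at the last dot.
        sport = src; sub(/.*\./, "", sport); shost = src; sub(/\.[^.]*$/, "", shost)
        dport = dst; sub(/.*\./, "", dport); dhost = dst; sub(/\.[^.]*$/, "", dhost)
        bytes = 0
        for (i = 1; i < NF; i++) if ($i == "length") bytes = $(i + 1) + 0
        if (dport == 161)      { req[dhost]  += bytes; seen[dhost] = 1 }
        else if (sport == 161) { resp[shost] += bytes; seen[shost] = 1 }
    }
    END {
        for (a in seen) {
            if (req[a] + 0 == 0) {
                # Responses with no matching request in the capture.
                printf "%s 0 %d n/a UNSOLICITED\n", a, resp[a]
                continue
            }
            f = resp[a] / req[a]
            printf "%s %d %d %.1f %s\n", a, req[a], resp[a], f, (f >= limit ? "AMPLIFIER" : "ok")
        }
    }' | LC_ALL=C sort
}

sample_capture | snmp_amp_report 5
```

Feed it live data with `tcpdump -n -r capture.pcap udp port 161 | snmp_amp_report`, where `capture.pcap` is a placeholder file name; the factor counts UDP payload bytes only, and IPv6 lines are ignored.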
Remediating SNMP GETBULK Vulnerabilities
Remember that the risk of this vulnerability is substantially higher on external network perimeters. On internal networks, it is acceptable not to remediate this issue. Two primary recommendations are given:
- Disable the SNMP service if not required.
- Restrict UDP port 161 at the network layer.
- Consult the product or system documentation to see whether the configuration allows GETBULK to be disabled. Most systems do not support this.