[69948] in North American Network Operators' Group
Re: snmp vuln
daemon@ATHENA.MIT.EDU (Saku Ytti)
Thu Apr 22 03:20:53 2004
Date: Thu, 22 Apr 2004 10:17:06 +0300
From: Saku Ytti <saku+nanog@ytti.fi>
To: nanog@merit.edu
In-Reply-To: <001a01c42832$794d4740$6401a8c0@alexh>
Errors-To: owner-nanog-outgoing@merit.edu
On (2004-04-21 23:24 -0700), Alexei Roudnev wrote:
> If you ever read the SNMP specs, you can realize that there is not any C or C++
> SNMP implementation without such a problem. So, rule number 1 is: _never_
> expose SNMP to the Internet, and be careful to filter out any inbound packets
> forwarded to your SNMP ports.
Which makes me wonder why, in most implementations, services listen on
each configured address. A provider might have a lot of link networks, even
ones customers demand from his link network. This makes filtering at the
borders a little less feasible. And for this particular attack, two-way
communication is not needed, so SNMP with an ACL is not enough to
mitigate this. With explicitly defined listen addresses, filtering at the border
would be easy.
JunOS allows you to set interfaces for SNMP, but according to netstat it
still listens on *.161.
--
++ytti
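As an added check that is not part of the original post or of any vendor tooling: the script below parses constructed `netstat -an` lines in the BSD/JunOS and Linux formats, flags SNMP sockets bound to the wildcard address (the `*.161` case mentioned above), and derives which destination addresses a border filter would have to cover. The sample lines and router addresses are assumed.

```python
import re

# Constructed sample `netstat -an` output (not from the original post).
# BSD/JunOS style: a wildcard bind on UDP/161 and an explicit NTP bind.
JUNOS_STYLE = """\
udp4       0      0  *.161                  *.*
udp4       0      0  192.0.2.1.123          *.*
"""
# Linux style: SNMP bound only to one explicit address.
LINUX_STYLE = """\
udp        0      0 192.0.2.1:161           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

# Local-address column, with the port split on the last "." (BSD) or ":" (Linux).
BSD_RE = re.compile(r"^udp\S*\s+\d+\s+\d+\s+(\S+)\.(\d+|\*)\s+\S+")
LINUX_RE = re.compile(r"^udp\S*\s+\d+\s+\d+\s+(\S+):(\d+|\*)\s+\S+")
WILDCARDS = {"*", "0.0.0.0", "::", "[::]"}
SNMP_PORT = 161


def parse_udp_listeners(netstat_text):
    """Return (local_address, port) for every UDP line in netstat output."""
    found = []
    for line in netstat_text.splitlines():
        m = BSD_RE.match(line) or LINUX_RE.match(line)
        if m:
            port = None if m.group(2) == "*" else int(m.group(2))
            found.append((m.group(1), port))
    return found


def snmp_wildcard_binds(netstat_text):
    """SNMP sockets bound to every address, i.e. reachable via any interface."""
    return [(a, p) for a, p in parse_udp_listeners(netstat_text)
            if p == SNMP_PORT and a in WILDCARDS]


def border_filter_targets(netstat_text, router_addresses):
    """Destinations a border filter must cover for UDP/161.

    A wildcard bind means every address the router owns (link networks
    included) can receive the packet; explicit binds shrink the set to the
    bound addresses only.
    """
    snmp = [(a, p) for a, p in parse_udp_listeners(netstat_text) if p == SNMP_PORT]
    if any(a in WILDCARDS for a, _ in snmp):
        return set(router_addresses)
    return {a for a, _ in snmp}
```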