By Patrick Marshall

Network printers can become hosts for Distributed Reflection Denial of Service attacks

How hackers can turn the Internet of Things into a weapon

We are living in a world of increasingly smart devices. Not really intelligent; just smart enough to be dangerous.

As more devices become IP-enabled, they contribute to the pool of things that can be recruited into botnets or other platforms used for distributed attacks. Distributing an attack makes it more difficult to trace its source and also makes it easier to overwhelm a target. In the past year, distributed denial of service has become the attack of choice for activists and blackmailers.

Prolexic, a DDOS security company, has published a white paper on Distributed Reflection Denial of Service (DrDOS) attacks that focuses on a handful of protocols, including the Simple Network Management Protocol. SNMP is an application layer (Layer 7) protocol commonly used to manage devices with IP addresses.

“Unlike other DDOS and DrDOS attacks, SNMP attacks allow malicious actors to hijack unsecured network devices — such as routers, printers, cameras, sensors and other devices — and use them as bots to attack third parties,” the report points out.

This is a concern not only because it increases the number of possible devices that can be compromised, but also because remote devices such as printers and sensors of every kind often are less likely to be properly managed and secured, leaving them open to exploit.

For public-sector agencies, this can include such devices as sensors used in weather observations, control valves at power plants, door locks in prisons, traffic signals and any number of other connected devices. A search engine such as Shodan can reveal those connected devices, many of which are completely without security.

SNMP uses the User Datagram Protocol, a stateless protocol that is subject to IP spoofing. A Reflection DOS attack using SNMP is a type of amplification attack, because an SNMP request generates a response that typically is at least three times larger. Boiled down to its basics, an attacker can port-scan a range of IP addresses to identify exploitable SNMP hosts. He sends an SNMP request to these hosts using the spoofed IP address of the target server, and the hosts’ replies saturate the target’s bandwidth, making it unavailable.

“The raw response size of the traffic is amplified significantly,” the report says. “This makes the SNMP reflection attack vector a powerful force.”

The best way to protect yourself from being shanghaied into such an attack is to identify all of the devices accessible on your network, whether or not they appear to be sensitive, and properly manage them. Prolexic offers a list of mitigations in its paper.
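One way to find devices on your own network that are already answering SNMP from outside, shown as an added example that is not from the article or from Prolexic's paper. The flow-record layout, the 10.0.0.0/8 internal range and the sample records are assumptions constructed for illustration; the 3x threshold is the figure the article cites.

```python
import ipaddress
from collections import defaultdict

# Assumptions for this example: internal range, flow tuple layout, threshold.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
SNMP_PORT = 161
MIN_RATIO = 3.0  # the article's "at least three times larger"

# Constructed sample: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
FLOWS = [
    ("203.0.113.9", 40000, "10.1.4.20", 161, "udp", 8000),
    ("10.1.4.20", 161, "203.0.113.9", 40000, "udp", 48000),  # printer replies
    ("10.1.0.5", 50111, "10.1.4.21", 161, "udp", 900),       # internal poll
    ("10.1.4.21", 161, "10.1.0.5", 50111, "udp", 3100),
    ("198.51.100.7", 53123, "10.1.4.22", 161, "udp", 600),   # dropped, no reply
    ("10.1.4.20", 443, "198.51.100.7", 51000, "tcp", 70000), # unrelated traffic
]

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def find_reflectors(flows, min_ratio=MIN_RATIO):
    """List internal devices whose SNMP agent answers external addresses."""
    req, resp = defaultdict(int), defaultdict(int)
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dport == SNMP_PORT and is_internal(dst) and not is_internal(src):
            req[(dst, src)] += nbytes
        elif sport == SNMP_PORT and is_internal(src) and not is_internal(dst):
            resp[(src, dst)] += nbytes
    findings = []
    for (device, peer), out_bytes in sorted(resp.items()):
        in_bytes = req.get((device, peer), 0)
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        findings.append({
            "device": device,
            # With spoofed requests the peer is the victim, not the sender.
            "peer": peer,
            "bytes_in": in_bytes,
            "bytes_out": out_bytes,
            "ratio": round(ratio, 2),
            "amplifying": ratio >= min_ratio,
        })
    return findings

if __name__ == "__main__":
    for finding in find_reflectors(FLOWS):
        print(finding)
```

Any device this returns is reachable on UDP 161 from outside and is replying, so it belongs on the list of things to restrict or reconfigure whether or not its ratio crosses the threshold.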

Remote management of and access to otherwise dumb devices can be a great convenience, but the trade-off is that it adds to the list of things that must be managed and secured.

Posted by William Jackson on May 03, 2013 at 9:39 AM
