CyberEye

Blog archive
Network printers can become hosts for Distributed Reflection Denial of Service attacks

How hackers can turn the Internet of Things into a weapon

We are living in world of increasingly smart devices. Not really intelligent; just smart enough to be dangerous.

As more devices become IP-enabled, they contribute to the pool of things that can be recruited into botnets or other platforms used for distributed attacks. Distributing attacks make it more difficult to trace the source of the attack and also makes it easier to overwhelm a target. In the past year, distributed denial of service has become the attack of choice for activists and blackmailers.

Prolexic, a DDOS security company, has published a white paper on Distributed Reflection Denial of Service (DrDOS) attacks that focuses on a handful of protocols, including the Simple Network Management Protocol. SNMP is an application layer (Layer 7) protocol commonly used to manage devices with IP addresses.

“Unlike other DDOS and DrDOS attacks, SNMP attacks allow malicious actors to hijack unsecured network devices — such as routers, printers, cameras, sensors and other devices —  and use them as bots to attack third parties,” the report points out.

This is a concern not only because it increases the number of possible devices that can be compromised, but also because remote devices such as printers and sensors of every kind often are less likely to be properly managed and secured, leaving them open to exploit.

For public-sector agencies, this can include such devices as sensors used in weather observations, control valves at power plants, door locks in prisons, traffic signals and any number of other connected devices. A search engine such as Shodan can reveal those connected devices, many of which are completely without security,

SNMP uses the User Datagram Protocol, a stateless protocol that is subject to IP spoofing. A Reflection DOS attack using SNMP is a type of amplification attack, because an SNMP request generates a response that typically is at least three times larger. Boiled down to its basics, an attacker can port-scan a range of IP address to identify exploitable SNMP hosts. He sends an SNMP request to these hosts using the spoofed IP address of the target server, and the hosts’ replies saturate the target’s bandwidth, making it unavailable.

“The raw response size of the traffic is amplified significantly,” the report says. “This makes the SNMP reflection attack vector a powerful force.”

The best way to protect yourself from being shanghaied into such an attack is to identify all of the devices accessible on your network, whether or not they appear to be sensitive, and properly manage them. Prolexic offers a list of mitigations in its paper.

Remote management of and access to otherwise dumb devices can be a great convenience, but the trade-off is that it adds to the list of things that must be managed and secured.

Posted by William Jackson on May 03, 2013 at 9:39 AM


Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.