Denial of Service Attacks on Data Racks

Greetings. This week’s blog is about SNMP Denial of Service Attacks on Rack PDU’s.  Rack Power Distribution Units, or PDU’s are a standard feature in every rack and are used to distribute the power in a rack via individual power outlets.  Most all PDU’s used in server and telecom racks today are intelligent, in that they use SNMP to communicate their status to a central console or trap receiver.

A Denial of Service (DoS) attack and a Distributed Denial of Service (DDoS) attack can cripple any organization.  DoS attacks seek to overwhelm and flood the network with large volumes of data that effectively cripple your network's ability to operate.  In order to launch a DDoS attack, a cyber hacker needs several devices that speak the same protocol language, and SNMP is becoming a favorite of hackers.

In terms of sheer numbers, Rack PDU’s are one of the most prevalent devices in your network, trailing only servers and switches. Because of this, they offer a great opportunity to a hacker to launch a very destructive Distributed Denial of Service (DDoS) attack. The fact that so many of your Rack PDU’s are tucked-away in remote server rooms makes them that much more vulnerable to attack.

To get to the heart of this, let’s take a quick look at DDoS and reflection/amplification. The reflection component of this attack happens when someone spoofs one of your active IP addresses as the source of SNMP queries. The hacker sends out SNMP requests to lots of devices, like rack PDU’s, using your IP address as the spoofed source. That causes all of those devices to respond to your IP address with data. As the hacker adds more SNMP devices to his request list, the volume grows and can reach into the gigabits per second. To up the ante, the bad guys can use techniques that elicit huge data responses from each SNMP query and may ultimately amplify the original request by well over 1000 times. A nice article and visual picture of this can be found here.

USENIX, the Advanced Computing Systems Association, has identified SNMP as the second largest source for Reflection/Amplification DDoS attacks and they list Power Distribution Units as one of those specific sources that can be easily used in such an attack. Because SNMP, even SNMPv3, is no longer secure as can be seen in this excellent peer-reviewed article, it is clear that your PDU’s provide a good source for DDoS attacks and it is important that you secure them.

We ask all readers of this blog to take a look at how many PDU’s you have under management. We then ask that you consider that you can’t manage what you can’t secure. Please take a look at how RackGuardian can protect each of your critical racks. It is the only system that completely shuts out cyber intruders, while giving you all the management information on your systems that you require.

Until next time.

Be Well!

Cyber Risks of Power Reboot Devices

Welcome back!  This week, we look at a very serious problem with server and telecom racks: Cyber Risks of Power Reboot Devices.  To begin with, having the ability to reboot a server or telecom unit remotely is an extremely handy thing to use and it can save an enormous amount of time and effort.   The problem is that all-too-many of these devices have little if any protection from a cyber criminal using this device against you.

Let’s look at the various devices that can be used to remotely power cycle an electrical outlet a little more closely.  Here are the common types of units used for that purpose, in order of market penetration:

  • Intelligent Rack PDU’s
  • Rack mounted and small UPS units
  • Remote reboot devices

Rack PDU’s are Vulnerable

Intelligent Rack PDU’s are in high demand and use in server and telecom racks, and for good reason.  Most of them can measure power usage, provide reboot capabilities and allow you to better manage your rack systems.  The problem is that Rack PDU’s rely on SNMP as their primary form of communication.  SNMP was a great protocol in its day, but the most recent version, v3, is now 15 years old!  That brings me to a simple question: Would you trust a 15-year-old piece of software or “secure protocol” to manage your critical systems?  I think the answer is: NO.

SNMP Communications are Vulnerable

To make the point clearly, there was an excellent study done by a group at Georgia Tech University on the security of SNMPv3 specifically for the units listed above: PDU’s, UPS’s and Reboot Devices.  The study is available here and proves beyond any doubt that rack servers and telecom units connected to these systems are highly vulnerable.  Please note that the research report also shows that Distributed Denial of Service (DDoS) attacks can be launched by using these SNMP devices.  SNMP devices are being increasingly used in DDoS attacks because of their prevalence and their ability to be used in an amplification scheme, as the SANS Institute points out.

It’s clear from these reports that using any version of SNMP natively presents a risk to the systems being powered by these PDUs and UPSs.  In fact, it’s clear that power systems managed over open SNMP ports are not in compliance with Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley and other data standards.

Remote Reboot Devices are Extremely Vulnerable

While PDU’s and UPS’s that use SNMP are clearly vulnerable, there is actually one last item that we need to examine: Remote Reboot Devices.  We have examined several popular brands of Remote Power Reboot Devices and most of them allow control via simple HTTP access.  Please remember that HTTP has NO ENCRYPTION, so all your logins and passwords are passed over your network in clear text.  Now for the kicker: because the purpose of these devices is REMOTE rebooting, you primarily use them from outside your facility.

If you log in via HTTP to a reboot box over the Internet (the most common use of a reboot box), you are passing your login and password as PLAIN TEXT for anyone in the world to see.

I would encourage every reader of this blog to think about these facts and how secure your facility needs to be.  If you are covered under any data security standard, you must place a protective system between your rack PDU, UPS or Reboot device and your network.  Even if you are not under a security standard, if you use a Remote Reboot Device, you are placing your server’s life and data in the hands of anyone willing to make the effort to sniff your traffic.

RackGuardian was built from the ground-up to protect your rack assets from cyber or physical hackers.  At the same time, its patented remote control features provide a FULLY ENCRYPTED reboot authorization process with 2-Factor Authentication.  Please give us a call to confidentially discuss your rack security needs.  We are here to help you meet your compliance standards while continuing to give you the remote management capabilities that you need.

Until Next Time,

Be Well!