Greetings. This week’s blog is about SNMP Denial of Service attacks on Rack PDUs. Rack Power Distribution Units, or PDUs, are a standard feature in every rack and are used to distribute power within the rack through individual outlets. Almost all PDUs used in server and telecom racks today are intelligent, in that they use SNMP to report their status to a central console or trap receiver.
A Denial of Service (DoS) attack or a Distributed Denial of Service (DDoS) attack can cripple any organization. DoS attacks seek to overwhelm the network with volumes of traffic large enough to stop it from operating. To launch a DDoS attack, a hacker needs many devices that speak the same protocol, and SNMP is becoming a favorite of hackers.
In terms of sheer numbers, Rack PDUs are among the most prevalent devices in your network, trailing only servers and switches. That makes them an attractive base from which a hacker can launch a very destructive Distributed Denial of Service (DDoS) attack. The fact that so many of your Rack PDUs are tucked away in remote server rooms makes them that much more vulnerable to attack.
To get to the heart of this, let’s take a quick look at DDoS and reflection/amplification. The reflection component of this attack happens when someone spoofs one of your active IP addresses as the source of SNMP queries. The hacker sends SNMP requests to a large number of devices, such as Rack PDUs, with your IP address as the forged source, so every one of those devices sends its response to your address. As the hacker adds more SNMP devices to the request list, the volume grows and can reach into the gigabytes per second. To up the ante, the bad guys can use techniques that elicit huge responses to each SNMP query, amplifying the original request by well over 1000 times. A nice article with a diagram of this can be found here.
USENIX, the Advanced Computing Systems Association, has identified SNMP as the second largest source of Reflection/Amplification DDoS attacks, and they list Power Distribution Units as one of the specific device types that can easily be used in such an attack. Because SNMP, even SNMPv3, is no longer secure, as can be seen in this excellent peer-reviewed article, it is clear that your PDUs are a ready source for DDoS attacks and it is important that you secure them.
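The reflection mechanism described above leaves a clear footprint on the defender’s side: PDU management interfaces answering UDP/161 requests from addresses that are not your monitoring station, with replies many times larger than the requests. The script below is an added example, not code from this blog or from RackGuardian, that scans flow records for that footprint. It assumes the flows have already been exported (NetFlow/IPFIX or similar) and reduced to source/destination address, port and byte counts; the allowed-manager address, the PDU subnet, the amplification threshold and the sample flows are all constructed for the demonstration.

```python
"""Spot SNMP reflection/amplification abuse of rack PDUs in flow records.

Added example for this blog post; the PDU subnet, the allowed manager,
the threshold and the flow records are all hypothetical/constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical: the only hosts that are supposed to poll the PDUs.
ALLOWED_MANAGERS = {"10.0.0.5"}
# Hypothetical: subnet where the PDU management interfaces live.
PDU_NET = ip_network("10.20.0.0/24")
SNMP_PORT = 161
# Response-bytes / request-bytes ratio above which we call it amplification.
AMP_THRESHOLD = 10.0

# Constructed flow records: (src, sport, dst, dport, bytes, packets).
SAMPLE_FLOWS = [
    # A normal poll from the monitoring station and the PDU's reply.
    ("10.0.0.5", 51234, "10.20.0.11", 161, 120, 2),
    ("10.20.0.11", 161, "10.0.0.5", 51234, 980, 2),
    # Small requests arriving "from" 203.0.113.9, an address that never
    # polls these PDUs (this is what a spoofed-source reflection looks like).
    ("203.0.113.9", 40000, "10.20.0.11", 161, 90, 1),
    ("203.0.113.9", 40000, "10.20.0.12", 161, 90, 1),
    ("203.0.113.9", 40000, "10.20.0.13", 161, 90, 1),
    # The PDUs dutifully answer that address with large responses.
    ("10.20.0.11", 161, "203.0.113.9", 40000, 60000, 41),
    ("10.20.0.12", 161, "203.0.113.9", 40000, 58000, 40),
    ("10.20.0.13", 161, "203.0.113.9", 40000, 61000, 42),
]


def is_pdu(ip: str) -> bool:
    """True if the address belongs to the PDU management subnet."""
    return ip_address(ip) in PDU_NET


def analyze(flows):
    """Return one finding per (requester, PDU) pair that is either polled by
    an unauthorized address or answered with a suspiciously high
    response/request byte ratio."""
    req_bytes = defaultdict(int)   # (requester, pdu) -> bytes sent to the PDU
    resp_bytes = defaultdict(int)  # (requester, pdu) -> bytes sent by the PDU
    for src, sport, dst, dport, nbytes, _packets in flows:
        if dport == SNMP_PORT and is_pdu(dst):
            req_bytes[(src, dst)] += nbytes
        elif sport == SNMP_PORT and is_pdu(src):
            resp_bytes[(dst, src)] += nbytes

    findings = []
    for (requester, pdu), out_b in resp_bytes.items():
        in_b = req_bytes.get((requester, pdu), 0)
        # A response with no matching request at all is the strongest signal.
        ratio = out_b / in_b if in_b else float("inf")
        allowed = requester in ALLOWED_MANAGERS
        if not allowed or ratio >= AMP_THRESHOLD:
            findings.append({
                "requester": requester,
                "pdu": pdu,
                "request_bytes": in_b,
                "response_bytes": out_b,
                "amplification": round(ratio, 1),
                "requester_allowed": allowed,
            })
    return findings


def victims(findings):
    """Total bytes our PDUs fired at each suspicious requester, i.e. the
    addresses being reflected onto."""
    totals = defaultdict(int)
    for f in findings:
        totals[f["requester"]] += f["response_bytes"]
    return dict(totals)


if __name__ == "__main__":
    hits = analyze(SAMPLE_FLOWS)
    for h in hits:
        print(f"{h['pdu']} -> {h['requester']}: {h['response_bytes']} B out, "
              f"x{h['amplification']} amplification, "
              f"manager allowed={h['requester_allowed']}")
    print("reflected onto:", victims(hits))
```

The legitimate poll from 10.0.0.5 is not reported: the requester is on the allow list and its reply ratio stays under the threshold. The three flows toward 203.0.113.9 are reported on both counts, and `victims()` sums how much traffic your racks contributed toward that address, which is the number you would want when contacting the owner of the targeted network or tuning an egress filter on the PDU subnet.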
We ask all readers of this blog to take a look at how many PDUs you have under management. We then ask that you consider that you can’t manage what you can’t secure. Please take a look at how RackGuardian can protect each of your critical racks. It is the only system that completely shuts out cyber intruders while giving you all the management information about your systems that you require.
Until next time.