On 8/30/12 8:13 PM, Full Disclosure wrote: > Hi list, > > I am releasing this code due to the fact that my dev server got hacked and > people have been using it in the wild for bad things. > > Network admins should patch their networks appropriately by rejecting snmp > connections from unwanted IPs. > > >
The quoted code is actually nothing more than a regular threaded UDP flood DoS tool, both SNMP spoofed requests and responses are equally 65 bytes (no reflection). Make a simple network capture for verification. The payload is a mis-used .1.3.6.1 getBulk SNMP request resulting in a null value response. A sample perl script with the biggest reflection factor per transaction achieved on Cisco devices is available here [1] (Amplification = 84 bytes request / 1480 bytes response). For more information about SNMP reflection DoS you may refer to this link [2]. The quoted code reminds me an old implementation on the same concept [3]. [1] http://pastebin.com/M9cJs89h [2] https://bechtsoudis.com/hacking/snmp-reflected-denial-of-service/ [3] http://packetstormsecurity.org/DoS/snmpdos.c -A -- #----------------------------------------------# | Anestis Bechtsoudis | | | | Network Operation Center, | | Laboratory for Computing (LabCom), | | Dept. of Computer Engineering & Informatics, | | University of Patras, Greece | |----------------------------------------------| | Public Key: http://bit.ly/Q2f5gW | | Website: https://bechtsoudis.com | #----------------------------------------------# _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
