SNMP: Spike in Brute-force Attempts Recently Observed
Simple Network Monitoring Protocol (SNMP) has been widely deployed as an important network management tool for decades, is a key component of scalable network device management, and is configurable in nearly all network infrastructure devices sold today. As with any management protocol, if not configured securely, it can be leveraged as an opening for attackers to gain access to the network and begin reconnaissance of network infrastructure. In the worst case, if read-write community strings are weak or not properly protected, attackers could directly manipulate device configurations.
Cisco has recently seen a spike in brute-force attempts to access networking devices configured for SNMP using the standard ports (UDP ports 161 and 162). Attacks we’ve observed have been going after well known SNMP community strings and are focused on network edge devices. We have been working with our Technical Assistance Center (TAC) to assist customers in mitigating any problems caused by the brute-force attempts.
While there’s nothing new about brute-force attacks against network devices, in light of these recent findings, customers may want to revisit their SNMP configurations and ensure they follow security best practices, including using strong passwords and community strings and using ACLs to restrict access to trusted network management endpoints.
Cisco has published a number of best practices documents for securing the management plane, including SNMP configuration:
- Securing Simple Network Management Protocol
- IOS SNMP Configuration Best Practices Guide
- Cisco Guide to Securing Cisco NX-OS Software Devices White Paper
- Cisco Firewall Best Practice Guide
- Cisco Guide to Harden Cisco IOS XR Devices
- Cisco TelePresence Hardening Guide
- Additional Cisco Network Security Documents