LinuxQuestions.org, Linux - Security forum
Old 05-23-2003, 02:47 AM   #1
PTBmilo (Member, registered Jan 2003, 167 posts)
specific-trap?


I noticed some unwarranted disk activity a minute ago and decided to tcpdump the network to see if something funny was going on. This is what I get:
Code:
17:24:22.700042 192.168.1.1.24433 > temple.flatland.org.snmptrap:  Trap(35)  E:3093.2.2.1 192.168.1.1 enterpriseSpecific[specific-trap(1)!=0] 164350778 [|snmp]
17:24:23.472621 192.168.1.1.24434 > temple.flatland.org.snmptrap:  Trap(35)  E:3093.2.2.1 192.168.1.1 enterpriseSpecific[specific-trap(1)!=0] 164350855 [|snmp]
17:24:24.174873 192.168.1.1.24435 > temple.flatland.org.snmptrap:  Trap(35)  E:3093.2.2.1 192.168.1.1 enterpriseSpecific[specific-trap(1)!=0] 164350926 [|snmp]
17:24:24.201780 192.168.1.1.24436 > temple.flatland.org.snmptrap:  Trap(35)  E:3093.2.2.1 192.168.1.1 enterpriseSpecific[specific-trap(1)!=0] 164350928 [|snmp]
17:24:25.464556 192.168.1.1.24437 > temple.flatland.org.snmptrap:  Trap(35)  E:3093.2.2.1 192.168.1.1 enterpriseSpecific[specific-trap(1)!=0] 164351055 [|snmp]
17:24:25.534745 192.168.1.1.24438 > temple.flatland.org.snmptrap:  Trap(35)  E:3093.2.2.1 192.168.1.1 enterpriseSpecific[specific-trap(1)!=0] 164351062 [|snmp]
17:24:25.583246 192.168.1.1.24439 > temple.flatland.org.snmptrap:  Trap(35)  E:3093.2.2.1 192.168.1.1 enterpriseSpecific[specific-trap(1)!=0] 164351066 [|snmp]
17:24:26.025506 192.168.1.1.24440 > temple.flatland.org.snmptrap:  Trap(35)  E:3093.2.2.1 192.168.1.1 enterpriseSpecific[specific-trap(1)!=0] 164351111 [|snmp]
17:24:26.265885 192.168.1.1.24441 > temple.flatland.org.snmptrap:  Trap(35)  E:3093.2.2.1 192.168.1.1 enterpriseSpecific[specific-trap(1)!=0] 164351135 [|snmp]
17:24:27.325679 192.168.1.1.24442 > temple.flatland.org.snmptrap:  Trap(35)  E:3
I've noticed this coming out of my router before, but just maybe a couple of packets every now and then... I was wondering W.T.F. this is.

Does anybody know what this traffic is? You think I've been cracked?
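As an added example (not part of the thread or the poster's own tooling), a small parser for tcpdump's SNMPv1 trap lines like the ones above: it counts traps per wall-clock second and checks whether the agent's sysUpTime advances in step with the capture clock, which is what consecutive traps from one live agent look like. The sample lines are constructed from the shape of the post's output with the wrapped enterprise field re-joined; the final truncated line is kept deliberately to show it being skipped.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the shape of the tcpdump lines from the post; the last
# line is cut short, as in the post, and must be skipped rather than mis-parsed.
SAMPLE = """\
17:24:22.700042 192.168.1.1.24433 > temple.flatland.org.snmptrap:  Trap(35)  E:3093.2.2.1 192.168.1.1 enterpriseSpecific[specific-trap(1)!=0] 164350778 [|snmp]
17:24:23.472621 192.168.1.1.24434 > temple.flatland.org.snmptrap:  Trap(35)  E:3093.2.2.1 192.168.1.1 enterpriseSpecific[specific-trap(1)!=0] 164350855 [|snmp]
17:24:24.174873 192.168.1.1.24435 > temple.flatland.org.snmptrap:  Trap(35)  E:3093.2.2.1 192.168.1.1 enterpriseSpecific[specific-trap(1)!=0] 164350926 [|snmp]
17:24:24.201780 192.168.1.1.24436 > temple.flatland.org.snmptrap:  Trap(35)  E:3093.2.2.1 192.168.1.1 enterpriseSpecific[specific-trap(1)!=0] 164350928 [|snmp]
17:24:25.464556 192.168.1.1.24437 > temple.flatland.org.snmptrap:  Trap(35)  E:3093.2.2.1 192.168.1.1 enterpriseSpecific[specific-trap(1)!=0] 164351055 [|snmp]
17:24:25.534745 192.168.1.1.24438 > temple.flatland.org.snmptrap:  Trap(35)  E:3093.2.2.1 192.168.1.1 enterpriseSpecific[specific-trap(1)!=0] 164351062 [|snmp]
17:24:25.583246 192.168.1.1.24439 > temple.flatland.org.snmptrap:  Trap(35)  E:3093.2.2.1 192.168.1.1 enterpriseSpecific[specific-trap(1)!=0] 164351066 [|snmp]
17:24:27.325679 192.168.1.1.24442 > temple.flatland.org.snmptrap:  Trap(35)  E:3
"""

# Fields of one SNMPv1 trap as tcpdump prints it: capture time, source, enterprise
# OID (tcpdump drops the 1.3.6.1.4.1 prefix), agent address, generic/specific
# trap numbers, then the agent's sysUpTime in hundredths of a second.
TRAP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{6}) (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>\S+)\.snmptrap:"
    r"\s+Trap\(\d+\)\s+E:(?P<ent>[\d.]+) (?P<agent>[\d.]+) (?P<generic>\w+)"
    r"\[specific-trap\((?P<specific>\d+)\)[^\]]*\]\s+(?P<uptime>\d+)")

def parse_traps(text):
    """One dict per complete trap line; truncated lines do not match and are skipped."""
    traps = []
    for line in text.splitlines():
        m = TRAP_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%H:%M:%S.%f")
        d["enterprise"] = int(d.pop("ent").split(".")[0])  # IANA enterprise number
        d["uptime"] = int(d["uptime"])
        traps.append(d)
    return traps

def traps_per_second(traps):
    """Traps per wall-clock second, keyed by HH:MM:SS (a burst shows up as a high count)."""
    return Counter(t["ts"].strftime("%H:%M:%S") for t in traps)

def uptime_tracks_clock(traps, tolerance_s=0.05):
    """True if sysUpTime deltas match capture-clock deltas, i.e. one live agent sending in sequence."""
    for a, b in zip(traps, traps[1:]):
        wall = (b["ts"] - a["ts"]).total_seconds()
        ticks = (b["uptime"] - a["uptime"]) / 100.0  # sysUpTime ticks are 1/100 s
        if abs(wall - ticks) > tolerance_s:
            return False
    return True
```

For the sample, every trap carries enterprise 3093 and specific-trap 1, three traps land in the same second, and the uptime deltas track the clock to within a few milliseconds.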
 
Old 05-23-2003, 04:31 AM   #2
unSpawn (Moderator, registered May 2001, 29,415 posts)
I doubt you're being cracked using SNMP. What do snmpd's logs say?
 
Old 05-23-2003, 01:54 PM   #3
PTBmilo (Member, Original Poster, registered Jan 2003, 167 posts)
I don't even have snmpd running. I was thinking that they could be some kind of malformed packets or something... but I don't really know how flexible the SNMP protocol/packet is.

Maybe it was an attempted D.o.S.?

My disk activity was up until the instant I brought down the interface, that's why I thought they might be on my system... I just can't figure out why the heck I was getting SOO many of those packets (there were a lot).

I'm running a Linksys router, and I've read about some vulnerabilities on them with the SNMP protocol... I could be way off here though.

What do you think?
 
Old 05-25-2003, 12:18 PM   #4
unSpawn (Moderator, registered May 2001, 29,415 posts)
Check out this and this.
 
Old 05-25-2003, 03:02 PM   #5
PTBmilo (Member, Original Poster, registered Jan 2003, 167 posts)
Thanks. It looks like I'm gonna have to play w/ the Linksys a bit when I get some time. I know that I had disabled PnP...

I think that the disk activity was probably from klogd, I didn't have a BURST limit in my tables.

<Got attacked again last night>

Ok, so even if I let this come through the Linksys (which I hopefully won't), is the DoS vulnerability really a security issue with me? Am I wrong in assuming that DoS attacks only pose a threat to the attacked port? Or is it a threat to any port? What about if it's all caught by iptables?
 
Old 05-26-2003, 07:14 AM   #6
unSpawn (Moderator, registered May 2001, 29,415 posts)
Quote: Is the DoS vulnerability really a security issue with me?
You can't classify the SNMP reporting/probing as a DoS unless it would severely bog down your connections. For classifying it as a threat to your Linksys and any boxen receiving SNMP you would need to first review the passwds, community strings etc etc.

Quote: Am I wrong in assuming that DoS attacks only pose a threat to the attacked port?
DoS stands for "Denial of Service" and it can mean different things, from someone being able to clog up your network connections or bogging down the box with processes to being able to make the box do things you didn't authorize.
There are some links in the first sticky thread of this forum, post #2, about DoS and DDoS; I suggest you read 'em.
 
Old 05-26-2003, 03:09 PM   #7
PTBmilo (Member, Original Poster, registered Jan 2003, 167 posts)
Thank you... I'll do just that (read the links).