snmp attack

ahmad82pkn (Level 3)

Hi, I have a site-to-site IPsec VPN with a client.

Recently I saw 100% CPU on my router, and sh process cpu sorted shows SNMP-Engine eating all the CPU.

When I disabled snmp-server on my router, everything is good.

In debug I can see some strange packets coming from my CLIENT side subnets.

How can I block them?

I tried denying SNMP on the border interface, but no success. Any suggestion how I can block them? The client is unable to block it on his side towards me :-s

May 22 12:10:33.358: SNMP: Response, reqid 657, errstat 0, erridx 0
ipNetToMediaEntry.2.18.10.10.164.200 = 00 17 59 26 5D C0
ipNetToMediaEntry.3.18.10.10.164.200 = 10.10.164.200
ipNetToMediaEntry.4.18.10.10.164.200 = 3
ipNetToMediaEntry.1.18.10.10.164.200 = 18
ipNetToMediaEntry.2.18.10.10.164.228 = 00 17 59 26 5D C0
ipNetToMediaEntry.3.18.10.10.164.228 = 10.10.164.228
ipNetToMediaEntry.4.18.10.10.164.228 = 3
ipNetToMediaEntry.1.18.10.10.164.228 = 18
ipNetToMediaEntry.2.18.10.10.164.238 = 00 17 59 26 5D C0
ipNetToMediaEntry.3.18.10.10.164.238 = 10.10.164.238
ipNetToMediaEntry.4.18.10.10.164.238 = 3
ipNetToMediaEntry.1.18.10.10.164.238 = 18
ipNetToMediaEntry.2.18.10.10.164.250 = 00 17 59 26 5D C0
ipNetToMediaEntry.3.18.10.10.164.250 = 10.10.164.250
ipNetToMediaEntry.4.18.10.10.164.250 = 3
ipNetToMediaEntry.1.18.10.10.164.250 = 18
ipNetToMediaEntry.2.18.10.10.165.11 = 00 17 59 26 5D C0
ipNetToMediaEntry.3.18.10.10.165.11 = 10.10.165.11
ipNetToMediaEntry.4.18.10.10.165.11 = 3
ipNetToMediaEntry.1.18.10.10.165.11 = 18
ipNetToMediaEntry.2.18.10.10.165.57 = 00 17 59 26 5D C0
ipNetToMediaEntry.3.18.10.10.165.57 = 10.10.165.57
ipNetToMediaEntry.4.18.10.10.165.57 = 3
ipNetToMediaEntry.1.18.10.10.165.57 = 18
ipNetToMediaEntry.2.18.10.10.165.60 = 00 17 59 26 5D C0
ipNetToMediaEntry.3.18.10.10.165.60 = 10.10.165.60
ipNetToMediaEntry.4.18.10.10.165.60 = 3
ipNetToMediaEntry.1.18.10.10.165.60 = 18
ipNetToMediaEntry.2.18.10.10.165.100 = 00 17 59 26 5D C0
ipNetToMediaEntry.3.18.10.10.165.100 = 10.10.165.100
ipNetToMediaEntry.4.18.10.10.165.100 = 3
ipNetToMediaEntry.1.18.10.10.165.100 = 18
ipNetToMediaEntry.2.18.10.10.165.128 = 00 17 59 26 5D C0
ipNetToMediaEntry.3.18.10.10.165.128 = 10.10.165.128
ipNetToMediaEntry.4.18.10.10.165.128 = 3
ipNetToMediaEntry.1.18.10.10.165.128 = 18
ipNetToMediaEntry.2.18.10.10.165.131 = 00 17 59 26 5D C0
ipNetToMediaEntry.3.18.10.10.165.131 = 10.10.165.131
ipNetToMediaEntry.4.18.10.10.165.131 = 3
ipNetToMediaEntry.1.18.10.10.165.131 = 18
ipNetToMediaEntry.2.18.10.10.165.146 = 00 17 59 26 5D C0
ipNetToMediaEntry.3.18.10.10.165.146 = 10.10.165.146
ipNetToMediaEntry.4.18.10.10.165.146 = 3
ipNetToMediaEntry.1.18.10.10.165.146 = 18
ipNetToMediaEntry.2.18.10.10.165.150 = 00 17 59 26 5D C0
ipNetToMediaEntry.3.18.10.10.165.150 = 10.10.165.150
ipNetToMediaEntry.4.18.10.10.165.150 = 3
ipNetToMediaEntry.1.18.10.10.165.150 = 18
ipNetToMediaEntry.2.18.10.10.165.159 = 00 17 59 26 5D C0
ipNetToMediaEntry.3.18.10.10.165.159 = 10.10.165.159
ipNetToMediaEntry.4.18.10.10.165.159 = 3

Accepted Solution

cflory (Level 1)

Here's a link that might prove helpful:

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094489.shtml

Essentially, you can secure your SNMP communities by getting away from public and private, as well as secure access via an ACL.

HTH!

-Chris


Hi cflory,

Thank you for this useful document.

After creating the discussion here, I also found the same and fixed the issue, and it works, so you get full marks. Thank you for your knowledge sharing.

Hi,

Alternatively, you can configure your end client to send only particular MIB queries...

This is generally done by configuring snmp-server view "included" statements...

Please rate if helpful !!!

HTH,

Smitesh
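Putting the accepted answer (non-default community plus ACL) and Smitesh's view suggestion together as one IOS configuration, as an added example that is not from anyone in the thread: the ACL limits which hosts may query the agent at all, the view hides the ARP-cache table (ipNetToMediaTable, 1.3.6.1.2.1.4.22, which is exactly what the debug output above shows being walked), and the community is bound to both. The management-station address and the community string are placeholders; the client subnets are the 10.10.164.x/165.x ranges seen in the debug.

```cisco
! Added example (not from the thread). Placeholders: NMS at 192.0.2.10,
! community string Xk9-PLACEHOLDER. Replace both before use.
!
! 1. Only the management station may source SNMP; everything else
!    (including the VPN client subnets 10.10.164.x/165.x) is dropped and logged.
ip access-list standard SNMP-MGMT
 permit 192.0.2.10
 deny   any log
!
! 2. A view that exposes MIB-2 for monitoring but excludes the ARP cache
!    table (ipNetToMediaTable = 1.3.6.1.2.1.4.22) that was being walked.
snmp-server view MONITOR 1.3.6.1.2.1 included
snmp-server view MONITOR 1.3.6.1.2.1.4.22 excluded
!
! 3. Remove the default communities and add a non-default, read-only one
!    restricted to the view and the ACL above.
no snmp-server community public
no snmp-server community private
snmp-server community Xk9-PLACEHOLDER view MONITOR RO SNMP-MGMT
!
! Verify: community/ACL binding, ACL hit counters (log entries show who is
! still trying), and that SNMP ENGINE has dropped out of the top CPU consumers.
show snmp community
show access-lists SNMP-MGMT
show processes cpu sorted | include SNMP
```

Denying UDP/161 on the border interface alone did not help the original poster because the queries arrive inside the IPsec tunnel; binding the ACL to the community is evaluated by the SNMP agent itself, regardless of which interface the decrypted packet came in on.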