|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: snmp vuln
On (2004-04-21 23:24 -0700), Alexei Roudnev wrote: > If you ever read SNMP specs, you can realize, that there is not any C or C++ > SNMP implementation without such problem. So, rule number 1 is _never > expose SNMP to Internet, and be careful to filter out any inbound packets, > forwarded to your SNMP ports. Which makes me wonder, why in most implementations services listen in each configured address. Provider might have lot of link networks, even from customers demand from his link network. This makes filtering in borders little less feasible. And for this particular attack two way comminication is not needed, so SNMP with ACL is not enought to mitigate this. With explicitly defined listen addresses, filtering in border would be easy. JunOS allows to set interfaces to SNMP, but according to netstat it still listens in *.161. -- ++ytti
|