Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Open SNMP service used for an atack

    Scheduled Pinned Locked Moved Routing and Multi WAN
    5 Posts 2 Posters 879 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      moisesdfelix
      last edited by

      Caros, alguém já recebeu está notificação do Cert.BR ?

      You appear to be running an open SNMP server at IP address 201.25.71.x that participated in an attack against a customer of ours, generating large UDP responses to spoofed queries, with those responses becoming fragmented because of their size.

      Please consider reconfiguring your SNMP-speaking device in one or more of these ways:

      • Block queries made by unauthorized addresses. This can be done with an ACL or other firewall rule.
      • Use a different query string than "public" and which cannot be easily guessed by a 3rd party.
      • Disable SNMP entirely.
      1 Reply Last reply Reply Quote 0
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        From the message it sounds like you have SNMP open on your WAN, which is bad. Don't do that. Fix your rules so only your SNMP server can reach the SNMP port, and never do that over a WAN as it's insecure.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        M 1 Reply Last reply Reply Quote 1
        • M
          moisesdfelix @jimp
          last edited by

          @jimp Thank you. would you be able to exemplify how I can restrict WAN SNMP access via Firewall rules or ACLs?

          1 Reply Last reply Reply Quote 0
          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            By default nothing is allowed in WAN, so one or more of your existing rules on the WAN must be allowing access to SNMP, assuming the report is legitimate.

            If you post a screenshot of your WAN rules then others here can look them over and help determine what is wrong.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            1 Reply Last reply Reply Quote 1
            • M
              moisesdfelix
              last edited by moisesdfelix

              @jimp I created this rule on the WAN (attachment) but I do not know if it is enough. Port 161 was released in the output table and deletes it.

              0_1537387029382_SNMP blocking.png

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.