UDP flood causing SNMP false alarm

Sometimes monitoring server that use SNMP to monitor the service will show service down even though the service is not down. This is because of UDP flood to SNMP service triggering the false alarm. The port flooding causing monitoring server failed to retrieve information from the problem server.

SNMP DDOS example :

[email protected] [~]# tail -f /var/log/messages
Nov 11 10:42:47 svr29 snmpd[28113]: Connection from UDP: [201.229.x.x]:1025
Nov 11 10:42:50 svr29 snmpd[28113]: Connection from UDP: [201.229.x.x]:1025
Nov 11 10:42:53 svr29 snmpd[28113]: Connection from UDP: [24.201.x.x]:1025
Nov 11 10:42:53 svr29 snmpd[28113]: Connection from UDP: [24.201.x.x]:1025
Nov 11 10:43:31 svr29 snmpd[28113]: Connection from UDP: [103.x.x.x]:45655
Nov 11 10:44:34 svr29 snmpd[28113]: Connection from UDP: [103.x.x.x]:41150

Just block using CSF firewall :

[email protected] [~]# csf -d 201.229.x.x
[email protected] [~]# csf -d 24.201.x.x

Then make sure after that the incoming connection only come from monitoring server :

[email protected] [~]# tail -f /var/log/messages | grep "Connection from UDP"
Nov 11 10:44:34 svr29 snmpd[28113]: Connection from UDP: [103.x.x.x]:40872
Nov 11 10:44:34 svr29 snmpd[28113]: Connection from UDP: [103.x.x.x]:55844
Nov 11 10:44:34 svr29 snmpd[28113]: Connection from UDP: [103.x.x.x]:41199

*Update
There is another way better to counter this issue using /etc/hosts.allow. No need for firewall block.
Setting sample inside /etc/hosts.allow

.
.

#snmpd
snmpd : 103.x.x.x : allow
snmpd : ALL : deny

Log output:

Nov 15 11:19:05 svr29 snmpd[14384]: Connection from UDP: [142.167.x.x]:8699 REFUSED
Nov 15 11:19:06 svr29 snmpd[14384]: Connection from UDP: [142.167.x.x]:19461 REFUSED
Nov 15 11:19:08 svr29 snmpd[14384]: Connection from UDP: [142.167.x.x]:8920 REFUSED
Nov 15 11:19:09 svr29 snmpd[14384]: Connection from UDP: [142.167.x.x]:41155 REFUSED

Original post here.

Leave a Reply

Your email address will not be published. Required fields are marked *