
UDP flood causing SNMP false alarm

16 March 2019

Sometimes a monitoring server that uses SNMP to check a service will report the service as down even though it is up. The cause is a UDP flood against the SNMP service: the port flooding prevents the monitoring server from retrieving information from the affected server, and that failed poll triggers the false alarm.

SNMP DDoS example:

root@svr29 [~]# tail -f /var/log/messages
Nov 11 10:42:47 svr29 snmpd[28113]: Connection from UDP: [201.229.x.x]:1025
Nov 11 10:42:50 svr29 snmpd[28113]: Connection from UDP: [201.229.x.x]:1025
Nov 11 10:42:53 svr29 snmpd[28113]: Connection from UDP: [24.201.x.x]:1025
Nov 11 10:42:53 svr29 snmpd[28113]: Connection from UDP: [24.201.x.x]:1025
Nov 11 10:43:31 svr29 snmpd[28113]: Connection from UDP: [103.x.x.x]:45655
Nov 11 10:44:34 svr29 snmpd[28113]: Connection from UDP: [103.x.x.x]:41150

Just block the offending sources with the CSF firewall:

root@svr29 [~]# csf -d 201.229.x.x
root@svr29 [~]# csf -d 24.201.x.x

Then make sure that, after the block, the incoming connections only come from the monitoring server:

root@svr29 [~]# tail -f /var/log/messages | grep "Connection from UDP"
Nov 11 10:44:34 svr29 snmpd[28113]: Connection from UDP: [103.x.x.x]:40872
Nov 11 10:44:34 svr29 snmpd[28113]: Connection from UDP: [103.x.x.x]:55844
Nov 11 10:44:34 svr29 snmpd[28113]: Connection from UDP: [103.x.x.x]:41199

*Update
There is another, better way to counter this issue: using /etc/hosts.allow, so no firewall block is needed.
Sample setting inside /etc/hosts.allow:

.
.

#snmpd
snmpd : 103.x.x.x : allow
snmpd : ALL : deny

Log output:

Nov 15 11:19:05 svr29 snmpd[14384]: Connection from UDP: [142.167.x.x]:8699 REFUSED
Nov 15 11:19:06 svr29 snmpd[14384]: Connection from UDP: [142.167.x.x]:19461 REFUSED
Nov 15 11:19:08 svr29 snmpd[14384]: Connection from UDP: [142.167.x.x]:8920 REFUSED
Nov 15 11:19:09 svr29 snmpd[14384]: Connection from UDP: [142.167.x.x]:41155 REFUSED
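The two log excerpts above are read by eye in the post. The script below is an added example (not part of the original post) that does the same triage automatically: it summarises snmpd "Connection from UDP" lines per source address, separates accepted from REFUSED connections, and lists every source that snmpd accepted but that is not the monitoring server, i.e. the addresses the post blocks with csf -d before the hosts.allow fix. The log lines are constructed from the post's format with documentation-range addresses, and the monitoring server address 203.0.113.10 is an assumed placeholder.

```shell
#!/bin/bash
# Added example: summarise snmpd UDP connection log lines per source.
# Assumption: the monitoring server is 203.0.113.10 (placeholder address).
MONITOR_IP="203.0.113.10"

# Constructed sample log, modelled on the post's /var/log/messages output.
# The last line is a non-snmpd entry to show that it is ignored.
SAMPLE_LOG='Nov 11 10:42:47 svr29 snmpd[28113]: Connection from UDP: [198.51.100.7]:1025
Nov 11 10:42:50 svr29 snmpd[28113]: Connection from UDP: [198.51.100.7]:1025
Nov 11 10:42:53 svr29 snmpd[28113]: Connection from UDP: [192.0.2.44]:1025
Nov 11 10:42:53 svr29 snmpd[28113]: Connection from UDP: [192.0.2.44]:1025
Nov 11 10:43:31 svr29 snmpd[28113]: Connection from UDP: [203.0.113.10]:45655
Nov 11 10:44:34 svr29 snmpd[28113]: Connection from UDP: [203.0.113.10]:41150
Nov 15 11:19:05 svr29 snmpd[14384]: Connection from UDP: [198.51.100.7]:8699 REFUSED
Nov 15 11:19:06 svr29 sshd[2201]: Accepted publickey for root from 203.0.113.10 port 50000'

# snmp_sources LOGTEXT
# Prints "count ip status" per (source, status) pair, where status is
# "accepted" or "REFUSED", highest count first (ties sorted by address).
snmp_sources() {
    printf '%s\n' "$1" \
    | grep 'snmpd\[[0-9]*\]: Connection from UDP:' \
    | sed -E 's/.*Connection from UDP: \[([^]]+)\]:[0-9]+ ?(REFUSED)?.*/\1 \2/' \
    | awk '{ status = ($2 == "") ? "accepted" : $2; cnt[$1 " " status]++ }
           END { for (k in cnt) print cnt[k], k }' \
    | sort -k1,1nr -k2,2
}

# unexpected_sources LOGTEXT
# Source addresses that snmpd actually answered (not REFUSED) and that are
# not the monitoring server: candidates for csf -d or a hosts.allow deny.
unexpected_sources() {
    snmp_sources "$1" \
    | awk -v mon="$MONITOR_IP" '$3 == "accepted" && $2 != mon { print $2 }' \
    | sort -u
}

# refused_count LOGTEXT
# Number of distinct sources that hosts.allow is already turning away.
refused_count() {
    snmp_sources "$1" | awk '$3 == "REFUSED"' | wc -l | tr -d ' '
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    echo "== connections per source =="; snmp_sources "$SAMPLE_LOG"
    echo "== accepted sources other than the monitoring server =="
    unexpected_sources "$SAMPLE_LOG"
    echo "== sources refused by hosts.allow: $(refused_count "$SAMPLE_LOG") =="
fi
```

In production, replace the constructed SAMPLE_LOG with the real file, e.g. `snmp_sources "$(cat /var/log/messages)"`. The REFUSED suffix only appears when snmpd was built with TCP-wrappers (libwrap) support, which is what makes the /etc/hosts.allow rules from the update take effect; if a source that should be denied still shows up as "accepted" after the update, that build option is the first thing to check.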

Original post here.
