UDP flood causing SNMP false alarm
16 March 2019 
No Comment
Sometimes monitoring server that use SNMP to monitor the service will show service down even though the service is not down. This is because of UDP flood to SNMP service triggering the false alarm. The port flooding causing monitoring server failed to retrieve information from the problem server.
SNMP DDOS example :
root@svr29 [~]# tail -f /var/log/messages Nov 11 10:42:47 svr29 snmpd[28113]: Connection from UDP: [201.229.x.x]:1025 Nov 11 10:42:50 svr29 snmpd[28113]: Connection from UDP: [201.229.x.x]:1025 Nov 11 10:42:53 svr29 snmpd[28113]: Connection from UDP: [24.201.x.x]:1025 Nov 11 10:42:53 svr29 snmpd[28113]: Connection from UDP: [24.201.x.x]:1025 Nov 11 10:43:31 svr29 snmpd[28113]: Connection from UDP: [103.x.x.x]:45655 Nov 11 10:44:34 svr29 snmpd[28113]: Connection from UDP: [103.x.x.x]:41150
Just block using CSF firewall :
root@svr29 [~]# csf -d 201.229.x.x root@svr29 [~]# csf -d 24.201.x.x
Then make sure after that the incoming connection only come from monitoring server :
root@svr29 [~]# tail -f /var/log/messages | grep "Connection from UDP" Nov 11 10:44:34 svr29 snmpd[28113]: Connection from UDP: [103.x.x.x]:40872 Nov 11 10:44:34 svr29 snmpd[28113]: Connection from UDP: [103.x.x.x]:55844 Nov 11 10:44:34 svr29 snmpd[28113]: Connection from UDP: [103.x.x.x]:41199
*Update
There is another way better to counter this issue using /etc/hosts.allow. No need for firewall block.
Setting sample inside /etc/hosts.allow
. . #snmpd snmpd : 103.x.x.x : allow snmpd : ALL : deny
Log output:
Nov 15 11:19:05 svr29 snmpd[14384]: Connection from UDP: [142.167.x.x]:8699 REFUSED Nov 15 11:19:06 svr29 snmpd[14384]: Connection from UDP: [142.167.x.x]:19461 REFUSED Nov 15 11:19:08 svr29 snmpd[14384]: Connection from UDP: [142.167.x.x]:8920 REFUSED Nov 15 11:19:09 svr29 snmpd[14384]: Connection from UDP: [142.167.x.x]:41155 REFUSED
Original post here.
Leave your response!