Curious SNMP Traffic Spike

Published: 2016-09-08
Last Updated: 2016-09-08 18:40:02 UTC
by Kevin Shortt (Version: 1)
7 comment(s)

It could be nothing.  It could be something.

The ISC HoneyPot has been showing some port 161 traffic.

12:08:27.874575 IP x.x.x.x.12458 > y.y.y.y.161: GetRequest(28) .1.3.6.1.2.1.1.1.0
12:09:10.952260 IP z.z.z.z.12458 > a.a.a.a.161: GetRequest(28) .1.3.6.1.2.1.1.1.0

12:09:52.802179 IP b.b.b.b.12458 > c.c.c.c.161: GetRequest(28) .1.3.6.1.2.1.1.1.0


So I did some poking around, read some articles [1]   and found some simlarities, etc.  No real testing per se yet.  Then after yesterday's data was collected, the ISC port data showed a curious correlation.   So I am turning to our readers.  Can any of you offer any corroborating data or anecdotes.    The pic [3]   below shows a triple in sources on Aug 11 near the time when some of the recent Cisco vulnerabilities became well known. [2]    Then a similar spike yesterday.   The numbers do not entirely warrant a deep dive, however, knowing about the events surrounding port 161 from Aug 13 (or near there), there could be something to it.
















[1] http://blog.level3.com/security/shadow-brokers-hit-light-of-day/
[2] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp
​[3] https://isc.sans.edu/port.html?port=161
 

​Please leave a comment if you see anything that correlates in your travels.

-Kevin

--
ISC Handler on Duty

Keywords: SNMP
7 comment(s)

Comments

I get tons of SNMP traffic, usually combined with telnet and ping/traceroute. It's been a couple years now, and as usual, my ISP doesn't care about spoofed traffic.
The request: 1.3.6.1.2.1.1.1.0 seems to be related to AirNovo Wireless Access Point
http://www.alvestrand.no/objectid/1.3.6.1.2.1.1.1.0.html
Nope, this is the default SNMP branch (sysDesc)
http://www.alvestrand.no/objectid/1.3.6.1.2.1.1.1.html
I would say this is a way of trying to guess what your device is to prepare for a specific attack.
I see a similar spike in SNMP requests in my logs on Sep 6-Sep 7. Went back to baseline levels on Sep 8. All IP's were already in my log for earlier SNMP probing though, so it seems they cranked up their activity for a short while.
Hi there,

what is the name of tool ?

Thanks
Related to the CISCO ASA vuln?

Diary Archives