Intro

This guide covers configuring SNMPv3 access, demonstrates how the resulting vulnerabilities could be exploited, and outlines countermeasures to address these weaknesses effectively.

Network device planes.

Note: The examples are being done on Cisco platforms but still apply to network infrastructure in general.

SNMPv3 access

Set a contact and location (optional):

snmp-server contact Admin
snmp-server location London HQ

Configure a SNMPv3 group:

snmp-server group MY-GROUP v3 priv

Configure a SNMPv3 user:

Specify which protocols to use for authentication and encrytion and write them down.

Use this table for documentation.

Variable	Value
username	admin
group name	MY_GROUP
SNMP version	v3
authentication algorithm	SHA
authentication key	AUTHKEY123
Encryption algorithm	AES 128
Encryption key	PRIVKEY123

snmp-server user admin MY-GROUP v3 auth sha AUTHKEY123 priv aes 128 PRIVKEY123

Note: For unknown reasons the MIB browsers won’t be able to retrieve GET when using AES 256, when I change to AES 128 it works… (we should use 256).

Note: You can specify the level of access to the MIB on the configuration, we are allowing all of it by default.

Set an SNMP server:

If you need to send traps somewhere (you can still poll without it).

snmp-server host 172.16.10.12 version 3 priv admin
snmp-server enable traps 
end

On the other end (Monitoring tool), use the created table and make sure everything matches.

Verification

See that the user is configured

RTR# show snmp user

User name: admin
Engine ID: 800000090300B0FEEB64B388
storage-type: nonvolatile        active
Authentication Protocol: SHA
Privacy Protocol: AES128
Group-name: MY-GROUP

From the montoring tool host run Wireshark or tcpdump to look for snmp traffic.
Use an snmp tester like the one below to poll some OIDs

Polling interfaces from SNMP tester.

Note: You can decrypt SNMPv3 in wireshark to see OID information in transit, guide here

Deleting a user

snmp-server engineid local "original engineid"
no snmp-server user "username" "group" "version"

Control Plane Protection

Attack

Attack the The control-plane host subinterface (that manages SNMP).

Use snmpwalk to increase CPU usage.

root@ubuntu-home:~# snmpwalk -v3 -l authPriv -u admin -a SHA -A AUTHKEY123 -x AES -X PRIVKEY123 172.16.10.63 1

In the above video I’m launching four sessions towards a non production router, note how the CPU utilization over one minute goes to 24%.

Countermeasure

How to keep SNMP available without exposing our infrastructure to an overflow attack?

Enter control plane policing (CoPP), an application of quality of service (QoS) technologies in a security context.

The core functions of CoPP are:

Permit
Drop
Rate-Limit

A limitation of CoPP is that applies to all traffic (via a single virtual interface).

So, to be more specific on what we want to filter we will use a functionality called Control Plane Protection (CPPr).

Graphical representation of CPPr.

“CPPr extends CoPP functionality;

by automatically classifying cpu bound traffic

To three queues of subinterfaces.”

CPPr Configuration

Create traffic class

Use an ACL to define interesting traffic:

ACL name	protocol	src ip	dst ip	dst port
SNMP_CPPr_ACL	UDP	any	any	161

ip access-list extended SNMP_CPPr_ACL
	permit UDP any any eq 161

Then create a class map to classify traffic:

Class Map name	Match
SNMP_CPPr_CLASS	ACL name: SNMP_CPPr_ACL

class-map SNMP_CPPr_CLASS
	match access-group name SNMP_CPPr_ACL

Create traffic policy

Configure a policy map:

Class name	Action
SNMP_CPPr_CLASS	Police to 64 kbps with 1500 Bytes burst size

policy-map CPP
	class SNMP_CPPr_CLASS
		police rate 64000 bps burst 1500 bytes conform-action transmit exceed-action drop violate-action drop

Conform-action TRANSMIT
Exceed-action DROP
Violate-action DROP

Apply policy to CCPr sub-interface

control-plane
	service-policy input CPP
	end

Verification

show policy-map control-plane input

 Control Plane 

  Service-policy input: CPP 

    Class-map: SNMP_CPPr_CLASS (match-all) 
      1342 packets, 245640 bytes
      5 minute offered rate 10000 bps, drop rate 4000 bps 
      Match: access-group name SNMP_CPPr_ACL
      police: 
          rate 64000 bps, burst 1500 bytes, peak-burst 1500 bytes 
        conformed 1039 packets, 189742 bytes; actions:
          transmit
        exceeded 303 packets, 55898 bytes; actions:
          drop
        violated 0 packets, 0 bytes; actions: 
          drop 
        conformed 10000 bps, exceeded 4000 bps, violated 0000 bps

Issue snmpwalk again

Note on the linux terminals, how the data is being polled at the given rate. On the cisco router, conformed and exceeded traffic is being accounted for.

Tools

These are some MIB browsers/snmp testers:

PREVIOUSAPIs

NEXTAccess Control cheat-sheet