SNMP and Other TCP/IP Protocols

Your network may also have other network protocols running in addition to TCP/IP. Each of these protocols may be vulnerable to outside attack. Some protocols (such as NetBEUI, DLC, and some of the more primitive protocols) are not routable and, therefore, not subject to attack. Of course, there is a great big "unless" in all this. If your router or firewall is configured to pass them, some of these protocols can be embedded in TCP/IP and may be passed to other systems.

The major protocols used by TCP/IP for maintenance and other activities include SNMP, ICMP, and IGMP. These protocols use the TCP or UDP components of TCP/IP for data delivery.

Note 

The information provided in this section is for background information and is not tested in the current version of the Security+ exam.

Simple Network Management Protocol (SNMP)

Simple Network Management Protocol (SNMP) is used to manage and monitor devices in a network. Many copiers, fax machines, and other smart office machines use SNMP for maintenance functions. This protocol travels through routers quite well and can be vulnerable to attack. While this particular attack might not be dangerous, think about what could happen if your printer suddenly went online and started spewing your paper all over the floor. SNMP has been upgraded as a standard to SNMP 2. SNMP 2 provides security and improved remote monitoring. SNMP is currently undergoing a revision, and a new standard, SNMPv3, is out. Most systems still use SNMP 2.

Internet Control Message Protocol (ICMP)

Internet Control Message Protocol (ICMP) is used to report errors and reply to requests from programs such as Ping and Traceroute. ICMP is one of the favorite protocols used for DoS attacks. Many businesses have disabled ICMP through the router to prevent these types of situations from occurring.

Real World Scenario: Using ICMP to Deal with Smurf Attacks

Your organization has been repeatedly hit by smurf attacks. These attacks have caused a great deal of disruption, and they must be stopped. What could you suggest to minimize these attacks?

You would want to disable ICMP traffic at the point where your network connects to the Internet. You can do this by disabling this protocol on your router and blocking this traffic in firewall systems. This does not completely eliminate the problem, but it will greatly reduce the likelihood of a successful attack occurring using ICMP. This will also prevent people from gaining information about your network because any programs, such as Ping, that request information from your network systems will no longer function.

Internet Group Message Protocol (IGMP)

Internet Group Message Protocol (IGMP) is used to manage group or multicasting sessions. IGMP can be used to address multiple receivers of a data packet. This process, called multicasting, can consume huge amounts of bandwidth in a network and possibly create a DoS situation. Many organizations block IGMP traffic to prevent this type of occurrence. Broadcast traffic is initiated by the sender, and it is received by any client who has broadcasting enabled. Many routers and other network devices block broadcast traffic. A unicast is IGMP traffic that is multicast formatted, but oriented at a single system.

TCP/IP primarily uses a unicast method of communication. This means that a message is sent from a single system to another single system. The ability exists to send broadcasts as well as multicasts. Broadcasts are messages sent from a single system to the entire network. The systems could be inside your network or throughout the world. Multicasting refers to messages that are being sent to a targeted list of subscribers. Most network administrators disable the reception of broadcast and multicast traffic from outside their local network.
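
The border policy described in the smurf scenario and in the paragraph above (drop ICMP, IGMP, broadcast, and multicast traffic arriving from outside), sketched as an added Python example that is not from the book. The internal prefixes, function names, and sample packets are constructed for illustration, using documentation address ranges.

```python
import ipaddress

# Assumption: internal prefixes, constructed from documentation ranges.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/25")]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
ICMP, IGMP, TCP, UDP = 1, 2, 6, 17   # IANA IP protocol numbers

def delivery_type(dst):
    """Classify a destination address as unicast, multicast or broadcast."""
    addr = ipaddress.ip_address(dst)
    if addr.is_multicast:                       # 224.0.0.0/4
        return "multicast"
    if addr == LIMITED_BROADCAST:
        return "broadcast"
    # Directed broadcast: the all-ones host address of an internal subnet.
    # It is not always .255; for a /25 it is .127.
    if any(addr == net.broadcast_address for net in INTERNAL_NETS):
        return "broadcast"
    return "unicast"

def border_verdict(pkt):
    """Return (action, reason) for a packet arriving from outside."""
    kind = delivery_type(pkt["dst"])
    if pkt["proto"] == ICMP and kind == "broadcast":
        return "drop", "ICMP to broadcast address (smurf pattern)"
    if kind != "unicast":
        return "drop", kind + " from outside"
    if pkt["proto"] in (ICMP, IGMP):
        return "drop", "ICMP/IGMP blocked at border"
    return "allow", "unicast, permitted protocol"

# Constructed sample packets (source is an outside documentation address).
SAMPLE = [
    {"src": "203.0.113.7", "dst": "192.0.2.255",    "proto": ICMP},
    {"src": "203.0.113.7", "dst": "192.0.2.10",     "proto": ICMP},
    {"src": "203.0.113.7", "dst": "224.0.0.1",      "proto": IGMP},
    {"src": "203.0.113.7", "dst": "198.51.100.127", "proto": UDP},
    {"src": "203.0.113.7", "dst": "192.0.2.10",     "proto": TCP},
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        action, reason = border_verdict(pkt)
        print(f'{pkt["dst"]:<15} proto={pkt["proto"]:<2} {action:<5} {reason}')
```

Only the last sample packet, ordinary unicast TCP, is allowed through; the fourth shows that a directed broadcast address depends on the subnet mask and has to be computed from the internal prefixes.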

Note 

Every one of these protocols presents a potential problem for security administrators. Make sure that you use what you need and disable what you don't.



CompTIA Security+ Study Guide. Exam SY0-101
Security+ Study Guide
ISBN: 078214098X
EAN: 2147483647
Year: 2006
Pages: 167
