New Member

snmp attack

Hi, I have a Site to Site IPSEC VPN with a client.

Recently I saw 100% CPU on my router, and sh process CPU sorted shows SNMP-Engine eating all CPU.

When I disabled SNMP-Server on my router, everything is good.

In debug I can see some strange packets coming from my CLIENT side subnets.

How can I block them?

I tried to deny SNMP on the border interface, but no success. Any suggestion how I can block them? The client is unable to block it on his side towards me :-s

May 22 12:10:33.358: SNMP: Response, reqid 657, errstat 0, erridx 0

ipNetToMediaEntry.2.18.10.10.164.200 = 00 17 59 26 5D C0

ipNetToMediaEntry.3.18.10.10.164.200 = 10.10.164.200

ipNetToMediaEntry.4.18.10.10.164.200 = 3

ipNetToMediaEntry.1.18.10.10.164.200 = 18

ipNetToMediaEntry.2.18.10.10.164.228 = 00 17 59 26 5D C0

ipNetToMediaEntry.3.18.10.10.164.228 = 10.10.164.228

ipNetToMediaEntry.4.18.10.10.164.228 = 3

ipNetToMediaEntry.1.18.10.10.164.228 = 18

ipNetToMediaEntry.2.18.10.10.164.238 = 00 17 59 26 5D C0

ipNetToMediaEntry.3.18.10.10.164.238 = 10.10.164.238

ipNetToMediaEntry.4.18.10.10.164.238 = 3

ipNetToMediaEntry.1.18.10.10.164.238 = 18

ipNetToMediaEntry.2.18.10.10.164.250 = 00 17 59 26 5D C0

ipNetToMediaEntry.3.18.10.10.164.250 = 10.10.164.250

ipNetToMediaEntry.4.18.10.10.164.250 = 3

ipNetToMediaEntry.1.18.10.10.164.250 = 18

ipNetToMediaEntry.2.18.10.10.165.11 = 00 17 59 26 5D C0

ipNetToMediaEntry.3.18.10.10.165.11 = 10.10.165.11

ipNetToMediaEntry.4.18.10.10.165.11 = 3

ipNetToMediaEntry.1.18.10.10.165.11 = 18

ipNetToMediaEntry.2.18.10.10.165.57 = 00 17 59 26 5D C0

ipNetToMediaEntry.3.18.10.10.165.57 = 10.10.165.57

ipNetToMediaEntry.4.18.10.10.165.57 = 3

ipNetToMediaEntry.1.18.10.10.165.57 = 18

ipNetToMediaEntry.2.18.10.10.165.60 = 00 17 59 26 5D C0

ipNetToMediaEntry.3.18.10.10.165.60 = 10.10.165.60

ipNetToMediaEntry.4.18.10.10.165.60 = 3

ipNetToMediaEntry.1.18.10.10.165.60 = 18

ipNetToMediaEntry.2.18.10.10.165.100 = 00 17 59 26 5D C0

ipNetToMediaEntry.3.18.10.10.165.100 = 10.10.165.100

ipNetToMediaEntry.4.18.10.10.165.100 = 3

ipNetToMediaEntry.1.18.10.10.165.100 = 18

ipNetToMediaEntry.2.18.10.10.165.128 = 00 17 59 26 5D C0

ipNetToMediaEntry.3.18.10.10.165.128 = 10.10.165.128

ipNetToMediaEntry.4.18.10.10.165.128 = 3

ipNetToMediaEntry.1.18.10.10.165.128 = 18

ipNetToMediaEntry.2.18.10.10.165.131 = 00 17 59 26 5D C0

ipNetToMediaEntry.3.18.10.10.165.131 = 10.10.165.131

ipNetToMediaEntry.4.18.10.10.165.131 = 3

ipNetToMediaEntry.1.18.10.10.165.131 = 18

ipNetToMediaEntry.2.18.10.10.165.146 = 00 17 59 26 5D C0

ipNetToMediaEntry.3.18.10.10.165.146 = 10.10.165.146

ipNetToMediaEntry.4.18.10.10.165.146 = 3

ipNetToMediaEntry.1.18.10.10.165.146 = 18

ipNetToMediaEntry.2.18.10.10.165.150 = 00 17 59 26 5D C0

ipNetToMediaEntry.3.18.10.10.165.150 = 10.10.165.150

ipNetToMediaEntry.4.18.10.10.165.150 = 3

ipNetToMediaEntry.1.18.10.10.165.150 = 18

ipNetToMediaEntry.2.18.10.10.165.159 = 00 17 59 26 5D C0

ipNetToMediaEntry.3.18.10.10.165.159 = 10.10.165.159

ipNetToMediaEntry.4.18.10.10.165.159 = 3

1 ACCEPTED SOLUTION
Bronze

snmp attack

Here's a link that might prove helpful:

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094489.shtml

Essentially, you can secure your SNMP communities by getting away from public and private, as well as secure access via an ACL.

HTH!

-Chris

3 REPLIES
New Member

snmp attack

Hi cflory,

Thank you for this useful document.

After creating the discussion here, I also found the same and fixed the issue.

And it works, so you get full marks. Thank you for sharing your knowledge.

snmp attack

Hi,

Alternatively, you can configure your end client to send only particular MIB queries...

This is generally done by configuring snmp view included statements...

Please rate if helpful !!!

HTH,

Smitesh
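The two suggestions in this thread (non-default community strings behind an ACL, and an SNMP view) combined into one IOS configuration sketch. This is an added example, not taken from any of the posts or from the linked Cisco document; the ACL number, the view name CUTDOWN, the manager address 192.0.2.10 and the community placeholder are all assumptions to be replaced with local values.

```cisco
! Added example. ACL number, view name, manager address and the
! community string below are placeholders, not values from the thread.
!
! Weak setting this replaces: default community, any source, full MIB tree
!   snmp-server community public RO
!
! 1. Remove the default communities
no snmp-server community public
no snmp-server community private
!
! 2. Standard ACL: only the management station may query the SNMP agent;
!    everything else is dropped and logged so the polling source shows up
access-list 10 remark SNMP managers only
access-list 10 permit host 192.0.2.10
access-list 10 deny any log
!
! 3. View that exposes the MIB tree but hides ipNetToMediaTable
!    (1.3.6.1.2.1.4.22), the ARP table seen being walked in the debug output
snmp-server view CUTDOWN iso included
snmp-server view CUTDOWN 1.3.6.1.2.1.4.22 excluded
!
! 4. Read-only community bound to both the view and the ACL
snmp-server community <NON-DEFAULT-STRING> view CUTDOWN RO 10
```

After applying it, `show snmp community` and `show access-lists 10` confirm the binding and show hit counts on the deny entry, and `show processes cpu sorted` shows whether the SNMP process load has dropped.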
