
Recently one of our servers faced a DoS attack, and from the iptables log we found out that they hit port 161 of the server. I wonder why? Here is the iptables log:

Mar 25 14:02:45 srv1 kernel: iptables denied: IN=eth0 OUT= MAC=xx:xx:xx SRC=xx.xx.xx.xx DST=xx.xx.xx.xx LEN=66 TOS=0x00 PREC=0x00 TTL=237 ID=1047 PROTO=UDP SPT=22 DPT=161 LEN=46
Mar 25 14:02:55 srv1 kernel: iptables denied: IN=eth0 OUT= MAC=xx:xx:xx SRC=xx.xx.xx.xx DST=xx.xx.xx.xx LEN=66 TOS=0x08 PREC=0x20 TTL=232 ID=1047 PROTO=UDP SPT=7777 DPT=161 LEN=46
...
PHA
  • By the way, the question really belongs to http://networkengineering.stackexchange.com/ not to Stackoverflow. I still answered the question because it is a simple question to answer. – juhist Mar 24 '15 at 08:44

1 Answer


According to /etc/services, port 161 is the port of SNMP. Perhaps that could explain why hackers attacked that port? Lots of networking gear use SNMP for management.

They probably tried an SNMP amplification attack explained e.g. in https://isc.sans.edu/forums/diary/SNMP+The+next+big+thing+in+DDoS+Attacks/18089/

The idea of reflectors is to cause a small request packet to get a large reply packet response. The source IP address of the request packet is obviously spoofed to be the target of the attack. So, in other words: you weren't the real target of the attack, they just tried to use your network equipment to amplify traffic to the real attack target.

juhist
  • Thanks for your answer, but we are running on Linux and we don't have SNMP installed – PHA Mar 24 '15 at 11:25
  • Well, even though you don't have SNMP installed it doesn't necessarily matter. Perhaps the hackers are trying to see if you have SNMP installed. The only way to know if you have SNMP is trying it. – juhist Mar 24 '15 at 11:34
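The answer above explains the reflector pattern: many small UDP requests to a service port (here SNMP, 161) with spoofed source addresses. A defender reading the asker's iptables log can confirm that pattern mechanically. The following is an added example, not code from the question or the answerer: it parses iptables LOG-target lines with the `iptables denied:` prefix the question shows, counts hits per protocol and destination port, and raises an alert when a burst of UDP packets to a well-known reflector port arrives inside a sliding time window. The two log lines from the question are used as input together with constructed lines (RFC 5737 documentation addresses); the window, threshold and the list of reflector ports are constructed defaults, not values from the page.

```python
import re
from collections import Counter
from datetime import datetime

# Regexes for syslog-style iptables LOG lines. The "iptables denied:" prefix is the
# one shown in the question; a different --log-prefix would need a different TS_RE.
TS_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: iptables denied: (.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# UDP services commonly abused as amplification reflectors (constructed list).
# SNMP/161 is the port the question is about.
REFLECTOR_PORTS = {19: "chargen", 53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}

# Sample input: the two lines from the question, then constructed lines.
SAMPLE_LOG = [
    "Mar 25 14:02:45 srv1 kernel: iptables denied: IN=eth0 OUT= MAC=xx:xx:xx SRC=xx.xx.xx.xx DST=xx.xx.xx.xx LEN=66 TOS=0x00 PREC=0x00 TTL=237 ID=1047 PROTO=UDP SPT=22 DPT=161 LEN=46",
    "Mar 25 14:02:55 srv1 kernel: iptables denied: IN=eth0 OUT= MAC=xx:xx:xx SRC=xx.xx.xx.xx DST=xx.xx.xx.xx LEN=66 TOS=0x08 PREC=0x20 TTL=232 ID=1047 PROTO=UDP SPT=7777 DPT=161 LEN=46",
    # constructed: three more SNMP probes from documentation-range addresses
    "Mar 25 14:03:01 srv1 kernel: iptables denied: IN=eth0 OUT= MAC=xx:xx:xx SRC=192.0.2.10 DST=198.51.100.5 LEN=66 TOS=0x00 PREC=0x00 TTL=240 ID=1047 PROTO=UDP SPT=1024 DPT=161 LEN=46",
    "Mar 25 14:03:04 srv1 kernel: iptables denied: IN=eth0 OUT= MAC=xx:xx:xx SRC=192.0.2.11 DST=198.51.100.5 LEN=66 TOS=0x00 PREC=0x00 TTL=51 ID=1047 PROTO=UDP SPT=40000 DPT=161 LEN=46",
    "Mar 25 14:03:09 srv1 kernel: iptables denied: IN=eth0 OUT= MAC=xx:xx:xx SRC=192.0.2.12 DST=198.51.100.5 LEN=66 TOS=0x00 PREC=0x00 TTL=244 ID=1047 PROTO=UDP SPT=53 DPT=161 LEN=46",
    # constructed: an unrelated TCP SYN to SSH, which must not trigger the SNMP alert
    "Mar 25 14:03:30 srv1 kernel: iptables denied: IN=eth0 OUT= MAC=xx:xx:xx SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
]


def parse_line(line, year=2015):
    """Parse one iptables LOG line into a dict, or return None if it is not one.

    Syslog timestamps carry no year, so the caller supplies it. LEN appears twice
    (IP total length, then UDP length); dict() keeps the last, the UDP length.
    """
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    fields = dict(FIELD_RE.findall(m.group(2)))
    rec = {"ts": ts, "proto": fields.get("PROTO"), "src": fields.get("SRC"), "dst": fields.get("DST")}
    for key in ("SPT", "DPT", "LEN", "TTL"):
        val = fields.get(key)
        rec[key.lower()] = int(val) if val is not None and val.isdigit() else None
    return rec


def summarize(lines, window_seconds=60, threshold=5):
    """Return (hits per (proto, dport), alerts).

    An alert is raised for a reflector port when at least `threshold` UDP packets
    to it fall within any `window_seconds`-long sliding window. Both defaults are
    constructed for this example; tune them to the host's normal traffic.
    """
    recs = [r for r in map(parse_line, lines) if r]
    by_port = Counter((r["proto"], r["dpt"]) for r in recs)
    alerts = []
    for port, name in sorted(REFLECTOR_PORTS.items()):
        hits = sorted((r for r in recs if r["proto"] == "UDP" and r["dpt"] == port),
                      key=lambda r: r["ts"])
        lo = 0
        for hi in range(len(hits)):
            # shrink the window from the left until it spans <= window_seconds
            while (hits[hi]["ts"] - hits[lo]["ts"]).total_seconds() > window_seconds:
                lo += 1
            if hi - lo + 1 >= threshold:
                burst = hits[lo:hi + 1]
                alerts.append({
                    "service": name,
                    "port": port,
                    "count": len(burst),
                    # many distinct sources and arbitrary source ports are what a
                    # spoofed reflection probe looks like from the reflector's side
                    "sources": sorted({r["src"] for r in burst}),
                    "source_ports": sorted({r["spt"] for r in burst}),
                    "first": burst[0]["ts"].isoformat(),
                    "last": burst[-1]["ts"].isoformat(),
                })
                break
    return by_port, alerts


if __name__ == "__main__":
    counts, found = summarize(SAMPLE_LOG)
    for (proto, dport), n in counts.most_common():
        print(f"{proto}/{dport}: {n} denied packets")
    for a in found:
        print(f"ALERT {a['service']}/{a['port']}: {a['count']} packets from "
              f"{len(a['sources'])} sources between {a['first']} and {a['last']}")
```

Run against the sample, the script reports five denied UDP/161 packets within 24 seconds from four distinct sources and flags an SNMP burst, while the TCP/22 line is counted but not alerted on. The comment exchange above is also easy to settle on the host itself: `ss -lun` lists UDP listeners, and if nothing is bound to port 161 the probes are hitting a closed port, which is exactly what the DROP rule in the log already shows. Keeping inbound UDP/161 blocked at the edge unless SNMP is genuinely needed, and restricting it to management addresses when it is, removes the host from the pool of usable reflectors.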