Has anyone seen any discernible operational impact from CA-2002-03? Things
like: increase in SNMP probes, increase in BGP churn due to outside networks
being affected, customer complaints, increase in number of customer flaps,
anyone willing to admit to being directly impacted, anyone willing to admit
surviving an attempt, does anyone have any evidence of an actual exploit,
any evidence that people wearing the wrong color hats are using this or
trying to?
Frank Scalzo
I've been watching the ACLs on various routers on our (my employer's)
network as well as on my home network.
I've only seen one host attempt to send any sort
of SNMP "goodies" to my network:
Feb 14 05:57:55.239 EST: %SEC-6-IPACCESSLOGP: list 2699 denied udp 193.64.58.53(2101) -> 204.42.252.53(161), 1 packet
Feb 14 06:03:51.550 EST: %SEC-6-IPACCESSLOGP: list 2699 denied udp 193.64.58.53(2101) -> 204.42.253.53(161), 1 packet
Feb 14 06:03:51.550 EST: %SEC-6-IPACCESSLOGP: list 2699 denied udp 193.64.58.53(2101) -> 204.42.254.53(161), 1 packet
Feb 14 06:03:51.550 EST: %SEC-6-IPACCESSLOGP: list 2699 denied udp 193.64.58.53(2101) -> 204.42.255.53(161), 1 packet
Obviously I don't speak for the entire Internet, but
I'm not seeing anything that interesting to take note of (IMHO)
currently.
- Jared
I've seen only a few probes here; interestingly, from exactly the same
host you mention.
> Has anyone seen any discernible operational impact from CA-2002-03? Things
> <snip>
I've only seen a couple hits here, however they were destined to
network addresses...
Feb 13 15:10:11 EST: %SEC-6-IPACCESSLOGP: list 112 denied udp 65.163.197.2(12154) -> 63.x.y.0(161), 1 packet
Feb 13 15:57:02 EST: %SEC-6-IPACCESSLOGP: list 112 denied udp 65.163.197.2(11290) -> 65.x.y.0(161), 1 packet
--Chad
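Added example, not from any poster in this thread: a small Python script that takes Cisco IOS `%SEC-6-IPACCESSLOGP` lines in the format Jared and Chad pasted, rejoins messages a mail client wrapped onto a second line, keeps only UDP hits on the SNMP ports, and summarises them per source host. It flags destinations ending in .0 (the "network addresses" Chad noticed) and sources that walk consecutive /24s, which is what the 204.42.252-255.x sequence above looks like. The sample log is constructed with documentation and private addresses rather than the real ones; the .0 check assumes /24 networks, and the function names are mine, not anything from IOS or the thread.

```python
"""Summarise SNMP probes from Cisco IOS ACL log lines (%SEC-6-IPACCESSLOGP)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the format of the log lines posted in the thread.
# Addresses are RFC 5737 / RFC 1918 ranges, not real hosts. The last two
# messages are wrapped mid-line, as mail clients often do.
SAMPLE_LOG = """\
Feb 14 05:57:55.239 EST: %SEC-6-IPACCESSLOGP: list 2699 denied udp 198.51.100.53(2101) -> 10.42.252.53(161), 1 packet
Feb 14 06:03:51.550 EST: %SEC-6-IPACCESSLOGP: list 2699 denied udp 198.51.100.53(2101) -> 10.42.253.53(161), 1 packet
Feb 14 06:03:51.550 EST: %SEC-6-IPACCESSLOGP: list 2699 denied udp 198.51.100.53(2101) -> 10.42.254.53(161), 1 packet
Feb 14 06:03:51.550 EST: %SEC-6-IPACCESSLOGP: list 2699 denied udp 198.51.100.53(2101) -> 10.42.255.53(161), 1 packet
Feb 14 06:10:02.001 EST: %SEC-6-IPACCESSLOGP: list 2699 denied tcp 198.51.100.53(40211) -> 10.42.252.1(22), 3 packets
Feb 13 15:10:11 EST: %SEC-6-IPACCESSLOGP: list 112 denied udp
203.0.113.2(12154) -> 10.63.7.0(161), 1 packet
Feb 13 15:57:02 EST: %SEC-6-IPACCESSLOGP: list 112 denied udp
203.0.113.2(11290) -> 10.65.9.0(161), 2 packets
"""

# A new log message starts with an IOS timestamp ("Feb 14 05:57:55.239 EST:").
TS_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}")

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} [\d:.]+(?: [A-Z]{3,4})?): %SEC-6-IPACCESSLOGP: "
    r"list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>(?:\d{1,3}\.){3}\d{1,3})\((?P<sport>\d+)\) -> "
    r"(?P<dst>(?:\d{1,3}\.){3}\d{1,3})\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)


def unwrap(text):
    """Rejoin log messages that were wrapped onto a continuation line."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_line(line):
    """Return the fields of one IPACCESSLOGP message, or None if it is not one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def is_network_address(ip):
    """Heuristic (assumes /24s): a destination ending in .0 is a network
    address, which no legitimate poller would be talking SNMP to."""
    return ip.rsplit(".", 1)[1] == "0"


def summarize_snmp_probes(text, snmp_ports=(161, 162)):
    """Group UDP hits on the SNMP ports by source and flag scan-like patterns."""
    per_src = defaultdict(lambda: {"packets": 0, "targets": [], "net_addr_targets": []})
    for line in unwrap(text):
        rec = parse_line(line)
        if rec is None or rec["proto"] != "udp" or rec["dport"] not in snmp_ports:
            continue
        entry = per_src[rec["src"]]
        entry["packets"] += rec["count"]
        if rec["dst"] not in entry["targets"]:
            entry["targets"].append(rec["dst"])
        if is_network_address(rec["dst"]) and rec["dst"] not in entry["net_addr_targets"]:
            entry["net_addr_targets"].append(rec["dst"])
    for entry in per_src.values():
        # Index each target by its /24; a run of adjacent /24s is a sweep.
        nets = sorted({int(ipaddress.ip_address(t)) >> 8 for t in entry["targets"]})
        entry["consecutive_24s"] = len(nets) > 1 and nets[-1] - nets[0] == len(nets) - 1
    return dict(per_src)


if __name__ == "__main__":
    for src, info in summarize_snmp_probes(SAMPLE_LOG).items():
        print(f"{src}: {info['packets']} SNMP packets to {len(info['targets'])} hosts, "
              f"network-address targets={info['net_addr_targets']}, "
              f"consecutive /24 sweep={info['consecutive_24s']}")
```

Feed it `show logging` output or the syslog the router ships to a collector; anything that is not an IPACCESSLOGP line is ignored, and the TCP hit in the sample shows the port filter doing its job. Note that IOS rate-limits these log messages, so the packet counts are a floor, not a census.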
So far no one has told me they've been hit. And to follow up, because
self-reporting isn't that accurate, I have not seen any operational impact
due to someone exploiting, or attempting to exploit SNMP. So far most of
the problems I've tracked down in the last 72 hours have been due to
unrelated problems or network operators rushing to patch or block SNMP.
According to notes sent/forwarded to me, several network operators have
blocked SNMP ports in their hosting facilities either permanently or for
a few days while folks figure out what to do.
I have not seen any gaps in most MRTG data (which uses SNMP) graphs
displayed on providers' web sites. The RIPE, Telstra, Keynote, Matrix, etc.
global network data graphs don't appear out of the ordinary.
#include <stddisclaimer>
We saw a few boxes which appeared to have been compromised in the past day
or two, and which were running SNMPd. On the other hand, they were also
running other potentially dangerous network interfaces as well, so the
timing may well be coincidental.