SNMP Attack Defense Mechanism
Simple Network Management Protocol (SNMP) provides an attack defense mechanism that prevents unauthorized users from logging in to the device and protects the device against repeated login attempts. The FW distinguishes SNMP users by source IP address, so the lockouts described below are tracked per source address rather than per credential.
The SNMP attack defense mechanism is implemented as follows:
- When a user logs in to the device for the first time, SNMP authenticates the user. A user that passes authentication logs in successfully. If authentication fails, SNMP locks the user, adds it to the list of locked users, and starts an 8-second lockout timer.
- If the user sends another login request before the timer expires, SNMP discards the request without authenticating it. If the user sends a login request after the timer expires, SNMP authenticates the user again. If authentication succeeds, the login succeeds and SNMP removes the user from the list of locked users. If authentication fails again, SNMP re-adds the user to the list and doubles the lockout period to 16 seconds.
- A user that fails authentication repeatedly is locked for 8, 16, and 32 seconds after the first, second, and third failures respectively, and for 5 minutes after the fourth and every subsequent failure.
- A lockout record is kept for 5 minutes from the last time the user was added to the list of locked users. The record remains in the list for the whole 5-minute period even if the lockout timer expires in the meantime, so the expiry of a timer does not reset the user's failure count. SNMP deletes the record only when the 5-minute period expires.
- SNMP generates a lockout log each time a user is added to the list of locked users, and an unlocking log each time a lockout timer expires.
- When the number of locked users reaches the upper threshold, the system raises an alarm and stops processing SNMP packets; processing resumes only when the number of locked users falls below the lower threshold. Because lockouts are tracked per source IP address, a burst of failed requests from many distinct or spoofed source addresses can drive the count to the upper threshold and suspend SNMP processing for legitimate managers as well, so the thresholds should be set with that in mind.
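The lockout state machine described by the steps above, written out as an added Python model so the timing rules can be traced. This is illustrative code, not the FW's implementation: the `authenticate` callback, the threshold values, the community strings and the sample source addresses are constructed for the example.

```python
# Added example (not from the product documentation): a stand-alone model of the
# SNMP lockout state machine described above, keyed by source IP as the text states.
from dataclasses import dataclass
from typing import Callable, Dict, List

# Lockout durations from the text: 8, 16, 32 s for failures 1-3, 5 minutes afterwards.
LOCKOUT_STEPS = (8, 16, 32)
MAX_LOCKOUT = 300
RECORD_RETENTION = 300  # a lock record lives 5 minutes after the source was last locked


@dataclass
class LockRecord:
    failures: int          # authentication failures within the retention window
    locked_until: float    # requests arriving before this time are discarded
    last_locked_at: float  # start of the 5-minute retention window
    unlock_logged: bool = False


class SnmpLockoutTable:
    """Per-source-IP lockout table with escalating timers and processing thresholds."""

    def __init__(self, authenticate: Callable[[str, str], bool],
                 upper_threshold: int, lower_threshold: int) -> None:
        self.authenticate = authenticate   # (src_ip, credential) -> bool; supplied by caller
        self.upper = upper_threshold
        self.lower = lower_threshold
        self.records: Dict[str, LockRecord] = {}
        self.suspended = False             # True while SNMP packet processing is stopped
        self.logs: List[str] = []

    def _housekeeping(self, now: float) -> None:
        for ip, rec in list(self.records.items()):
            if now - rec.last_locked_at >= RECORD_RETENTION:
                del self.records[ip]       # retention window over: record and failure count gone
            elif now >= rec.locked_until and not rec.unlock_logged:
                rec.unlock_logged = True   # timer expired, but the record is kept
                self.logs.append(f"unlock src={ip}")
        if self.suspended and len(self.records) < self.lower:
            self.suspended = False         # hysteresis: resume below the lower threshold
            self.logs.append("resume: locked users below lower threshold")

    def handle_request(self, src_ip: str, credential: str, now: float) -> str:
        self._housekeeping(now)
        if self.suspended:
            return "dropped: SNMP processing suspended"
        rec = self.records.get(src_ip)
        if rec is not None and now < rec.locked_until:
            return "discarded: source locked"   # not authenticated at all while locked
        if self.authenticate(src_ip, credential):
            self.records.pop(src_ip, None)       # success removes the lock record
            return "accepted"
        failures = (rec.failures if rec else 0) + 1
        duration = LOCKOUT_STEPS[failures - 1] if failures <= len(LOCKOUT_STEPS) else MAX_LOCKOUT
        self.records[src_ip] = LockRecord(failures, now + duration, now)
        self.logs.append(f"lockout src={src_ip} failures={failures} for={duration}s")
        if len(self.records) >= self.upper and not self.suspended:
            self.suspended = True
            self.logs.append("alarm: locked users reached upper threshold, SNMP processing stopped")
        return f"rejected: locked for {duration}s"


if __name__ == "__main__":
    # Constructed scenario: one source guessing the community string repeatedly.
    table = SnmpLockoutTable(lambda ip, c: c == "s3cret-community", 3, 2)
    for t, cred in ((0, "public"), (4, "public"), (8, "public"), (24, "public"), (56, "public"),
                    (300, "s3cret-community"), (356, "s3cret-community")):
        print(f"t={t:>4}s  {table.handle_request('10.0.0.5', cred, t)}")
    for line in table.logs:
        print(line)
```

Note how the model treats `now >= locked_until` as the re-authentication boundary and deletes a record exactly at the 5-minute mark: from the fourth failure onward the 5-minute lockout and the 5-minute retention expire together, so a source that waits out that lockout starts again at 8 seconds rather than staying at 5 minutes. The threshold check illustrates the caveat in the last step: three distinct source addresses are enough, with `upper_threshold=3`, to stop a legitimate manager's correctly authenticated request from being processed.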