Bug
Resolution: Fixed
High
None
The German government sent us this love note – the SNMP port used to be closed to all but nagios.musicbrainz.org, but for some reason it is open again. Please re-instate the rule that prevents any traffic to the SNMP port from anyone but our IPs.
—
Dear Sir or Madam,
the Simple Network Management Protocol (SNMP) is a network protocol
for monitoring and management of network devices.
In the past months, systems responding to SNMP requests from the
Internet have been increasingly abused for participating in
DDoS reflection/amplification attacks.
The Shadowserver 'Open SNMP Scanning Project' identifies systems
responding to SNMP requests from the Internet which can be abused
for DDoS reflection/amplification attacks if no appropriate
countermeasures have been implemented.
Shadowserver provides CERT-Bund with the test results for IP addresses
hosted in Germany for notifying the owners of the affected systems.
Further information on the tests run by Shadowserver is available
at [2].
Please find below a list of affected systems hosted on your network.
The timestamp (timezone UTC) indicates when the system was tested
and responded to SNMP requests from the Internet.
We would like to ask you to check this issue and take appropriate
steps to secure the SNMP services on the affected systems or
notify your customers accordingly.
If you have recently solved the issue but received this notification
again, please note the timestamp included below. You should not
receive any further notifications with timestamps after the issue
has been solved.
References:
[1] Wikipedia: Simple Network Management Protocol
<http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol>
[2] Shadowserver: Open SNMP Scanning Project
<https://snmpscan.shadowserver.org/>
[3] Prolexic: An Analysis of DrDoS SNMP/NTP/CHARGEN Reflection Attacks
<www.prolexic.com/kcresources/white-paper/white-paper-snmp-ntp-chargen-reflection-attacks-drdos/An_Analysis_of_DrDoS_SNMP-NTP-CHARGEN_Reflection_Attacks_White_Paper_A4_042913.pdf>
This message is digitally signed using PGP.
Details on the signature key used are available on our website at:
<https://www.cert-bund.de/reports-sig>
Please note:
This is an automatically generated message.
Replying to the sender address is not possible.
In case of questions, please contact <certbund@bsi.bund.de>.
- -----------------------------------------------------------------------
Affected systems on your network:
Format: ASN | IP address | Timestamp (UTC) | Device ID
24940 | 148.251.177.29 | 2016-02-06 07:23:14 | Linux spike 3.13.0-36-generic #63-Ubuntu SMP Wed Sep 3 21:30:07 UTC 2014 x86_64
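
Since the ticket describes a firewall rule that silently went missing, the following is an added example (not part of the ticket or the CERT-Bund notice) of a regression check that walks `iptables-save` output and reports whether UDP/161 is reachable from sources outside an allowlist. It assumes the host uses an iptables INPUT chain; the address 192.0.2.10 is a placeholder for the monitoring host and both rulesets are constructed samples.

```python
import ipaddress
import shlex

ANY = ipaddress.ip_network("0.0.0.0/0")
# Only rules built from these flags are modelled; others (-i lo, conntrack state) are skipped.
SIMPLE = {"-p", "-s", "-m", "--dport", "-j", "--reject-with"}

def _opt(tok, flag):
    return tok[tok.index(flag) + 1] if flag in tok else None

def snmp_findings(ruleset, allowed):
    """Walk the INPUT chain of iptables-save text; return reasons UDP/161 is
    reachable from sources outside `allowed` (empty list = restricted)."""
    allowed = [ipaddress.ip_network(a) for a in allowed]
    policy, findings = "ACCEPT", []
    for line in ruleset.splitlines():
        tok = shlex.split(line)
        if tok[:1] == [":INPUT"]:
            policy = tok[1]
        if tok[:2] != ["-A", "INPUT"]:
            continue
        if not {t for t in tok[2:] if t.startswith("-")} <= SIMPLE:
            continue
        if _opt(tok, "-p") not in (None, "all", "udp"):
            continue
        if _opt(tok, "--dport") not in (None, "161"):
            continue
        src = ipaddress.ip_network(_opt(tok, "-s") or "0.0.0.0/0", strict=False)
        target = _opt(tok, "-j")
        if target == "ACCEPT" and not any(src.subnet_of(a) for a in allowed):
            findings.append(f"ACCEPT from {src}: {line.strip()}")
        if src == ANY and target in ("ACCEPT", "DROP", "REJECT"):
            return findings  # first match wins: every remaining packet is decided here
    if policy == "ACCEPT":
        findings.append("no catch-all DROP and INPUT policy is ACCEPT")
    return findings

# Constructed sample: the restricting rule is missing, SNMP falls through to the policy.
OPEN = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT"""

# Constructed sample: SNMP allowed from the monitoring host only, dropped otherwise.
RESTRICTED = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 192.0.2.10/32 -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -p udp -m udp --dport 161 -j DROP
COMMIT"""
```

Running such a check from the monitoring system after every firewall reload catches the rule disappearing before an external scanner does; it does not follow user-defined chains.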