Switches, Hubs, and Modems
cancel
Showing results for 
Search instead for 
Did you mean: 

SNMP Security access violation

Les Ligetfalvy
Esteemed Contributor

SNMP Security access violation

I came across an issue where an errant SNMP application tried repeatedly to access all my 5308xl switches presumably with the wrong community string. Subsequently, there are thousands of "SNMP Security access violation..." messages piling up in the local logs and in the PCM+ Syslogs as well as the SNMP trap. All this happened so fast and furious that even after turning off the errant app, PCM+ took hours to catch up on the backlog of events. In the meantime other possibly important events were backed up in the queue.

This concerns me on two fronts, the first being the amount of work and traffic generated, and secondly that someone could capitalize on this "feature" to launch a DoS of sorts.

Other brands of switches I have block continuous reporting of these so as to not flood the log, allowing other events to be tracked. I have searched through the Procurve documentation for some way to modify this behavior but came up empty.
5 REPLIES
Gonzo Granello
Valued Contributor

Re: SNMP Security access violation

Unfurtunatley, not a whole lot you can do about. Write the ProCurve guy's to change that, event log mgmt (or consistent mgmt between their switches) has never been the big glory of those anyway. The only (somewhat easy) way to fix that, is a; preventing other applications to use the "wrong" SNMP string. (and now someone breaks in and your logs are messed up....) or b; put all mgmt applications and computers in their own mgmt vlan which would greatly reduce the risk of someone else trying to access any box with the wrong SNMP string since SNMP would be turned off in all other VLAN's.
most time the day i have to mask my contempt for the a-holes in charge......
Les Ligetfalvy
Esteemed Contributor

Re: SNMP Security access violation

Thanks for the reply. You can bet I will be bending HP's ear. While putting the switches into a separate management vlan makes good sense, in this case it would not have helped since the errant snmp app was mine! It would however prevent someone besides myself from launching a DoS against my switches.
SCOOTER
Esteemed Contributor

Re: SNMP Security access violation

Les,

You can turn this off by setting setmib 1.3.6.1.2.1.16.9.1.1.3.236 -i 1

Then the entry's will not turn up in the eventlog, on the other hand I have not checked if they still turn up in PCM.

Regards,

SCOOTER
Les Ligetfalvy
Esteemed Contributor

Re: SNMP Security access violation

Thanks Scooter but that went over my head. I just barely muddle through this MIB and OID stuff and have yet to figure out how to compile the MIBs that HP bundles. So far I have just been able to read non-HP OIDs with MG Soft and Whatsup Gold.

All I know is that my Nortel switches report:

The last event exceeded the write threshold. Further write attempts
by this event are blocked. The write threshold will be cleared when
the switch is reset or when the Event Log is compressed.
Les Ligetfalvy
Esteemed Contributor

Re: SNMP Security access violation

Update:
Fluke OVC is still working on the source of the access violations.

I submitted an enhancement request to HP to put event log flood control in place. Unfortunately, the way this whole enhancement request system works, there is no way to submit the request in your own words. I submit the request for a request to the HP tech who in turn paraphrases what I said into a very brief form.

Well... we'll see what if anthing comes of it. I think I have bent HP's ear with at least a half dozen requests thus far.