What is SNMP and Why Does It Exist?
Simple Network Management Protocol, or SNMP, is a standard language used by devices on a network to share information. Think of it as a universal remote for network administrators. It lets them monitor the health, performance, and configuration of everything
from routers and switches to printers and servers without having to physically check each one. For decades, it has been the go-to tool for keeping complex networks running smoothly, allowing admins to check bandwidth usage, device status, and error rates from a central command post. Its simplicity and vendor-neutral design made it a default feature on virtually every network-connected device.
The Open Door: How SNMP Is Exposed
The protocol's greatest strength, its simplicity, is also its biggest weakness. Older versions, SNMPv1 and SNMPv2c, rely on a simple password called a "community string" for access. Shockingly, these strings are often sent in plain text, meaning anyone intercepting the traffic can read them. Worse, many devices ship with well-known default community strings like "public" or "private" that are frequently never changed. Attackers know this and constantly scan the internet for devices that will respond to these default credentials. This problem is compounded when devices are misconfigured to allow SNMP access from the public internet, essentially leaving a door unlocked for anyone to try.
Hijacked: Turning Your Devices into Weapons
This is where the "relay" of malicious traffic comes in. The technique is known as a reflection and amplification attack. An attacker first finds thousands of these exposed devices across the internet. They then send a small query to each device, but they fake the return address, replacing their own IP address with that of their intended target. The devices, doing exactly what they're designed to do, dutifully respond to the query. However, the response sent is much larger than the initial request—this is the "amplification" part. The result is that the target—perhaps a bank, a government website, or a corporate network—is suddenly flooded with a massive volume of unwanted traffic from thousands of innocent, hijacked devices, leading to a Distributed Denial-of-Service (DDoS) attack that can take them offline.
Who is Abusing This Vulnerability?
While this technique can be used by any cybercriminal, it has been a favoured tool of sophisticated state-sponsored actors. In July 2026, a coalition of international cybersecurity agencies, including CISA and the NSA, issued an alert about a long-running campaign by Russia's FSB Center 16. This group, also known as Berserk Bear or Dragonfly, has been systematically scanning the internet for routers with weak SNMP configurations to infiltrate critical infrastructure networks in sectors like energy, healthcare, and finance. By exploiting SNMP, they can steal router configurations, which contain credentials and network maps, allowing them to move deeper into a target's network.
How to Lock the Door and Protect Your Network
Protecting your network from SNMP abuse involves fundamental cyber hygiene. The most critical step is to upgrade to SNMPv3, a version that offers robust authentication and encryption, making it far more difficult for attackers to intercept credentials or spoof requests. If a device does not support SNMPv3, it should be upgraded or replaced. If you don't use SNMP, disable it entirely to reduce your attack surface. For devices that need it, change the default community strings to strong, complex passwords immediately. Furthermore, use Access Control Lists (ACLs) or firewall rules to ensure that only trusted, internal IP addresses can communicate with your devices via SNMP. The protocol should never be exposed to the open internet.















