The Shadowserver Foundation

Open SNMP Scanning Project

If you are looking at this page, then more than likely, you noticed a scan coming from this server across your network and/or poking at SNMP.

The Shadowserver Foundation is currently undertaking a project to search for publicly accessible devices that have SNMP running. The goal of this project is to identify openly accessible SNMP services and report them back to the network owners for remediation.

These devices have the potential to be used in SNMP amplification attacks and if at all possible, we would like to see these services made un-available to miscreants that would misuse these resources.

Servers that are configured this way will be incorporated into our reports and should are being reported on a daily basis.

Information on UDP-based amplification attacks in general can be found in US-CERT alert TA14-017A at: https://www.us-cert.gov/ncas/alerts/TA14-017A

Methodology

We are querying all computers with routable IPv4 addresses that are not firewalled from the internet on port 161/udp with a request for the System Description OID (1.3.6.1.2.1.1.1) using the community "public" and snmp version 2c. We are capturing the response from the SNMP service and parsing the result. We intend no harm, but if we are causing problems, please contact us at dnsscan@shadowserver.org

If you would like to test your own device to see if it has SNMP enabled and responding to queries for sysDescr (OID 1.3.6.1.2.1.1.1.0) and/or sysName (OID 1.3.6.1.2.1.1.5.0) use the command: "snmpget -c public -v 2c [IP] 1.3.6.1.2.1.1.1.0" for the sysDescr string and "snmpget -c public -v 2c [IP] 1.3.6.1.2.1.1.5.0" for the sysName string.

Whitelisting

To be removed from this set of scanning you will need to send an email to dnsscan [at] shadowserver [dot] org with the specific CIDR's that you would like to have removed. You will have to be the verifiable owner of these CIDR's and be able to prove that fact. Any address space that is whitelisted will be publicly available here: https://snmpscan.shadowserver.org/exclude.html

Useful Links

Scan Status

Statistics on current run

Other Statistics

If you would like other statistics and information on historical trends, please take a look at: https://snmpscan.shadowserver.org/stats/. Otherwise, stats from the most current scan are listed below.


All SNMP Servers

All SNMP

(Click image to enlarge)

These are the 7.5 million open SNMP servers

If you would like to see more regions click here

SNMP Servers (port 161/udp)

SNMP on 161

(Click image to enlarge)

These are the 5.8 million hosts that respond on port 161

If you would like to see more regions click here

Other SNMP Servers

SNMP that reponded on a different port

(Click image to enlarge)

These are the hosts where SNMP responded from a port other than 161

If you would like to see more regions click here

All SNMP Servers

All SNMP

(Click image to enlarge)

These are the 7.5 million open SNMP servers

SNMP Servers (port 161/udp)

SNMP on 161

(Click image to enlarge)

These are the 5.8 million hosts that respond on port 161

Other SNMP Servers

SNMP that reponded on a different port

(Click image to enlarge)

These are the hosts where SNMP responded from a port other than 161



If you would like us to not scan your network, please let us know and we will remove your networks from the scan.

Likewise, if you have anymore questions please feel free to send us an email at: gro [tod] revfooreswodahs [ta] nacbarssnd

The Shadowserver Foundation