[SNMP4J] AuthenticationFailure notification with invalid V3 query
Vivi Zhang
vzhang at anuesystems.com
Wed Nov 18 00:27:53 CET 2009
Frank:
I misunderstood your reply.
Your following statement really means: "I have removed the generation
of the authenticationFailure trap in SNMP4J-Agent 1.3.1 to be more
robust against DoS attacks. There is no benefit from having generated
these traps."
Now, back to my original question: how could I receive an
authenticationFailure trap when a V3 user sends a request with a bad
password or a misspelled name? I am able to receive an authentication
failure trap when the agent receives a query with a bad V1 or V2 community
string.
Frank Fock wrote:
> Vivi,
>
> I have problems following your thoughts.
> SNMP4J-Agent is already (and still) sending
> out authenticationFailure traps on SNMPV3
> USM errors other than unknownEngineID and
> notInTimeWindow. As you wrote, these are
> excluded because of discovery and to
> impede DoS attacks.
>
> So, where exactly is the problem?
>
> Regards,
> Frank
>
> Vivi Zhang wrote:
>> Frank:
>>
>> Thanks for your response.
>>
>> I am curious why you took the generation of the authenticationFailure
>> trap away for V3, but not the V2 or V1 authentication failure
>> notification. I downloaded the latest agent code, SNMP4J-Agent 1.3.2.
>> It seems it still supports V1 and V2c authenticationFailure. Should we
>> let the user choose whether he wants to have the authentication failure notification?
>>
>> From a coding point of view,
>> the API MPv3::prepareDataElements() associates the detail error code
>> with the msgId so that it can be put in the response PDU, and returns
>> SnmpConstants.SNMP_MP_USM_ERROR in case the variable "status" is not
>> SNMPv3_USM_OK. If the API returns the error code in the variable "status"
>> back to its caller, MessageDispatcherImpl::dispatchMessage() can
>> fire an authentication failure event when the status is neither
>> SNMPv3_USM_UNKNOWN_ENGINEID nor
>> SNMPv3_USM_NOT_IN_TIME_WINDOW:
>> switch (status) {
>>   case SnmpConstants.SNMP_MP_UNSUPPORTED_SECURITY_MODEL:
>>   case SnmpConstants.SNMPv3_USM_UNSUPPORTED_SECURITY_LEVEL:
>>   case SnmpConstants.SNMPv3_USM_UNKNOWN_SECURITY_NAME:
>>   case SnmpConstants.SNMPv3_USM_ENCRYPTION_ERROR:
>>   case SnmpConstants.SNMPv3_USM_DECRYPTION_ERROR:
>>   case SnmpConstants.SNMPv3_USM_AUTHENTICATION_ERROR:
>>   case SnmpConstants.SNMPv3_USM_AUTHENTICATION_FAILURE: {
>>     // unknownEngineID and notInTimeWindow are intentionally not listed:
>>     // they occur during normal discovery and must not raise the trap
>>     AuthenticationFailureEvent event =
>>         new AuthenticationFailureEvent(this, incomingAddress,
>>                                        sourceTransport, status,
>>                                        wholeMessage);
>>     fireAuthenticationFailure(event);
>>     break;
>>   }
>> }
>> The switch statement does not list the unknown engine id or timeliness
>> errors, since we don't want to send out an authentication failure trap for
>> discovery.
>>
>> Of course, we need to implement authentication failure event listener
>> registration, and call the authentication notification as we receive
>> the event.
>>
>> Would this help us in handling the authentication failure notification?
>>
>> Vivi
>>
>> Frank Fock wrote:
>>> Hi Vivi,
>>>
>>> I have removed the generation of the authenticationFailure
>>> trap in SNMP4J-Agent 1.3.1 to be more robust against DoS
>>> attacks. There is no benefit from having generated these
>>> traps.
>>>
>>> Regards,
>>> Frank
>>>
>>> Vivi Zhang wrote:
>>>> Frank:
>>>>
>>>> The email was sent Oct 28. I have not seen a reply yet. I guess it got
>>>> lost. Let me try it again.
>>>>
>>>> I am trying to verify that SNMP4J will send out an authentication
>>>> failure notification when it receives a query with a bad user name
>>>> or bad password. Is there a way to verify that the notification works
>>>> with the SNMP4J test agent?
>>>>
>>>> I found a thread of conversation between you and Marek on:
>>>> http://fixunix.com/snmp/64320-wrong-authorization-alarm-trap-usm.html
>>>>
>>>> "Indeed, AGENT++ did not generate authenticationFailure notifications
>>>> on usmWrongDigest and usmNotInTimeWindow failures. I have fixed
>>>> that bug
>>>> and you can download the new version from http://www.agentpp.com"
>>>>
>>>> I am using AgenPro 2.7.2, SNMP4J version 1.9.3c, and SNMP4J-Agent
>>>> version 1.2.1d. Does this version contain your fix? Or does this
>>>> version contain this bug? Is there any option I can choose during the
>>>> code generation phase to enable the authentication failure notification?
>>>>
>>>> Could you explain which error codes will trigger the notification?
>>>>
>>>> Thanks for your help in advance.
>>>>
>>>> Vivi
>>>>
>>>> Vivi Zhang wrote:
>>>>> Frank:
>>>>>
>>>>> I wonder how to make a notification recipient receive an
>>>>> authenticationFailure notification when an agent receives a query
>>>>> with a bad user name or bad password. When the agent receives a v2 query
>>>>> with a bad community string, the API SNMPv2Mib::incrementCounter()
>>>>> calls the notify API and sends out notifications. But when the agent
>>>>> receives a v3 query with a bad username, no notification is sent out.
>>>>>
>>>>> I am using SNMP4J version 1.9.3c and SNMP4J-Agent version
>>>>> 1.2.1d.
>>>>>
>>>>> This is my second question. According to CHANGES.txt on the snmp4j site:
>>>>>
>>>>> [2009-07-30] v1.3.1 (Requires SNMP4J v1.10.1)
>>>>> ....
>>>>> * Improved: Authentication failure traps are no longer
>>>>> sent on usmNotInTimeWindow and usmUnknownEngineID
>>>>> reports.
>>>>>
>>>>> I am wondering why? If a user has a bad username, would that
>>>>> cause a usmNotInTimeWindow error, since the second part of discovery
>>>>> requires user credentials?
>>>>>
>>>>> Thanks.
>>>>>
>>>>> Vivi
>>>>>
>>>>
>>>
>>
>
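A listener in the shape Vivi proposes, written here as an added example (it is not SNMP4J's code and not from any of the thread's authors): it reacts only to the USM statuses listed in the thread, leaves out the two discovery statuses, and caps the traps it raises per source address, so a stream of bad-password requests cannot be turned into a trap flood, which is the DoS concern Frank raises. Assumed and not confirmed by the thread: the listener interface and event class in org.snmp4j.event, the event's getAddress() and getError() accessors, and that the instance is registered through the dispatcher's addAuthenticationFailureListener().

```java
import java.util.HashMap;
import java.util.Map;
import org.snmp4j.event.AuthenticationFailureEvent;
import org.snmp4j.event.AuthenticationFailureListener;
import org.snmp4j.mp.SnmpConstants;

/** Turns USM failures into authenticationFailure traps, rate-limited per source address. */
public class UsmAuthFailurePolicy implements AuthenticationFailureListener {
    private final long windowMillis;  // rate-limit window length
    private final int maxPerWindow;   // traps allowed per source in one window
    private final Map<String, long[]> counters = new HashMap<>(); // source -> {windowStart, count}

    public UsmAuthFailurePolicy(long windowMillis, int maxPerWindow) {
        this.windowMillis = windowMillis; this.maxPerWindow = maxPerWindow;
    }

    /** The statuses from the thread that mean a real credential or security failure. unknownEngineID
     *  and notInTimeWindow are deliberately absent: they occur during ordinary discovery. */
    public static boolean isReportable(int status) {
        switch (status) {
            case SnmpConstants.SNMP_MP_UNSUPPORTED_SECURITY_MODEL:
            case SnmpConstants.SNMPv3_USM_UNSUPPORTED_SECURITY_LEVEL:
            case SnmpConstants.SNMPv3_USM_UNKNOWN_SECURITY_NAME:
            case SnmpConstants.SNMPv3_USM_ENCRYPTION_ERROR:
            case SnmpConstants.SNMPv3_USM_DECRYPTION_ERROR:
            case SnmpConstants.SNMPv3_USM_AUTHENTICATION_ERROR:
            case SnmpConstants.SNMPv3_USM_AUTHENTICATION_FAILURE:
                return true;
        }
        return false; // includes SNMPv3_USM_UNKNOWN_ENGINEID and SNMPv3_USM_NOT_IN_TIME_WINDOW
    }

    /** True if a trap should be sent now: reportable status and still under the per-source budget. */
    public synchronized boolean shouldNotify(String source, int status, long nowMillis) {
        if (!isReportable(status)) return false;
        long[] c = counters.computeIfAbsent(source, k -> new long[] {nowMillis, 0});
        if (nowMillis - c[0] >= windowMillis) { c[0] = nowMillis; c[1] = 0; } // start a new window
        if (c[1] >= maxPerWindow) return false; // budget spent: failure still counted, no trap sent
        c[1]++;
        return true;
    }

    @Override
    public void authenticationFailure(AuthenticationFailureEvent event) {
        // getAddress() and getError() are assumed accessor names on SNMP4J's event class.
        String source = String.valueOf(event.getAddress());
        if (shouldNotify(source, event.getError(), System.currentTimeMillis())) {
            // Hypothetical hook: the agent would originate the SNMPv2-MIB authenticationFailure here.
            System.out.println("authenticationFailure from " + source + ", USM status " + event.getError());
        }
    }
}
```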