SNMP Authentication Failure Storm from Rogue Scanner
A vulnerability scanner on the network is polling with an incorrect SNMP community string. Every managed device rejects each request and emits an SNMPv2c authenticationFailure trap for it, so thousands of traps reach the NMS within minutes and the NMS is overwhelmed.
Pattern
SNMP_TRAP_ERROR
Severity
CRITICAL
Confidence
85%
Remediation
Remote Hands
Test Results
Metric                Expected          Actual                                                                  Result
Pattern Recognition   SNMP_TRAP_ERROR   SNMP_TRAP_ERROR
Severity Assessment   CRITICAL          CRITICAL
Incident Correlation  Yes               12 linked
Cascade Escalation    N/A               No
Remediation           —                 Remote Hands — Corax contacts on-site support via call, email, or API
Scenario Conditions
Network with 200 managed devices, all monitored over SNMP v2c. Vulnerability scanner using the default 'public' community string; devices configured with 'c0rax$ecure', so every scanner request is rejected and reported as an authenticationFailure trap. No rate limiting on traps.
Injected Error Messages (2)
SNMP authentication failure storm — 15,000 SNMP traps received in 10 minutes, snmp community mismatch from 10.10.20.200, trap storm overwhelming NMS, snmp authentication failure across 200 devices
SNMP trap rate critical on Core-SW1 — snmp authentication failure from 10.10.20.200 using wrong community string, 75 traps/second, device CPU elevated from trap processing
Neural Engine Root Cause Analysis
The NMS SNMP Trap Receiver is experiencing a critical authentication failure storm with 15,000 SNMP traps received in 10 minutes from device 10.10.20.200 due to SNMP community string mismatch. The authentication failures are affecting 200 devices and overwhelming the NMS system, likely causing the trap receiver service to become unresponsive or crash. This appears to be either a misconfiguration after a recent change to SNMP community strings or a potential security incident involving unauthorized SNMP access attempts.
Remediation Plan
1. Immediately investigate and isolate the source device 10.10.20.200 generating the trap storm
2. Verify current SNMP community string configuration on NMS vs network devices
3. Check for recent configuration changes that may have caused community string mismatches
4. Restart the SNMP trap receiver service to clear the overload condition
5. Update SNMP community strings on either NMS or affected devices to restore authentication
6. Implement rate limiting on SNMP trap reception to prevent future storms
7. Monitor for continued authentication failures and verify normal trap processing resumes