Port reference
Port 161 (UDP) – SNMP
Simple Network Management Protocol — monitors and manages network devices via OID polling.
Default state
Open on routers, switches, printers, and servers with an SNMP agent enabled, frequently with default community strings.
Common attacks
- Default community strings (public/private) granting read/write access
- Information disclosure of configs, routes, ARP/interface tables
- Cleartext interception of SNMP v1/v2c traffic
- SNMP reflection/amplification DDoS via GetBulk
Hardening
- Use SNMPv3 with authentication and encryption (authPriv)
- Remove default public/private community strings
- Disable SNMP write access unless strictly required
- Restrict the agent to a management VLAN and IP allowlist
- Firewall UDP 161 from untrusted networks and the internet
nmap snippet
nmap -sU -p161 --script snmp-info,snmp-brute,snmp-sysdescr <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 161?
Port 161 hosts the SNMP (Simple Network Management Protocol) agent, which lets monitoring systems poll devices for status and metrics by reading and writing OIDs in a MIB. It is enabled on routers, switches, firewalls, printers, UPSes, and servers to report interface counters, CPU, temperature, and configuration. Traps and notifications go the other way on port 162.
Why it matters for security
SNMP is a rich source of internal detail, and the older versions protect it
poorly. SNMP v1 and v2c authenticate only with a plaintext community
string and send everything in cleartext, so anyone who can sniff or guess
the community reads a device's full configuration — interface tables, routes, ARP
entries, even running configs. With a write community, that access becomes
control over the device. Devices shipped with default public/private strings
are an easy win for attackers.
How it's attacked
Attackers scan UDP 161 and try default community strings (public, private)
and short wordlists to gain read or write access. Read access yields information
disclosure of network topology and credentials; write access reconfigures the
device. v1/v2c traffic is intercepted in cleartext, and GetBulk requests
are abused for reflection/amplification DDoS against third parties.
Hardening checklist
Move to SNMPv3 with authPriv so polling is authenticated and encrypted, and
remove the default public/private communities. Disable write access
unless it is genuinely needed, bind the agent to a management VLAN with an IP
allowlist, and firewall UDP 161 from untrusted networks and the internet. The
nmap snippet above probes community strings and system info on devices you are
authorized to test.
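An added example, not part of the original page: a small Python audit that checks an agent configuration against the checklist above. It assumes Net-SNMP's snmpd.conf directive syntax (rocommunity, rwcommunity, com2sec, rouser, rwuser), which the page does not name; both sample configs are constructed.

```python
# Added example: audit Net-SNMP snmpd.conf text against the hardening checklist.
# Assumes Net-SNMP directive syntax; the sample configs below are constructed.
DEFAULTS = {"public", "private"}
ANY_SOURCE = {"default", "0.0.0.0/0", "::/0"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
WRITE_DIRECTIVES = {"rwcommunity", "rwcommunity6", "rwuser"}

def audit_snmpd_conf(text):
    """Return (line_number, finding) tuples; line 0 marks a file-wide finding."""
    findings, has_priv_user = [], False
    for n, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if not tokens:
            continue
        directive, args = tokens[0].lower(), tokens[1:]
        community = source = None
        if directive in WRITE_DIRECTIVES:
            findings.append((n, "write access enabled"))
        if directive in COMMUNITY_DIRECTIVES and args:
            # rocommunity COMMUNITY [SOURCE ...]; no SOURCE means any host
            community = args[0]
            source = args[1] if len(args) > 1 else "default"
        elif directive == "com2sec":
            # com2sec [-Cn CONTEXT] SECNAME SOURCE COMMUNITY
            if args[:1] == ["-Cn"]:
                args = args[2:]
            if len(args) >= 3:
                source, community = args[1], args[2]
        elif directive in ("rouser", "rwuser"):
            # rouser [-s SECMODEL] USER [noauth|auth|priv ...]
            if args[:1] == ["-s"]:
                args = args[2:]
            level = args[1].lower() if len(args) > 1 else "unspecified"
            if level == "priv":
                has_priv_user = True
            else:
                findings.append((n, f"SNMPv3 user not held to authPriv (level {level})"))
        if community is not None:
            findings.append((n, "v1/v2c community in use (cleartext)"))
            if community.lower() in DEFAULTS:
                findings.append((n, "default community string"))
            if source in ANY_SOURCE:
                findings.append((n, "no source allowlist"))
    if not has_priv_user:
        findings.append((0, "no SNMPv3 user requiring priv"))
    return findings

WEAK = "rocommunity public\nrwcommunity private 10.0.0.0/8\n"
HARDENED = "# v3 only\nrouser monitor priv\n"
```

Running audit_snmpd_conf over WEAK reports the default strings, the missing allowlist and the write community; HARDENED returns no findings.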
Frequently asked questions
- Is SNMP v2c secure?
  No. SNMP v1 and v2c send community strings and data in cleartext and have no real authentication. Use SNMPv3 with authPriv for authentication and encryption.
- What is the default SNMP community string?
  Most devices ship with 'public' for read access and 'private' for read/write. Leaving these in place lets anyone who reaches port 161 read or change device settings.