SSDP Amplified Attacks, a Sitting Duck against Sophisticated DDoS Analytics

Stephen Gates
By | October 16, 2014

Posted in: Network Security Trends , Hosting Provider DDoS Protection

The craftiness of cyber attackers never ceases to amaze me and now a new kid on the block has emerged – the SSDP Reflective/Amplified DDoS attack.   Many people may wonder what SSDP is.  SSDP otherwise known as the Simple Service Discovery Protocol is a network based protocol used for the advertisement and discovery of network services.

According to the draft RFC (2000) regarding SSDP, “The Simple Service Discovery Protocol (SSDP) provides a mechanism whereby network clients, with little or no static configuration can discover network services. SSDP accomplishes this by providing for multicast discovery support as well as server based notification and discovery routing.

The SSDP attack falls into the same category as the DNS and NTP amplified DDoS attacks where attackers use a smaller botnet that spoofs their victim’s IP addresses.  Attackers next use that botnet to then query home routers, firewalls, printers, access points and the like, that have the uPnP service open to the internet.

Those devices respond with traffic (packets) that are larger than the original request. The amplified traffic does not go back to the botnet infected machines.  Instead the traffic is sent to the intended victim because of the spoofing of the victim’s addresses by the botnet. It’s a classic reflection/amplification attack that incorporates a slightly new recipe.

According to SANS Internet Storm Center Diary, Wanner (September, 2014), “Over the last few weeks we have detected a significant increase in both scanning for 1900/UDP and a huge increase of 1900/UDP being used for amplified reflective DDOS attacks.”

1900/UDP is the Simple Service Discovery Protocol (SSDP) which is a part of Universal Plug and Play (UPnP). The limited information available to me indicates that the majority of the devices that are being used in these DDOS attacks are DLink routers, and some other devices, most likely unpatched or un-patchable and vulnerable to the UPnP flaws announced by HD Moore in January of 2013. If anybody has any more information on this, or even better yet, packet captures from one of the devices being used as a reflector, please let me know!”

SSDP is a UDP protocol than can be used in Reflective/Amplified DDoS attacks and has an amplification factor of 30.8 according the US Cert Alert dated January 2014, as shown in the table below.  Any one of these protocols can be used in a reflective/amplified attack.

Gates Amplified Attack chart 1

In alignment with the findings from the SANS research, Corero customers have also seen an increase in SSDP scans and reflective attacks as well. Corero First Line of Defense solutions were designed to inspect all traffic at line rate, blocking the attacks in real time, and providing unparalleled visibility into the attack activity.

Corero - Unparalleled view of a real attack:
This following graphs and tables are from a customer network that observed both a spike in link utilization as well as a spike in packets per second around 09:30 AM, Sunday October 5th, 2014.

Gates Amplifed Attack Chart 2

This next chart displays the Corero First Line of Defense technology, blocking the security event that triggered at the same time as the traffic spike – cns-001032.

Gates Amplifed Attack Chart 3

Finally, below is another view of the drill down on event cns-001032. As you can see on the top right – IP Port 17 (UDP) is used.  Also on the left you’ll see the server port 80 (HTTP) and the client port 1900 (SSDP) as well.

The number of unique uPnP devices shown in the middle used in the attack is 1125.  This is a classic example of an SSDP amplified attack and easily detected and mitigated by the Corero First Line of Defense solution.

Gates Amplifed Attack Chart 4

The Corero First Line of Defense technology leverages big data analytics, powered by Splunk, enables users to easily detect and prevent SSDP scans and amplified DDoS attacks using any of the UDP services listed in the US Cert Alert.

Additional information about Corero First Line of Defense solutions and DDoS event visibility can be found at www.corero.com

You May Also Be Interested In: