Amplification DDoS Attacks Reloaded?

When talking DDoS, most of the people that aren’t afraid to use words like DNS or ICMP, are left with the impression that DDoS is a simple, yet pesky activity. In fact, this is hardly the case. Although compared to some forms of cyber-attacks, Denial of Service attacks are very straight forward, being a true DDoS master is miles away from the thousands of self-proclaimed hackers. Most of the DDoS-ers are actually script-kiddies and wannabe hackers just downloading and using bots, toolkits and scripts created by true masterminds. When it comes to innovation and the abuse of new intrusion vectors, it is clear who runs the parade.

One of the newest methods of launching large-scale DDoS attack campaigns is the use of the Simple Service Discovery Protocol (SSDP for short). This protocol is used for the discovery of network services, devices and presence information. It is the basis for locating Plug & Play devices and runs on port 1900. SSDP uses UDP as its transport protocol; and is part of the Universal Plug and Play Protocol Standard. What is special about this attack vector is that it amplifies attack traffic and compared to the traditional protocols, can be used to launch much larger attacks using the same number of bots in a botnet. So in a way this is an alternative to the popular NTP and DNS reflection methods that have been used widely in the past year. Compared to the NTP DDoS attacks, which provide an amplification factor of 500, the SSDP only provides an amplification factor of 30, i.e. considerably lower.

You may ask yourself: Why use a method with lower amplification factor than the older and more effective one? The answer is very simple: SSDP is used in a number of smart, end-user appliances like printers, SmartTVs, routers, webcams etc. The protocol is enabled by default on most of them, which makes for millions of possible devices to use in large-scale DDoS campaigns. There are some very noticeable weaknesses in these devices that make them suitable for use in DDoS attacks like the lack of authentication implementation, programming flaws or the ease with which privileged capabilities can be obtained. These devices are also unprotected from malware, compared to servers and PCs, which makes their use in malicious activities almost unhindered.

In general amplification DDoS attacks comprise of requests with a given size that return responses of much larger size and are thus called amplification and reflection attacks. The way amplification works with this protocol is as follows: first the attacker need to find vulnerable devices, this is done by sending a SOAP request (Simple Object Access Protocol used to deliver messages to UPnP devices) the device returns an answer containing an XML file. After a list with the devices is compiled, the malicious actor will command them to send responses to a malicious request, containing the device description, thus providing the larger answer, creating the amplification effect. The IP addresses of the requests are spoofed so that they point to the targeted network or system and all answers are returned to the target.

SSDP is already responsible for a few large scale attacks, some exceeding 200 Gbps. This protocol will in no way replace NTP amplification attacks with their enormous amplification vector, but will complement the already complicated DDoS landscape. The SSDP DDoS attacks are also hard to mitigate due to the large number of UPnP enabled devices that are distributed globally thus preventing mitigation by blocking certain IP address ranges. Possible prevention measures include disabling UPnP services on devices and blocking source port 1900. However these measures can’t prevent being targeted in DDoS campaign that involves SSDP attack vectors upon many others that are in active use. The only real protection is trusting a DDoS mitigation vendor of high quality and efficiency.

Leave a Reply

Your email address will not be published. Required fields are marked *