SSDP DDoS reflection attacks use plug-and-play devices to massively boost the power of a DDoS attack. The latest such attack, discovered in the summer of 2014, harnesses millions of unsecured network devices such as printers, routers, and smart TVs. Read these excerpts for more, then download the full threat advisory at www.stateoftheinternet.com/ssdp.
SSDP DDoS Advisory: Highlights
A New DDoS Threat
Overview
• In June of 2014, Akamai first observed a new type of DDoS attack
• The attack is a reflection-and-amplification attack powered by SSDP (Simple Service Discovery Protocol)
• The protocol is used by a wide array of networked home and office devices; more than 4 million devices worldwide have been found to be vulnerable
• The attack is likely to continue evolving and expanding into the DDoS-for-hire ecosystem
What is SSDP?
• SSDP is short for Simple Service Discovery Protocol, a part of the Universal Plug and Play (UPnP) protocol standard
• Common networked home and office devices, such as webcams and routers, use it to seamlessly discover each other on a network, share data, and communicate
• Communication takes place using SOAP (Simple Object Access Protocol), which is used to deliver control messages to UPnP devices and pass information back
• By default, many devices are configured to take SOAP requests directly from the Internet, making them vulnerable to abuse by malicious actors
How does it work?
• First, attackers use scanning tools to search the Internet for internet-facing UPnP devices vulnerable to abuse as reflectors
• Attackers then craft SOAP (Simple Object Access Protocol) requests with a spoofed source IP pointing at the target, and send them to the identified reflectors
• The devices respond with larger SOAP messages containing the requested information, amplifying the attack traffic by about 33%
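From the defender's side, the tell-tale sign of the reflection described above is that the target receives replies from UPnP devices it never queried. The following detector is an added example, not code from the advisory or from Akamai; it assumes the reflected traffic arrives as SSDP replies from UDP source port 1900, and it runs over a constructed set of flow records with TEST-NET addresses.

```python
"""Flag unsolicited SSDP/UPnP reply floods in UDP flow records.

Each record is a tuple: (src_ip, src_port, dst_ip, dst_port, nbytes, payload_head).
A reply from UDP/1900 to a host that never sent an M-SEARCH to that source is
the signature of a spoofed-source reflection: the reflector answers the victim,
not the sender.  (Example code; not the advisory's own tooling.)
"""
from collections import defaultdict

SSDP_PORT = 1900  # SSDP discovery and unicast replies use UDP/1900


def is_ssdp_reply(payload_head: bytes) -> bool:
    """SSDP unicast replies are 'HTTP/1.1 200 OK' with ST/USN headers."""
    head = payload_head.upper()
    return head.startswith(b"HTTP/1.1 200 OK") and (b"\r\nST:" in head or b"\r\nUSN:" in head)


def find_reflection_victims(records, min_reflectors=3):
    """Return {victim_ip: {"reflectors": n, "bytes": total}} for hosts that receive
    SSDP replies from at least `min_reflectors` devices they never queried."""
    solicited = set()  # (requester_ip, device_ip) pairs seen as outbound M-SEARCH
    for src, _sport, dst, dport, _n, head in records:
        if dport == SSDP_PORT and head.upper().startswith(b"M-SEARCH"):
            solicited.add((src, dst))
    per_victim = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for src, sport, dst, _dport, nbytes, head in records:
        if sport == SSDP_PORT and is_ssdp_reply(head) and (dst, src) not in solicited:
            per_victim[dst]["reflectors"].add(src)
            per_victim[dst]["bytes"] += nbytes
    return {v: {"reflectors": len(d["reflectors"]), "bytes": d["bytes"]}
            for v, d in per_victim.items() if len(d["reflectors"]) >= min_reflectors}


# Constructed sample: 192.0.2.10 legitimately queries one device and gets one reply;
# 203.0.113.5 receives replies from several devices it never contacted.
REPLY = b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\nUSN: uuid:placeholder\r\n"
SAMPLE_RECORDS = [
    ("192.0.2.10", 50000, "198.51.100.1", 1900, 100, b"M-SEARCH * HTTP/1.1\r\n"),
    ("198.51.100.1", 1900, "192.0.2.10", 50000, 320, REPLY),
    ("198.51.100.2", 1900, "203.0.113.5", 80, 330, REPLY),
    ("198.51.100.3", 1900, "203.0.113.5", 80, 340, REPLY),
    ("198.51.100.4", 1900, "203.0.113.5", 80, 350, REPLY),
    ("198.51.100.4", 1900, "203.0.113.5", 80, 350, REPLY),
]

if __name__ == "__main__":
    print(find_reflection_victims(SAMPLE_RECORDS))
```

In production the same check would be fed from NetFlow/sFlow or a packet capture, and an ACL or rate limit on inbound UDP source port 1900 at the edge is the usual first mitigation once a victim is confirmed.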
Observed Distribution and Analysis
• A scan by PLXsert found more than 4 million Internet-facing UPnP devices potentially vulnerable to use as a reflector in this type of attack
• These devices are distributed all over the globe, with Korea, the US, Canada, China, Argentina, and Japan having the highest number
System Hardening and Mitigation
• Due to the wide distribution and nearly nonexistent patch and update processes from vendors, this presents a major challenge for mitigation and cleanup
• As a result of mismanagement and misconfiguration, millions of vulnerable devices have been placed in homes and enterprises
• To avoid contributing to this threat, download the full threat advisory at www.stateoftheinternet.com/ssdp
Observed Campaigns
• One campaign successfully mitigated by Akamai used a large number of UPnP devices to target an Akamai customer
• Peak traffic from the attacker reached 54.35 Gbps and 17.95 Mpps
• UPnP-based reflection attacks have been directed at a variety of industries since July, including entertainment, payment processing, education, media, and hosting
(Diagram: Akamai Scrubbing Center)
Conclusion
• The DDoS ecosystem is continually evolving: just a few months after the first observed attack, several tools had already spread throughout the ecosystem and many attacks had been launched
• The massive volume of vulnerable devices and the difficulty of cleanup mean that the attack is likely to become a continuing part of the DDoS-for-hire ecosystem
• Further development and refinement of the UPnP attack is likely to continue in the near future
• Action from firmware, application, and hardware vendors will be necessary to mitigate this threat
SSDP Reflection DDoS Threat Advisory
• Download the full SSDP Threat Advisory from Akamai
• The report includes:
  • Replication of a reflection attack
  • Source code from SSDP scanning and attack tools
  • Details of an attack mitigated by Akamai
  • Analysis of vulnerable UPnP devices worldwide
  • How to identify SSDP reflection attacks
  • Mitigation for vulnerable devices
  • DDoS mitigation
About Akamai
Akamai® is the leading provider of cloud services for helping enterprises provide secure, high-performing user experiences on any device, anywhere. At the core of the Company's solutions is the Akamai Intelligent Platform, providing extensive reach coupled with unmatched reliability, security, visibility and expertise. Akamai helps enterprises around the world optimize the web experience with SaaS cloud computing solutions including web application acceleration, mobile and web performance optimization, web media delivery and content delivery network (CDN) services. Akamai's cloud security solutions protect online assets against threats such as SQL Injection and DDoS attacks for maximum information security. Akamai removes the complexities of connecting the increasingly mobile world, supporting 24/7 consumer demand, and enabling enterprises to securely leverage the cloud.