SSDP Attack Learning Objectives

What is a SSDP DDoS Attack?

A Simple Service Discovery Protocol (SSDP) attack is a reflection-based distributed denial-of-service (DDoS) attack that exploits Universal Plug and Play (UPnP) networking protocols in order to send an amplified amount of traffic to a targeted victim, overwhelming the target’s infrastructure and taking their web resource offline.

How does a SSDP Attack work?

Under normal circumstances, the SSDP protocol is used to allow UPnP devices to broadcast their existence to other devices on the network. For example, when a UPnP printer is connected to a typical network, after it receives an IP address, the printer is able to advertise its services to computers on the network by sending a message to a special IP address called a multicast address. The multicast address then tells all the computers on the network about the new printer. Once a computer hears the discovery message about the printer, it makes a request to the printer for a complete description of its services. The printer then responds directly to that computer with a complete list of everything it has to offer. An SSDP attack exploits that final request for services by asking the device to respond to the targeted victim.

Here are the 6 steps of a typical SSDP DDoS attack:

  1. First the attacker conducts a scan looking for plug-and-play devices that can be utilized as amplification factors.
  2. As the attacker discovers networked devices, they create a list of all the devices that respond.
  3. The attacker creates a UDP packet with the spoofed IP address of the targeted victim.
  4. The attacker then uses a botnet to send a spoofed discovery packet to each plug-and-play device with a request for as much data as possible by setting certain flags, specifically ssdp:rootdevice or ssdp:all.
  5. As a result, each device will send a reply to the targeted victim with an amount of data up to about 30 times larger than the attacker’s request.
  6. The target then receives a large volume of traffic from all the devices and becomes overwhelmed, potentially resulting in denial-of-service to legitimate traffic.

How is a SSDP Attack mitigated?

For network administrators, a key mitigation is to block incoming UDP traffic on port 1900 at the firewall. Provided the volume of traffic isn’t enough to overwhelm the network infrastructure, filtering traffic from this port will likely be able to mitigate such an attack. For a deeper dive on SSDP attacks and more mitigation strategies.

Do you want to know if you have a vulnerable SSDP service that can be used in a DDoS attack? As mentioned before, we’ve created a free tool to check to see if your public IP has any exposed SSDP devices. To check for a SSDP DDoS vulnerability, you can use this free tool.

Open SSDP is a vulnerability

It’s not a novelty that allowing UDP port 1900 traffic from the Internet to your home printer or such is not a good idea. This problem has been known since at least January 2013:

Authors of SSDP clearly didn’t give any thought to UDP amplification potential. There are a number of obvious recommendations about future use of SSDP protocol:

  • The authors of SSDP should answer if there is any real world use of unicast M-SEARCH queries. From what I understand M-SEARCH only makes practical sense as a multicast query in local area network.
  • Unicast M-SEARCH support should be either deprecated or at least rate limited, in similar way to DNS Response Rate Limit techniques.
  • M-SEARCH responses should be only delivered to local network. Responses routed over the network make little sense and open described vulnerability.

In the meantime we recommend:

  • Network administrators should ensure inbound UDP port 1900 is blocked on firewall.
  • Internet service providers should never allow IP spoofing to be performed on their network. IP spoofing is the true root cause of the issue.
  • Internet service providers should allow their customers to use BGP flowspec to rate limit inbound UDP source port 1900 traffic, to relieve congestion during large SSDP attacks.
  • Internet providers should internally collect netflow protocol samples. The netflow is needed to identify the true source of the attack. With netflow it’s trivial to answer questions like: “Which of my customers sent 6.4Mpps of traffic to port 1900?”. Due to privacy concerns we recommend collecting netflow samples with largest possible sampling value: 1 in 64k packets. This will be sufficient to track DDoS attacks while preserving decent privacy of single customer connections.
  • Developers should not roll out their own UDP protocols without careful consideration of UDP amplification problems. UPnP should be properly standardized and scrutinized.
  • End users are encouraged to use the script scan their network for UPnP enabled devices. Consider if these devices should be allowed to access to the internet.

Furthermore, we prepared on online checking website. Click if you want to know if your public IP address has a vulnerable SSDP service: