Simple Service Discovery Protocol (SSDP) is a network protocol used to scan or search for available network devices. SSDP underpins the discovery of universal plug-and-play (UPnP) devices, which lets computer systems and network devices find and talk to each other easily, using UDP port 1900.
The universal plug-and-play (UPnP) devices include routers, printers, media servers, IP cameras, smart TVs, home automation systems, network storage servers, etc.
A Simple Service Discovery Protocol (SSDP) DDoS attack is a reflection-based DDoS attack in which the attacker first exploits vulnerable universal plug-and-play (UPnP) devices, spoofs IP addresses and assembles a botnet. The attacker then uses this botnet to flood the target’s network infrastructure and bring down its web resources.
How does SSDP DDoS Attack Work?
- To carry out an SSDP DDoS attack, the attacker first scans for any available universal plug-and-play (UPnP) devices that can be exploited.
- The available universal plug-and-play (UPnP) devices that respond to the attacker’s request are then listed.
- The attacker then crafts user datagram protocol (UDP) packets that carry the spoofed IP address of the victim as their source.
- The spoofed discovery packet, an M-SEARCH request, is then sent to each universal plug-and-play (UPnP) device through the botnet. The request is built to pull back as much data as possible in the response, by setting the search target (ST) value to ssdp:rootdevice or ssdp:all.
- As a result, each universal plug-and-play (UPnP) device sends the target victim a response up to about 30 times larger than the attacker’s request.
- The target is flooded with the combined traffic from all the universal plug-and-play (UPnP) devices, which denies service to legitimate traffic.
How Can SSDP DDoS Attacks be Mitigated?
The following measures can be implemented to mitigate SSDP DDoS attacks:
- Behavioural DoS (BDoS) mitigation can be installed, which analyzes traffic behaviour using machine learning and data analysis. If an abnormal traffic rate is observed, the BDoS protection automatically identifies the suspicious traffic and creates real-time signatures. The incoming UDP traffic is then analyzed against those real-time signatures and mitigated.
- Incoming UDP traffic on port 1900 can be filtered or blocked outright with a network firewall.
- DDoS mitigation solutions can be adopted to monitor and mitigate various types of DDoS attacks.
- Another way to mitigate SSDP DDoS attacks is Connection Limit Protection, which rate-limits all connections from UDP source port 1900. This prevents a high rate of abnormal SSDP traffic.
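The attack steps and the mitigations above both come down to one observable: a host receiving SSDP replies (UDP source port 1900) at a high rate, and with a reply-to-request byte ratio far above normal, without having sent the corresponding M-SEARCH requests. The detection below is an added example, not code from the original article or from any product it mentions; the flow-record format, the per-second window and the rate and amplification thresholds are assumptions, and the sample flows are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

SSDP_PORT = 1900                # UDP port used by SSDP M-SEARCH discovery
RATE_THRESHOLD = 100            # SSDP replies per second to one host; assumed tuning value
AMPLIFICATION_THRESHOLD = 10.0  # reply bytes / request bytes that looks like reflection

@dataclass(frozen=True)
class Flow:                     # one UDP datagram as a NetFlow-style record (assumed format)
    ts: float                   # seconds
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int

def ssdp_reflection_report(flows, window=1.0, rate_threshold=RATE_THRESHOLD,
                           amp_threshold=AMPLIFICATION_THRESHOLD):
    """Flag hosts receiving SSDP replies (UDP source port 1900) at a high rate that they
    did not request (no outbound M-SEARCH) or with an amplification ratio above threshold."""
    replies = defaultdict(lambda: [0, 0, set()])  # (host, bucket) -> [count, bytes, reflectors]
    requests = defaultdict(int)                   # (host, bucket) -> M-SEARCH bytes sent
    for f in flows:
        bucket = int(f.ts // window)
        if f.dport == SSDP_PORT:                  # outbound discovery request from f.src
            requests[(f.src, bucket)] += f.nbytes
        elif f.sport == SSDP_PORT:                # SSDP reply arriving at f.dst
            entry = replies[(f.dst, bucket)]
            entry[0] += 1
            entry[1] += f.nbytes
            entry[2].add(f.src)
    alerts = []
    for (host, bucket), (count, nbytes, reflectors) in sorted(replies.items()):
        sent = requests.get((host, bucket), 0)
        ratio = nbytes / sent if sent else float("inf")   # unsolicited: nothing was requested
        if count / window >= rate_threshold and (sent == 0 or ratio >= amp_threshold):
            alerts.append({"host": host, "window": bucket, "replies": count,
                           "reflectors": len(reflectors), "amplification": ratio})
    return alerts

def constructed_sample():
    flows = []  # constructed records: one reflected flood plus one legitimate discovery
    for i in range(120):  # 120 unsolicited 320-byte replies from 40 reflectors within one second
        flows.append(Flow(i / 120, f"198.51.100.{i % 40 + 1}", SSDP_PORT,
                          "203.0.113.10", 40000 + i, 320))
    flows.append(Flow(0.2, "192.0.2.5", 50001, "239.255.255.250", SSDP_PORT, 130))  # real M-SEARCH
    for i in range(3):    # three ordinary replies to that request
        flows.append(Flow(0.25 + i * 0.01, f"192.0.2.{20 + i}", SSDP_PORT, "192.0.2.5", 50001, 350))
    return flows
```

Running `ssdp_reflection_report(constructed_sample())` flags only 203.0.113.10, which received 120 replies from 40 reflectors in one second while sending no M-SEARCH; the host that sent one request and got three replies stays under both thresholds.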