Preventing SSDP-based DDoS Attacks

Amr Alashaal, Regional Vice President – Middle East at A10 Networks

Lately, DDoS attackers have been increasingly focused on smaller attacks launched persistently over a long period of time. The trend has been prevalent throughout the last couple of years thanks to the COVID-19 pandemic.

That said, the notoriety and capabilities of large-scale DDoS attacks cannot be diminished. In fact, while large-scale attacks might not occur as frequently as their low-volume, high-frequency cousins, they still tend to cause a lot of damage and make headlines at least a couple of times a year. 

At the end of the day, while these large-scale attacks might not be as lucrative as continuously attacking an organization for days or even weeks, these attacks are increasingly used to make a statement. And in a world where state-sponsored

cyberattacks and cyber activism have quickly become a norm, these attacks can be quite damaging.

Amplified reflection attacks take the top position when it comes to size of DDoS attacks. This attack strategy exploits the connectionless nature of the UDP protocol and spoofs the victim’s IP address. 

How do Amplification Attacks Work?

Amplified reflection attacks can wreak havoc on small, medium or large organizations alike, leveraging the amplification factors of many protocols and services commonly used across the internet. The most common types of these attacks can use millions of exposed DNS, NTP, SSDP, SNMP, and CLDAP UDP-based services. 

Attackers send multiple requests to these services, spoofing the victim’s IP address. The servers reply with large amplified responses to the unwitting victim. These particular servers are targeted because they answer to unauthenticated requests and are running applications or protocols with amplification capabilities. 

These attacks have resulted in record-breaking volumetric attacks and with each passing year, new records are reached, both in terms of attack traffic and packets per second.

Amplification Weapons In 2021

In the first half of 2021, the A10 Networks research team observed an additional 2.5 million unique systems that can be used in amplified reflection attacks. 

SSDP stayed at the top of the list of amplification weapons, with over 3.2 million systems exposed to the internet. This is an increase of over 28 percent compared to the previous reporting period.

It is important to note that when it comes to amplified reflection attacks, the number of weapons, while an important metric, is not the defining factor; it’s the bandwidth amplification factor that makes all the difference.

For example, while SSDP has led our list of top DDoS weapons for a year, its amplification factor sits at a little over 30x, which is almost half of the protocols at the bottom of our top-five list, TFTP and DNS, which have amplification factors of 60 and 54 respectively.

How SSDP is Exploited?

The SSDP is used for the advertisement and discovery of network services and is the basis of the discovery protocol of Universal Plug and Play (UPnP). SSDP-based DDoS attacks exploit the protocol by spoofing the victim’s IP address and sending these target systems a large volume of response traffic reflected off plug-and-play devices that are open to the

internet. The response generated by these devices can be larger than 30 times the request size. This large volume of traffic can be devastating to systems and organizations that fall victim to such attacks, making them unresponsive or bringing them down entirely.

Preventing SSDP-based DDoS Attacks

The most straightforward blanket protection against such attacks is to simply block port 1900 traffic sourced from the internet unless there is a specific use case for SSDP across the internet. Alternatively, blocking SSDP traffic from specific geo-locations, where a large number of botnet activity has been detected, can also be used to provide surgical protection.

Organizations need to update defensive strategies by incorporating the Zero Trust model and invest in modern, artificial intelligence/machine learning-based solutions that will not only defeat attacks in real time, but also protect against the unknown.