4.1 million UPnP devices are sitting ducks

Oct 17, 2014 00:47 GMT  ·  By

The abuse of communication protocols used in millions of home devices, from routers and web cams to TVs, media servers and printers, has become hugely popular among attackers, who found that the gadgets could be used to launch reflection and amplification distributed denial-of-service (DDoS) attacks.

UPnP devices rely on the Simple Service Discovery Protocol (SSDP) to detect each other and the Simple Object Access Protocol (SOAP) to receive control messages and pass back the information.

By abusing this communication scheme, attackers can direct massive amounts of traffic to an intended victim in order to disrupt its services.

Over four million devices vulnerable to reflection DDoS attacks

Akamai’s Prolexic Security Engineering & Response Team (PLXsert) first received evidence of DDoS attacks leveraging home devices in July, and since then, they have grown to become quite common, said Stuart Scholly, vice president of the security business unit at Akamai.

According to research from the company, there are 4.1 million Internet-facing UPnP devices that can be exploited for reflection DDoS.

In a laboratory experiment, PLXsert researchers measured an amplification factor of 33%. Once the attacker has a list of the vulnerable devices, each device receives a malicious request in which the attacker has spoofed the source IP address to that of the target. The device’s response, which can be its description file, is then sent (reflected) to the victim; with enough responses, a denial-of-service condition is created.
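The scheme above has a network-side signature that a defender can look for: SSDP replies (UDP source port 1900) from many devices on the local network, all heading to the same outside address. The example below is added here and is not from the PLXsert advisory; the flow-log format, the sample lines and the monitored prefix are constructed for the example.

```python
"""Flag SSDP reflection traffic leaving a monitored network.

Flow-log format and sample lines below are constructed for this example:
    <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <bytes>
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

SSDP_PORT = 1900
MONITORED_NET = ip_network("192.0.2.0/24")  # assumed: the network we defend

# Constructed sample: three UPnP devices answer from UDP/1900 towards one
# external address (a reflection victim), plus ordinary LAN discovery traffic.
SAMPLE_LOG = """\
2014-10-17T00:47:00Z 192.0.2.10:1900 -> 203.0.113.5:80 4100
2014-10-17T00:47:00Z 192.0.2.11:1900 -> 203.0.113.5:80 3900
2014-10-17T00:47:01Z 192.0.2.12:1900 -> 203.0.113.5:80 4400
2014-10-17T00:47:01Z 192.0.2.20:49152 -> 239.255.255.250:1900 120
2014-10-17T00:47:01Z 192.0.2.10:1900 -> 192.0.2.20:49152 350
2014-10-17T00:47:02Z 192.0.2.30:51000 -> 198.51.100.7:443 900
"""

def parse_flows(log_text):
    """Yield (src_ip, src_port, dst_ip, dst_port, bytes) from the flow log."""
    for line in log_text.splitlines():
        _ts, src, _arrow, dst, nbytes = line.split()
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        yield src_ip, int(src_port), dst_ip, int(dst_port), int(nbytes)

def find_reflection_victims(flows, min_reflectors=3, min_bytes=10000):
    """Group SSDP responses (source port 1900) that leave the monitored
    network by destination; report destinations hit by many devices."""
    by_dst = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for src_ip, src_port, dst_ip, _dst_port, nbytes in flows:
        if src_port != SSDP_PORT or ip_address(dst_ip) in MONITORED_NET:
            continue  # replies to LAN-internal discovery are normal
        by_dst[dst_ip]["reflectors"].add(src_ip)
        by_dst[dst_ip]["bytes"] += nbytes
    return {dst: {"reflectors": sorted(v["reflectors"]), "bytes": v["bytes"]}
            for dst, v in by_dst.items()
            if len(v["reflectors"]) >= min_reflectors and v["bytes"] >= min_bytes}

if __name__ == "__main__":
    for victim, info in find_reflection_victims(parse_flows(SAMPLE_LOG)).items():
        print(f"{victim}: {len(info['reflectors'])} reflectors, {info['bytes']} bytes")
```

A hit means devices on your own network are being used as reflectors; the corresponding fix is to stop UDP/1900 from being reachable from the Internet at the edge.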

Python scripts used for SSDP scanning and attacking

The vulnerable devices are discovered through scanning for port 1900, which is used by SSDP. PLXsert discovered that cybercriminals relied on a Python script (ssdpscanner.py) to determine the reflectors. The operation is carried out by providing a range of IP addresses for mass scanning.

“Malicious actors use a well-known packet manipulation library (Scapy) to craft raw packets. The Scapy library allows the malicious actors to generate packet protocols easily and simplifies IP spoofing,” the PLXsert advisory says.

Another Python script (ssdpattack.py) is used for running the attack. It is a variant of the scanning tool that adds source IP spoofing at the packet level, which is what turns the scan into a reflection attack. It appears that this tool is designed to run until it is killed manually.

Akamai mitigated an attack of this sort and saw peaks of 54.35Gbps and 17.85 million packets sent to the target every second.

These findings from PLXsert confirm the conclusion of other companies in the field, which have observed less interest in abusing NTP servers and increased attention to SSDP-based DDoS incidents.