SSDP DDoS Advisory: Highlights A New DDoS Threat
Overview
• In June of 2014, Akamai first observed a new type of DDoS attack
• The attack is a reflection-and-amplification attack powered by SSDP (Simple Service Discovery Protocol)
• The protocol is used by a wide array of networked home and office devices; more than 4 million devices worldwide have been found to be vulnerable
• The attack is likely to continue evolving and expanding into the DDoS-for-hire ecosystem
©2014 AKAMAI | FASTER FORWARDTM
What is SSDP?
• SSDP is short for Simple Service Discovery Protocol, a part of the Universal Plug and Play (UPnP) protocol standard
• Common networked home and office devices, such as webcams and routers, use it to seamlessly discover each other on a network, share data, and communicate
• Communication takes place using SOAP (Simple Object Access Protocol), which is used to deliver control messages to UPnP devices and pass information back
• By default, many devices are configured to take SOAP requests directly from the Internet, making them vulnerable to abuse by malicious actors
How does it work?
• First, attackers use scanning tools to search the Internet for internet-facing UPnP devices vulnerable to abuse as reflectors
• Attackers then craft SOAP (Simple Object Access Protocol) requests with a spoofed source IP pointing at the target, and send them to the identified reflectors
• The devices respond with larger SOAP messages containing the requested information, amplifying the attack traffic by about 33%
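From the target's side, the reflected traffic described above looks like unsolicited SSDP "HTTP/1.1 200 OK" replies arriving from UDP port 1900 on many distinct devices. The following detector is an added example, not code from the advisory: it runs over constructed packet summaries (addresses from the documentation ranges, record layout and thresholds are assumptions) and flags replies for which the protected host never sent a matching M-SEARCH.

```python
"""Flag SSDP reflection traffic in constructed packet summaries (added example).
Record layout (assumed): (timestamp, src_ip, src_port, dst_ip, dst_port, proto, length, payload_head)."""
from collections import defaultdict

SSDP_PORT = 1900
PROTECTED = "203.0.113.10"  # constructed address of the host being defended

# Constructed sample: one legitimate M-SEARCH/reply pair, four unsolicited
# SSDP replies from different reflectors, and one unrelated DNS reply.
RECORDS = [
    (0.00, PROTECTED, 51234, "198.51.100.7", 1900, "UDP", 120, "M-SEARCH * HTTP/1.1"),
    (0.02, "198.51.100.7", 1900, PROTECTED, 51234, "UDP", 330, "HTTP/1.1 200 OK"),
    (1.00, "192.0.2.11", 1900, PROTECTED, 80, "UDP", 360, "HTTP/1.1 200 OK"),
    (1.01, "192.0.2.12", 1900, PROTECTED, 80, "UDP", 372, "HTTP/1.1 200 OK"),
    (1.01, "192.0.2.13", 1900, PROTECTED, 443, "UDP", 355, "HTTP/1.1 200 OK"),
    (1.02, "192.0.2.14", 1900, PROTECTED, 80, "UDP", 360, "HTTP/1.1 200 OK"),
    (1.50, "192.0.2.50", 53, PROTECTED, 41000, "UDP", 90, "DNS response"),
]


def find_ssdp_reflection(records, target):
    """Return unsolicited SSDP replies aimed at target, grouped by reflector IP.
    A reply counts as solicited only if target earlier sent an M-SEARCH to that
    peer and the reply comes back to the port the M-SEARCH was sent from."""
    searched = set()  # (peer_ip, local_port) pairs the target actually queried
    hits = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for ts, sip, sport, dip, dport, proto, length, head in records:
        if proto != "UDP":
            continue
        if sip == target and dport == SSDP_PORT and head.startswith("M-SEARCH"):
            searched.add((dip, sport))
        elif (dip == target and sport == SSDP_PORT
              and head.startswith("HTTP/1.1 200 OK")
              and (sip, dport) not in searched):
            hits[sip]["packets"] += 1
            hits[sip]["bytes"] += length
    return dict(hits)


def reflection_alert(records, target, min_reflectors=3):
    """Alert when unsolicited SSDP replies arrive from at least min_reflectors devices."""
    hits = find_ssdp_reflection(records, target)
    return len(hits) >= min_reflectors, hits


if __name__ == "__main__":
    alert, reflectors = reflection_alert(RECORDS, PROTECTED)
    print("SSDP reflection suspected:", alert, "reflectors:", sorted(reflectors))
```

In production the same logic is applied to flow records or packet captures at the network edge, and the reflector list feeds rate limiting or a scrubbing policy for UDP source port 1900.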
Observed Distribution and Analysis
• A scan by PLXsert found more than 4 million Internet-facing UPnP devices potentially vulnerable to use as a reflector in this type of attack
• These devices are distributed all over the globe, with Korea, the US, Canada, China, Argentina, and Japan having the highest number
System Hardening and Mitigation
• Due to the wide distribution of devices and the nearly nonexistent patch and update processes from vendors, this presents a major challenge for mitigation and cleanup
• As a result of mismanagement and misconfiguration, millions of vulnerable devices have been placed in homes and enterprises
• To avoid contributing to this threat, download the full threat advisory at www.stateoftheinternet.com/ssdp
Observed Campaigns
• One campaign successfully mitigated by Akamai used a large number of UPnP devices to target an Akamai customer
• Peak traffic from the attacker reached 54.35 Gbps and 17.95 Mpps
• UPnP-based reflection attacks have been directed at a variety of industries since July, including entertainment, payment processing, education, media, and hosting

Akamai Scrubbing Center    Peak bits per second (bps)    Peak packets per second (pps)
San Jose                   6.60 Gbps                     2.05 Mpps
London                     6.60 Gbps                     1.20 Mpps
Hong Kong                  20.40 Gbps                    5.60 Mpps
Washington D.C.            11.25 Gbps                    1.90 Mpps
Frankfurt                  9.50 Gbps                     7.10 Mpps
Conclusion
• The DDoS ecosystem is continually evolving – just a few months after the first observed attack, several tools had already spread throughout the ecosystem and many attacks had been launched
• The massive volume of vulnerable devices and the difficulty of cleanup mean that the attack is likely to become a continuing part of the DDoS-for-hire ecosystem
• Further development and refinement of UPnP attacks is likely to continue in the near future
• Action from firmware, application, and hardware vendors will be necessary to mitigate this threat
SSDP Reflection DDoS Threat Advisory
• Download the full SSDP Threat Advisory from Akamai
• The report includes:
  • Replication of a reflection attack
  • Source code from SSDP scanning and attack tools
  • Details of an attack mitigated by Akamai
  • Analysis of vulnerable UPnP devices worldwide
  • How to identify SSDP reflection attacks
  • Mitigation for vulnerable devices
  • DDoS mitigation
About Akamai
Akamai® is the leading provider of cloud services for helping enterprises provide secure, high-performing user experiences on any device, anywhere. At the core of the Company's solutions is the Akamai Intelligent Platform providing extensive reach, coupled with unmatched reliability, security, visibility and expertise. Akamai helps enterprises around the world optimize the web experience with SaaS cloud computing solutions including web application acceleration, mobile and web performance optimization, web media delivery and content delivery network (CDN) services. Akamai's cloud security solutions protect online assets against threats such as SQL Injection and DDoS attacks for maximum information security. Akamai removes the complexities of connecting the increasingly mobile world, supporting 24/7 consumer demand, and enabling enterprises to securely leverage the cloud.