Haiyang Si
R&D Engineer 2

SSDP Reflection DDoS Attacks Emulation on BreakingPoint

October 27, 2014 by Haiyang Si

SSDP Overview

Simple Service Discovery Protocol (SSDP) is part of the Universal Plug and Play (UPnP) protocol suite. UPnP devices such as computers, printers, Wi-Fi access points, etc., use SSDP to discover each other on the network and establish connections. SSDP uses both unicast and the multicast address 239.255.255.250. It is an HTTP-like protocol that works with the NOTIFY and M-SEARCH methods.

Reflection/Amplification DDoS Attack

In a reflection DDoS attack, the attacker spoofs the target's IP address and sends a request to a reflector (a server, Wi-Fi access point, smart terminal, etc.). The reflector takes the request as coming from the target's IP address, so it answers the request and "reflects" the response to the target.


The request message can be very small, while the response message can be very large. Here is an example:


The original request is only 64 bytes, but the response message is 3283 bytes. This is an amplification DDoS attack; in this case the attack is amplified 51 times. With enough reflectors, an attacker with tens of Mbps of network capacity can produce a gigabit-level attack. The responses from the reflectors take over the target's bandwidth, and once the amount of malicious traffic is large enough, the target's network connection is easily shut down.
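As an added example (not code from the article or from BreakingPoint), the following Python parses the HTTP-like SSDP datagrams described above and measures the amplification factor as response bytes per request byte. The M-SEARCH request and the device response are constructed samples; the LOCATION address and the UUID in the USN header are placeholders.

```python
"""Parse SSDP (HTTP-like, UDP/1900) datagrams and measure amplification."""

# Constructed sample discovery request, as a scanner or a normal client sends it.
M_SEARCH = (
    b"M-SEARCH * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b'MAN: "ssdp:discover"\r\n'
    b"MX: 1\r\n"
    b"ST: ssdp:all\r\n\r\n"
)

# Constructed sample device response; address and UUID are placeholders.
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.0.2.10:49152/rootDesc.xml\r\n"
    b"SERVER: Linux/3.10 UPnP/1.0 ExampleRouter/1.0\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n\r\n"
)

def parse_ssdp(payload: bytes) -> dict:
    """Split a datagram into its start line and a lower-cased header map.
    kind is one of M-SEARCH, NOTIFY, RESPONSE or UNKNOWN."""
    lines = payload.decode("utf-8", errors="replace").split("\r\n")
    start, headers = lines[0], {}
    for line in lines[1:]:
        if not line:
            break  # the empty line terminates the header block
        name, sep, value = line.partition(":")
        if sep:  # headers are case-insensitive, values may be empty (EXT:)
            headers[name.strip().lower()] = value.strip()
    if start.startswith("M-SEARCH "):
        kind = "M-SEARCH"
    elif start.startswith("NOTIFY "):
        kind = "NOTIFY"
    elif start.startswith("HTTP/1.1 200"):
        kind = "RESPONSE"
    else:
        kind = "UNKNOWN"
    return {"kind": kind, "start": start, "headers": headers}

def is_discover(msg: dict) -> bool:
    """A genuine discovery request carries MAN: "ssdp:discover"."""
    return msg["kind"] == "M-SEARCH" and msg["headers"].get("man") == '"ssdp:discover"'

def amplification_factor(request: bytes, response: bytes) -> float:
    """Bytes the reflector emits for every byte the requester sends."""
    return len(response) / len(request)
```

With the article's captured sizes (64-byte request, 3283-byte response) the factor rounds to 51; the constructed pair above is far smaller, since the real amplification comes from the device description the LOCATION header points to.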

SSDP Reflection Attacks

There are two steps to an SSDP reflection attack.

  1. Scan

The attacker sends an M-SEARCH request as a discovery packet to a range of IPs. Each UPnP-enabled device responds to the request with the HTTP location of its device description file. From these response messages the attacker gathers an IP list of vulnerable devices.

As shown in Figure 2, the attacker (1.1.0.1) sends M-SEARCH Requests to IPs from 1.200.0.2 to 1.200.255.255. The UPnP-enabled devices have IPs from 1.200.0.200 to 1.200.0.209, so these devices reply with M-SEARCH Response messages to IP 1.1.0.1. The attacker then generates a list with IPs 1.200.0.200 – 1.200.0.209.


Figure 2: Scan

  2. Attack

The attacker sends malicious requests with a spoofed source IP to the IPs in the list, causing a reflected and amplified response to the target. The amplification factor depends on the contents of the device description file.

As shown in Figure 3, the attacker sends M-SEARCH Requests with the spoofed IP (1.1.0.3) at the packet level to reflect the devices' responses to the intended target. The UPnP devices receive these requests and reply with M-SEARCH Responses to the target (1.1.0.3). The attacker keeps sending M-SEARCH Requests with the spoofed IP, and each request leads to an M-SEARCH Response from a UPnP device to the target IP.


Figure 3: Attack
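The two steps above leave distinct traces in network telemetry, and the following added Python (not from the article or BreakingPoint) shows how a defender can flag both: one source sending unicast M-SEARCH to many addresses (Scan), and a host receiving SSDP responses from many devices although it never sent a request (Attack). The flow records are constructed to mirror the article's lab addresses (attacker 1.1.0.2, target 1.1.0.3, devices 1.200.0.200-209); the record layout and thresholds are assumptions.

```python
"""Flag SSDP scan and reflection traffic in flow records (defender's view)."""
from collections import defaultdict

SSDP_PORT = 1900
SSDP_MCAST = "239.255.255.250"

def build_sample_flows():
    """Constructed records modelled on the article's lab, not a real capture:
    attacker 1.1.0.2, target 1.1.0.3, UPnP devices 1.200.0.200-209.
    Each record is (src_ip, src_port, dst_ip, dst_port, kind, payload_bytes)."""
    flows = []
    # Step 1, scan: unicast M-SEARCH across a range; only ten hosts answer.
    for last in range(2, 255):
        flows.append(("1.1.0.2", 40000, f"1.200.0.{last}", SSDP_PORT, "M-SEARCH", 94))
    for last in range(200, 210):
        flows.append((f"1.200.0.{last}", SSDP_PORT, "1.1.0.2", 40000, "RESPONSE", 330))
    # Step 2, attack: the target never sent an M-SEARCH, yet responses arrive.
    for _ in range(20):
        for last in range(200, 210):
            flows.append((f"1.200.0.{last}", SSDP_PORT, "1.1.0.3", 40000, "RESPONSE", 3283))
    # A legitimate host discovers via multicast and gets one solicited reply.
    flows.append(("1.1.0.50", 50001, SSDP_MCAST, SSDP_PORT, "M-SEARCH", 94))
    flows.append(("1.200.0.200", SSDP_PORT, "1.1.0.50", 50001, "RESPONSE", 330))
    return flows

def detect_scanners(flows, min_targets=50):
    """Sources that send M-SEARCH to many distinct unicast addresses."""
    seen = defaultdict(set)
    for src, _, dst, dport, kind, _ in flows:
        if kind == "M-SEARCH" and dport == SSDP_PORT and dst != SSDP_MCAST:
            seen[src].add(dst)
    return {src: len(d) for src, d in seen.items() if len(d) >= min_targets}

def detect_reflection_victims(flows, min_reflectors=5):
    """Hosts receiving SSDP responses they never solicited. A multicast
    M-SEARCH entitles its sender to replies from any device."""
    asked = defaultdict(set)
    for src, _, dst, dport, kind, _ in flows:
        if kind == "M-SEARCH" and dport == SSDP_PORT:
            asked[src].add(dst)
    unsolicited = defaultdict(lambda: defaultdict(int))
    for src, sport, dst, _, kind, size in flows:
        if kind != "RESPONSE" or sport != SSDP_PORT:
            continue
        if SSDP_MCAST in asked[dst] or src in asked[dst]:
            continue  # matches a request this host really sent
        unsolicited[dst][src] += size
    return {victim: {"reflectors": len(by_src), "bytes": sum(by_src.values())}
            for victim, by_src in unsolicited.items() if len(by_src) >= min_reflectors}
```

On the sample the scanner detector reports 1.1.0.2 with 253 probed addresses, and the reflection detector reports only 1.1.0.3, since the legitimate multicast requester and the attacker's own solicited replies are excluded.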

Emulation

The emulation is straightforward. Figure 4 is the dashboard of "SSDP Reflection DDoS Attacks." There are two application simulators, one for the "Scan" process and one for the "Attack" process.


Figure 4: SSDP Reflection DDoS Attacks Test Dashboard

As shown in Figure 5, there are two superflows in the SSDP DDoS Scan profile. One contains only the M-SEARCH Request and the other contains both the M-SEARCH Request and the M-SEARCH Response. 20% of the IPs in the scan range are used by UPnP-enabled devices. (The real proportion would be 10/65534 ≈ 0.015%. Using 20% here amplifies the effect of the Scan process; it does not affect the result of the Attack step.)


Figure 5: SSDP DDoS Scan Profile


Figure 6: SSDP DDoS Attack Profile

Figure 7 shows the network neighborhood configuration.

  • Attacker IP: 1.1.0.2
  • IP scan range: 1.200.0.2 – 1.200.255.255
  • Target IP / Spoofed IP: 1.1.0.3
  • UPnP Device IP: 1.200.0.200 – 1.200.0.209


Figure 7: Network Neighborhood Configuration

Figure 8 shows an actual scan packet sent from the attacker. One vulnerable UPnP device returns its location, UUID, description, etc.


Figure 8: Attacker sends M-SEARCH Request to scan and get a reply

Figure 9 shows an SSDP amplification/reflection attack example. The attacker uses a spoofed client (1.1.0.3) to send M-SEARCH requests to the vulnerable UPnP devices captured in the last step. After receiving the M-SEARCH requests, these devices send their responses to the target.


Figure 9: An actual SSDP amplification/reflection attack example

Figures 10 and 11 show the Ethernet data size and rates. In this attack emulation, the amplification rate is around 2.5.


Figure 10: Ethernet Data


Figure 11: Ethernet Data Rates

Conclusion

This emulation reproduces the whole SSDP reflection DDoS attack clearly and straightforwardly. Users can implement their own DDoS attack variants just by reconfiguring the superflows in the SSDP Attack Application Simulator. The result is reliable and matches a real-world SSDP reflection/amplification DDoS attack very well, so customers of the Ixia BreakingPoint ATI service can use it freely to validate their DDoS defenses.

Leverage Subscription Service to Stay Ahead of Attacks

The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.