SSDP Reflection DDoS Attacks Emulation on BreakingPoint
Simple Service Discovery Protocol (SSDP) is part of the Universal Plug and Play (UPnP) Protocol. UPnP devices such as computers, printers, Wi-Fi access points, etc., can discover each other on the network and establish connection via SSDP. SSDP uses unicast and multicast address (18.104.22.168). It is HTTP like protocol and work with NOTIFY and M-SEARCH methods.
Reflection/Amplification DDoS Attack
In a reflection DDoS attack, the attacker spoofs the target’s IP and sends a request to reflector (it can be server, Wi-Fi access pointer, smart terminal, etc.). The reflector deems the request is from target IP address so it answers the request and “reflects” a response to the target IP.
The request message can be very small however the response message may be very large. Here is an example:
The original request is only 64 bytes but the response message is 3283 bytes. This is an amplification DDoS attack. In this case the attack is amplified 51 times. If there are enough reflectors an attacker with tens of Mbps of network capacity can lead to Gigabyte level attack. The responses from the reflectors take over the bandwidth. Once the amount of malicious traffic is large enough, the target’s network connection can be shutdown easily.
SSDP Reflection Attacks
There are two steps to implement SSDP reflection attacks
Attacker sends an M-SEARCH request as discover packet to a range of IPs. The UPnP-enabled device responds to the request with the HTTP location of its device description file. With these response messages the attacker gathers an IP list of vulnerable devices.
As shown in Figure 2, attacker (22.214.171.124) sends M-SEARCH Request to IPs from 126.96.36.199 to 188.8.131.52. UPnP-enable devices IPs are from 184.108.40.206 to 220.127.116.11. So these devices will reply M-SEARCH Response messages to IP 18.104.22.168. Then the attacker generates a list with IPs 22.214.171.124 – 126.96.36.199.
Figure 2: Scan
The attacker sends malicious requests to the IPs in the lists with spoofed IP and causes a reflected and amplified response to the target. The amplification factor depends on the contents of the device description file.
As shown in Figure 3, attacker sends M-SEARCH Requests with the spoofed IP (188.8.131.52) at the packet level to reflect the device’s response to the intended target. The UPnP devices get these requests and reply M-SEARCH responses to the target (184.108.40.206). The attacker keeps sending M-SEARCH Request with spoofed IP and each request leads to an M-SEARCH response from UPnP device to target IP.
Figure 3: Attack
The emulation is straightforward. Figure 4 is the dashboard of “SSDP Reflection DDoS Attacks.” There are 2 application simulator for the processes “Scan” and “Attack.”
Figure 4: SSDP Reflection DDoS Attacks Test Dashboard
As shown in Figure 5, there are 2 superflows in SSDP DDoS Scan profile. One contains only M-SEARCH Request and another one contains both M-SEARCH Request and M-SEARCH Response. 20% of the IPs is used by UPnP-enable devices in the scan range. (The real number should be 10/65534 ≈0.015%. Use 20% here is to amplify the effect in Scan process. It doesn’t affect attack step result.)
Figure 5: SSDP DDoS Scan Profile
Figure 6: SSDP DDoS Attack Profile
Figure 7 shows network neighborhood configuration.
- Attacker IP: 220.127.116.11
- IP scan range: 18.104.22.168 – 22.214.171.124
- Target IP / Spoofed IP: 126.96.36.199
- UPnP Device IP: 188.8.131.52 – 184.108.40.206
Figure 7: Network Neighborhood Configuration
Figure 8 shows an actual scan package sent from attacker. 1 vulnerable UPnP device returns its location, UUID, description, etc.
Figure 8: Attacker sends M-SEARCH Request to scan and get a reply
Figure 9 shows an SSDP amplification/reflection attack example. Attacker uses a spoofed client (220.127.116.11) sends M-SEARCH request to the vulnerable UPnP devices captured in last step. After getting the M-SEARCH requests these devices send responses to the target.
Figure 9: an actual SSDP amplification/reflection attack example
Figure 10 and 11 shows Ethernet data size and rates. In this attack emulation, the amplification rate is around 2.5.
Figure 10: Ethernet Data
Figure 11: Ethernet Data Rates
This emulation reproduces the whole SSDP Reflection DDoS attacks clearly and straightforwardly. Users can implement their own DDoS attack by just reconfiguring the superflows in the SSDP Attack Application Simulator. The result is reliable. It matches the real world SSDP reflection/amplification DDoS attack very well. So customers of the Ixia BreakingPoint ATI service can use it to validate their DDoS defenses freely.
Leverage Subscription Service to Stay Ahead of Attacks
The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.