Radware Emergency Response Team SSDP DDoS Attack Mitigation Version 1.0 Rev. 1 November 10, 2014
TABLE OF CONTENTS
Executive Summary
SSDP Overview
SSDP Reflection DDoS Attack
SSDP Attacks Mitigation
  Behavioral DoS Protection
  Proposed Signatures
    SSDPResponseSampling
    Signature Thresholds
  Connection Limit

Executive Summary

We have seen a significant decrease in DDoS attacks based on the Network Time Protocol (NTP) and a significant increase in scanning for Universal Plug and Play (UPnP) devices, with 1900/UDP, the Simple Service Discovery Protocol (SSDP) port, being used for amplified reflective DDoS attacks. This document describes SSDP amplified reflective DDoS attacks, which are on the rise, and several protection actions that can mitigate them. It also describes signatures created to detect abnormal rates of SSDP traffic, which may result from UPnP scans or SSDP amplification attacks. Each signature is activated only when the anomaly appears in very large numbers, and the customer can modify the threshold values if necessary.

SSDP Overview

SSDP is a network protocol for advertisement and discovery of network services and presence information, and it is the basis of the UPnP discovery protocol. For example, after a printer that supports UPnP is connected, it obtains an IP address from the DHCP server and uses SSDP to announce its availability by sending a multicast UDP packet to 239.255.255.250 on port 1900 using HTTPU (HTTP carried over UDP). SSDP uses port 1900 both for M-SEARCH requests and for NOTIFY packets.

SSDP DDoS Attack Mitigation: Radware Emergency Response Team, November 10, 2014 Page 2
An SSDP NOTIFY header contains the following four main fields:

Host: Packet destination, the multicast IP address 239.255.255.250 (port 1900).
Cache-Control: The TTL of the notified services.
Location: Reference to the UPnP device service description, also known as the UPnP root device description.
NT, NTS: The notify type and notify subtype. For example, on startup a UPnP device sends NTS: ssdp:alive, and on shutdown it sends NTS: ssdp:byebye.

An SSDP M-SEARCH header contains the following two main fields:

Host: Destination, the multicast IP address 239.255.255.250 (port 1900).
ST: Search Target, the type of service being searched for.

A UPnP device replies to an M-SEARCH packet only when one of the following holds:
- The value of ST is ssdp:rootdevice.
- The value of ST is ssdp:all.
- The value of ST matches a service that the device advertised in its SSDP NOTIFY packet.

Figure 1: Legitimate SSDP Traffic
SSDP Reflection DDoS Attack

SSDP can yield up to a 30-fold amplification of the attack traffic, which may explain why attackers are turning to it now. The SSDP attack pattern can be divided into the following two main parts:

1. Scan phase. The attacker scans for UPnP devices in order to find amplifiers, then builds a list of the active UPnP devices that responded to the attacker's M-SEARCH request.

2. Attack phase. The attacker sends spoofed UDP M-SEARCH packets, whose source IP address is that of the victim, to the devices found in the scan. The spoofed M-SEARCH packets carry ST: ssdp:rootdevice or ST: ssdp:all, and each UPnP device replies to the victim with an amplified answer (a bandwidth amplification factor of up to 30) listing all the services it provides.

Figure 2: An attacker generates spoofed M-SEARCH packets with ST ssdp:all or ssdp:rootdevice; the UPnP devices answer the victim.
Figure 3: Example of an M-SEARCH request. The attacker generates a packet with a spoofed source IP and service type ssdp:all in order to get a reply from every UPnP device.

Figure 4: Example of SSDP responses to an M-SEARCH: 10 SSDP responses to a single M-SEARCH, one per service offered by the device, giving an amplification factor of 10. The length of each packet is marked.
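The following script is an added illustration for this advisory and is not Radware code: it models the reply rules from the SSDP Overview (a device answers only ssdp:rootdevice, ssdp:all, or an ST it advertised) and then measures the fan-out the Attack phase relies on, counting responses per request and the bandwidth amplification factor. Nothing is sent on the wire; the device UUID, its advertised services, the LOCATION URL and all addresses are constructed, and the attacker's spoofed source IP is noted only in comments because it lives in the IP header, not in the SSDP payload.

```python
"""Simulated SSDP M-SEARCH exchange and amplification measurement (added example)."""

SSDP_MCAST_ADDR = "239.255.255.250"
SSDP_PORT = 1900
CRLF = "\r\n"


def httpu(start_line: str, headers: list[tuple[str, str]]) -> bytes:
    """Encode one HTTPU message: HTTP/1.1 syntax carried in a single UDP datagram."""
    lines = [start_line] + [f"{k}: {v}" for k, v in headers]
    return (CRLF.join(lines) + CRLF + CRLF).encode()


def build_msearch(st: str, mx: int = 1) -> bytes:
    """The M-SEARCH an attacker sends; the spoofed (victim) source IP is in the IP header, not here."""
    return httpu("M-SEARCH * HTTP/1.1", [
        ("HOST", f"{SSDP_MCAST_ADDR}:{SSDP_PORT}"),
        ("MAN", '"ssdp:discover"'),
        ("MX", str(mx)),
        ("ST", st),
    ])


def parse_httpu(datagram: bytes) -> tuple[str, dict[str, str]]:
    """Split an HTTPU datagram into its start line and lower-cased headers."""
    text = datagram.decode("utf-8", errors="replace")
    head = text.split(CRLF + CRLF, 1)[0]          # ignore anything after the blank line
    start_line, *header_lines = head.split(CRLF)
    headers: dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return start_line, headers


class UPnPDevice:
    """A UPnP root device that announced a list of NT values with ssdp:alive (constructed model)."""

    def __init__(self, uuid: str, location: str, advertised: list[str]):
        self.uuid = uuid
        self.location = location
        self.advertised = advertised

    def response(self, st: str) -> bytes:
        """One 200 OK, with the Location field the advisory describes, for a single search target."""
        return httpu("HTTP/1.1 200 OK", [
            ("CACHE-CONTROL", "max-age=1800"),
            ("EXT", ""),
            ("LOCATION", self.location),
            ("SERVER", "Linux/3.x UPnP/1.0 example/1.0"),
            ("ST", st),
            ("USN", f"uuid:{self.uuid}::{st}"),
        ])

    def answer(self, request: bytes) -> list[bytes]:
        """Reply rules from the overview: ssdp:rootdevice, ssdp:all, or an ST the device advertised."""
        start_line, h = parse_httpu(request)
        if not start_line.startswith("M-SEARCH") or h.get("man") != '"ssdp:discover"':
            return []
        st = h.get("st", "")
        if st == "ssdp:rootdevice":
            return [self.response("upnp:rootdevice")]
        if st == "ssdp:all":
            # one 200 OK per advertised entry: this fan-out is what the attack phase exploits
            return [self.response(nt) for nt in self.advertised]
        if st in self.advertised:
            return [self.response(st)]
        return []


def amplification(request: bytes, responses: list[bytes]) -> tuple[int, float]:
    """(packet amplification, bandwidth amplification factor) for one request and its replies."""
    return len(responses), sum(len(r) for r in responses) / len(request)


def demo() -> tuple[int, float]:
    # Constructed reflector: a gateway advertising its root device, device type and eight services (10 NTs),
    # mirroring the 10-responses-per-M-SEARCH case shown in the advisory's figure.
    device = UPnPDevice(
        uuid="3f1b2c4d-0000-4000-8000-000000000001",
        location="http://192.0.2.10:49152/rootDesc.xml",
        advertised=["upnp:rootdevice", "urn:schemas-upnp-org:device:InternetGatewayDevice:1"]
                   + [f"urn:schemas-upnp-org:service:Service{i}:1" for i in range(1, 9)],
    )
    # Attack phase: the request arrives with the victim's address as source; the device cannot
    # verify that and sends every reply to the victim.
    request = build_msearch("ssdp:all")
    return amplification(request, device.answer(request))


if __name__ == "__main__":
    n, baf = demo()
    print(f"{n} responses to one M-SEARCH, bandwidth amplification {baf:.1f}x")
```

The byte ratio is larger than the packet count because every 200 OK carries the full header set while the M-SEARCH is under 100 bytes; that is the gap between the "10 responses" in the figure and the up-to-30-fold figure quoted above.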
SSDP Attacks Mitigation

There are several ways to mitigate SSDP attacks using Radware DefensePro.

Behavioral DoS Protection

The Behavioral DoS (BDoS) Protection mechanism learns the traffic parameters covered by the policy. Once the traffic rate becomes abnormal relative to the expected rates of the learned baseline, BDoS Protection identifies the suspicious parameters and creates a real-time signature. For SSDP 200 OK responses, the signature may match on the following UDP parameters: checksum, id-num, source-port, frag-offset, source-ip, tos, packet-size, destination-port, destination-ip, fragment, ttl.

Proposed Signatures

SSDPResponseSampling

Description

These attacks are aimed at the victim side, which may be any server or device. The signature samples SSDP responses, that is, UDP packets with source port 1900 carrying HTTP (the -op value 48545450 below is the ASCII string "HTTP"), and tracks them by destination only. If there are two signature matches during the Activation Threshold, the signature action is activated. Once activated, DefensePro drops only the traffic in excess of the Drop Threshold.

Signature

dp signatures-protection filter basic-filters user create SSDPResponseSamplingF0 -p UDP -sp 1900 -rt 3 -om ffffffff -op 48545450 -oc 2 -ol 4
dp signatures-protection filter advanced-filters user create SSDPResponseSamplingG SSDPResponseSamplingF0
dp signatures-protection attacks user create 0 -n SSDPResponseSampling -f SSDPResponseSamplingG -at 10000 -tty 20 -dt 6000 -tt 5000

Signature Thresholds

Signature Name        RWID           Tracking Type   Activation (PPS)   Termination (PPS)   Drop (PPS)
SSDPResponseSampling  1357 (Manual)  sampling        10000              5000                6000
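The script below is an added illustration for this advisory, not DefensePro's implementation: it applies the SSDPResponseSampling filter (UDP, source port 1900, "HTTP" in the payload) to a constructed packet capture, buckets the matches per destination per second, and walks the rates through the activation, drop and termination thresholds from the table. Two points are assumptions rather than statements from the advisory: that the 0x48545450 pattern is matched at the start of the UDP payload, where an SSDP "HTTP/1.1 200 OK" response places it, and that "two signature matches" means the rate must reach the Activation Threshold in two consecutive one-second samples. The packet records, addresses and field names are constructed.

```python
"""Rate-based detection of reflected SSDP responses (added example, not DefensePro code)."""
from collections import Counter, defaultdict

SSDP_PORT = 1900
# The advisory's basic filter looks for 0x48545450 ("HTTP") in UDP datagrams from port 1900.
# Assumption: the pattern is matched at the start of the payload, as in "HTTP/1.1 200 OK".
HTTP_MAGIC = bytes.fromhex("48545450")

# Thresholds from the Signature Thresholds table, in packets per second toward one destination.
ACTIVATION_PPS = 10000
TERMINATION_PPS = 5000
DROP_PPS = 6000


def matches_signature(pkt: dict) -> bool:
    """Does one packet record match the SSDPResponseSampling filter?"""
    return (pkt["proto"] == "UDP"
            and pkt["sport"] == SSDP_PORT
            and pkt["payload"].startswith(HTTP_MAGIC))


def per_second_counts(packets: list[dict]) -> dict[str, Counter]:
    """Matching packets per destination per one-second bucket: the sampled rate."""
    counts: dict[str, Counter] = defaultdict(Counter)
    for p in packets:
        if matches_signature(p):
            counts[p["dst"]][int(p["ts"])] += 1
    return counts


def evaluate(rates: Counter, activation: int = ACTIVATION_PPS,
             termination: int = TERMINATION_PPS, drop: int = DROP_PPS) -> list[dict]:
    """Walk one destination's per-second rates through the activate / drop / terminate cycle.

    Assumed reading of the advisory: activate after the rate reaches the activation
    threshold in two consecutive seconds; while active, drop whatever exceeds the drop
    threshold; terminate once the rate falls to or below the termination threshold.
    """
    active = False
    hot_seconds = 0
    timeline = []
    for second in sorted(rates):
        rate = rates[second]
        dropped = 0
        if not active:
            hot_seconds = hot_seconds + 1 if rate >= activation else 0
            if hot_seconds >= 2:
                active = True
        if active:
            if rate <= termination:
                active = False          # hysteresis: termination is below activation
                hot_seconds = 0
            else:
                dropped = max(0, rate - drop)   # only the excess over the drop threshold
        timeline.append({"second": second, "rate": rate, "active": active, "dropped": dropped})
    return timeline


def synth(second: int, n: int, sport: int = SSDP_PORT,
          payload: bytes = b"HTTP/1.1 200 OK\r\n", dst: str = "198.51.100.7") -> list[dict]:
    """Constructed packet records: n UDP datagrams toward dst spread across one second."""
    return [{"ts": second + i / max(n, 1), "proto": "UDP", "src": f"192.0.2.{i % 200 + 1}",
             "sport": sport, "dst": dst, "dport": 40000, "payload": payload}
            for i in range(n)]


def constructed_capture() -> list[dict]:
    """Background SSDP chatter, then a reflected flood that ramps up and decays (constructed)."""
    pkts = synth(0, 100)
    pkts += synth(0, 50, payload=b"NOTIFY * HTTP/1.1\r\n")       # advertisements, not 200 OK
    pkts += synth(0, 30, sport=53, payload=b"\x12\x34\x81\x80")   # unrelated DNS replies
    for second, rate in [(1, 12000), (2, 15000), (3, 9000), (4, 4000), (5, 100)]:
        pkts += synth(second, rate)
    return pkts


def run() -> list[dict]:
    """Apply the filter to the capture and evaluate the victim's timeline."""
    counts = per_second_counts(constructed_capture())
    return evaluate(counts["198.51.100.7"])


if __name__ == "__main__":
    for row in run():
        print(row)
```

In the constructed capture the flood reaches 12000 and then 15000 pps: the second hot sample activates the signature, 9000 then 3000 packets per second are dropped above the 6000 pps ceiling, and the 4000 pps sample terminates it. The NOTIFY and DNS packets never count, which is the reason the filter keys on "HTTP" rather than on port 1900 alone.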
Connection Limit

Another way to mitigate SSDP attacks is Connection Limit Protection. Limit the connection rate of all UDP source port 1900 traffic to avoid a high rate of abnormal SSDP traffic (Configuration perspective > Network Protection > Connection Limit Protection). Radware recommends configuring this protection in Report Only mode.

North America: Radware Inc., 575 Corporate Drive, Mahwah, NJ 07430, Tel: +1-888-234-5763
International: Radware Ltd., 22 Raoul Wallenberg St., Tel Aviv 69710, Israel, Tel: 972 3 766 8666

2014 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective owners. Printed in the U.S.A.