Radware Emergency Response Team SSDP DDoS Attack Mitigation Version 1.0 Rev. 1 November 10, 2014

TABLE OF CONTENTS

  Executive Summary
  SSDP Overview
  SSDP Reflection DDoS Attack
  SSDP Attacks Mitigation
    Behavioral DoS Protection
    Proposed Signatures
      SSDPResponseSampling
    Signature Thresholds
    Connection Limit

Executive Summary

We have seen a significant decrease in DDoS attacks based on Network Time Protocol (NTP) and a significant increase in scanning for Universal Plug and Play (UPnP) devices and in 1900/UDP being used for Simple Service Discovery Protocol (SSDP) amplified reflective DDoS attacks. This document describes SSDP amplified reflective DDoS attacks, which are on the rise, and several protection actions that can mitigate them. It also describes signatures created to detect abnormal rates of SSDP traffic, which may result from UPnP scans or from SSDP amplification attacks. Each signature is activated only when the anomaly appears in very large numbers, and the customer can modify the threshold values if necessary.

SSDP Overview

SSDP is a network protocol for the advertisement and discovery of network services and presence information. SSDP is the basis of the UPnP discovery protocol. For example, after a printer that supports UPnP is connected, it obtains an IP address from the DHCP server and, using SSDP, announces that it is available by sending a multicast UDP packet from port 1900 using HTTPU (HTTP syntax carried over UDP). SSDP uses port 1900 for both M-SEARCH requests and NOTIFY packets.

SSDP DDoS Attack Mitigation: Radware Emergency Response Team, November 10, 2014 Page 2

An SSDP NOTIFY header contains the following four main fields:

  Host           Packet destination, the multicast IP address 239.255.255.250.
  Cache-Control  The TTL of the notified services.
  Location       Reference to the UPnP device service description, also known as the UPnP root device description.
  NT, NTS        The notify type and notify subtype. For example, UPnP devices on startup send the notify subtype NTS: ssdp:alive, and on shutdown NTS: ssdp:byebye.

An SSDP M-SEARCH header contains the following two main fields:

  Host  Destination, the multicast IP address 239.255.255.250.
  ST    Search Target, the type of service being searched for.

A UPnP device replies to an M-SEARCH packet only when:

  - the value of ST is ssdp:rootdevice,
  - the value of ST is ssdp:all, or
  - the value of ST matches a service that the device advertised in its SSDP NOTIFY packet.

Figure 1: Legitimate SSDP Traffic

SSDP Reflection DDoS Attack

SSDP can yield up to roughly 30-fold amplification of attack traffic, which might explain why attackers are turning to it now. The SSDP attack pattern can be divided into two main parts:

1. Scan phase. The attacker scans for UPnP devices that can serve as amplifiers (reflectors) and compiles a list of active UPnP devices that respond to the attacker's M-SEARCH request.

2. Attack phase. The attacker sends spoofed UDP M-SEARCH packets (carrying the victim's IP address as the source) to the devices found. Each spoofed M-SEARCH carries an ST of ssdp:rootdevice or ssdp:all, and each UPnP device replies to the victim with an amplified answer (bandwidth amplification factor of up to 30) listing all the services it provides.

Figure 2: An attacker generates spoofed M-SEARCH packets with ST ssdp:all or ssdp:rootdevice; the UPnP devices answer the victim.

Figure 3: Example of an M-SEARCH request. The attacker generates a packet with a spoofed source IP and search target ssdp:all in order to get a reply from every UPnP device.

Figure 4: Example of an SSDP response to an M-SEARCH.

Figure 5: Example of 10 SSDP responses to a single M-SEARCH: the device offers 10 services, giving an amplification factor of 10. The length of the packets is marked.
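The following Python script is an added example, not part of the Radware document, that puts the protocol description and the attack section above into code: it builds the M-SEARCH request an attacker spoofs, models which search targets a UPnP device answers under the three rules listed earlier (ssdp:rootdevice, ssdp:all, or an advertised service), generates the unicast 200 OK replies, and computes how many packets and how many bytes come back for one request. The device, its service list, LOCATION URL, UUID and SERVER banner are constructed for the example; nothing is sent on the network.

```python
"""SSDP M-SEARCH / 200 OK message handling with an amplification estimate.
All devices, services and URLs below are constructed for the example."""

SSDP_MCAST = "239.255.255.250"
SSDP_PORT = 1900


def build_msearch(st: str, mx: int = 1) -> bytes:
    """UDP payload of an SSDP M-SEARCH request (HTTPU: HTTP syntax over UDP)."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_MCAST}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def build_response(st: str, location: str, uuid: str) -> bytes:
    """One unicast '200 OK' answer as a UPnP device returns it to the
    (possibly spoofed) source address of an M-SEARCH."""
    lines = [
        "HTTP/1.1 200 OK",
        "CACHE-CONTROL: max-age=1800",
        "EXT:",
        f"LOCATION: {location}",
        "SERVER: Linux/3.x UPnP/1.0 ExampleDevice/1.0",  # constructed banner
        f"ST: {st}",
        f"USN: uuid:{uuid}::{st}",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_ssdp(payload: bytes) -> tuple[str, dict[str, str]]:
    """Split an SSDP message into its start line and an upper-cased header map."""
    head = payload.decode("ascii", errors="replace").partition("\r\n\r\n")[0]
    start_line, *header_lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return start_line, headers


def targets_answered(st: str, advertised: list[str]) -> list[str]:
    """Which search targets a device answers, per the rule in the text:
    the root device, ssdp:all (every advertised service), or an exact match.
    The UPnP spec spells the root-device target upnp:rootdevice; the text
    uses ssdp:rootdevice, so both are accepted here."""
    if st == "ssdp:all":
        return list(advertised)
    if st in ("ssdp:rootdevice", "upnp:rootdevice") or st in advertised:
        return [st]
    return []


def amplification(request: bytes, responses: list[bytes]) -> tuple[int, float]:
    """(response packet count, bandwidth amplification factor =
    total response bytes / request bytes)."""
    total = sum(len(r) for r in responses)
    return len(responses), round(total / len(request), 1)


def reflect(st: str, advertised: list[str], location: str, uuid: str) -> tuple[int, float]:
    """What one device sends back to the spoofed source for a single M-SEARCH."""
    request = build_msearch(st)
    responses = [build_response(t, location, uuid) for t in targets_answered(st, advertised)]
    return amplification(request, responses)


# Constructed device: root device plus a few advertised service types.
DEVICE_SERVICES = [
    "upnp:rootdevice",
    "urn:schemas-upnp-org:device:InternetGatewayDevice:1",
    "urn:schemas-upnp-org:service:WANIPConnection:1",
    "urn:schemas-upnp-org:service:Layer3Forwarding:1",
]
DEVICE_LOCATION = "http://192.0.2.1:49152/rootDesc.xml"   # constructed
DEVICE_UUID = "00000000-0000-0000-0000-000000000001"     # constructed

if __name__ == "__main__":
    for st in ("ssdp:all", "ssdp:rootdevice",
               "urn:schemas-upnp-org:service:WANIPConnection:1", "urn:unknown:1"):
        print(st, reflect(st, DEVICE_SERVICES, DEVICE_LOCATION, DEVICE_UUID))
```

The packet count returned by reflect() is the "amplification factor of 10" the figure caption refers to (one reply per advertised service for ssdp:all); the second value is the bandwidth amplification factor, which is larger because every reply is several times the size of the roughly 90-byte M-SEARCH that triggered it.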

SSDP Attacks Mitigation

There are several ways to mitigate SSDP attacks using Radware DefensePro.

Behavioral DoS Protection

The Behavioral DoS (BDoS) Protection mechanism learns the traffic parameters covered by the policy. Once the rate of traffic is abnormal relative to the expected rates of the learned baseline, BDoS Protection identifies the suspicious parameters and creates a real-time signature. For SSDP 200 OK responses, the signature may match any of the following UDP parameters: checksum, id-num, source-port, frag-offset, source-ip, tos, packet-size, destination-port, destination-ip, fragment, ttl.

Proposed Signatures

SSDPResponseSampling

Description

These attacks are aimed at the victim side, which may be any server or device. The signature samples SSDP responses (UDP packets with source port 1900 carrying HTTP) and tracks only the destination. If there are two signature matches during the activation window, the signature action is activated. Once activated, DefensePro drops only the traffic in excess of the drop threshold.

Signature

  dp signatures-protection filter basic-filters user create SSDPResponseSamplingF0 -p UDP -sp 1900 -rt 3 -om ffffffff -op 48545450 -oc 2 -ol 4
  dp signatures-protection filter advanced-filters user create SSDPResponseSamplingG SSDPResponseSamplingF0
  dp signatures-protection attacks user create 0 -n SSDPResponseSampling -f SSDPResponseSamplingG -at 10000 -tty 20 -dt 6000 -tt 5000

The basic filter matches UDP packets from source port 1900 whose 4-byte content at the configured offset, under the mask ffffffff, equals 48545450, which is the ASCII string "HTTP", i.e. the start of an SSDP "HTTP/1.1 200 OK" response.

Signature Thresholds

  Signature Name        RWID           Tracking Type  Activation (PPS)  Termination (PPS)  Drop (PPS)
  SSDPResponseSampling  1357 (Manual)  sampling       10000             5000               6000
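To show what the SSDPResponseSampling thresholds do to traffic, here is an added Python example (not Radware code and not a DefensePro implementation) that applies the same logic to a constructed packet timeline: it keeps packets with UDP source port 1900 whose payload begins with the 4-byte pattern 48545450 ("HTTP"), counts them per second per destination, activates when the rate reaches 10000 pps, drops only the excess above 6000 pps while active, and terminates once the rate falls to 5000 pps or below. It assumes the page's offset 48 selects the first four bytes of the UDP payload; the victim address, reflector addresses and payloads are constructed, and the two-match activation detail from the description is not modelled.

```python
"""Rate-based detection modelled on the SSDPResponseSampling signature:
match SSDP 200 OK responses, track pps per destination, activate at 10000,
drop the excess above 6000 while active, terminate at or below 5000.
The traffic below is constructed; no live capture is read."""

from collections import defaultdict
from dataclasses import dataclass

ACTIVATION_PPS = 10000                   # -at 10000
DROP_PPS = 6000                          # -dt 6000
TERMINATION_PPS = 5000                   # -tt 5000
HTTP_MAGIC = bytes.fromhex("48545450")   # -op 48545450 == b"HTTP"
SSDP_PORT = 1900


@dataclass(frozen=True)
class Packet:
    ts: int        # capture time, whole seconds
    src_ip: str
    sport: int
    dst_ip: str
    dport: int
    payload: bytes


def matches_ssdp_response(pkt: Packet) -> bool:
    """Basic-filter equivalent. Assumption: the page's offset 48 under mask
    ffffffff lands on the first four bytes of the UDP payload, so the check is
    payload[0:4] == b"HTTP"; NOTIFY and M-SEARCH messages therefore do not match."""
    return pkt.sport == SSDP_PORT and pkt.payload[:4] == HTTP_MAGIC


def run_signature(packets: list[Packet]) -> dict[str, dict]:
    """Per-destination threshold state machine. Returns, per victim IP, the
    seconds at which the signature activated, the packets that would have been
    dropped, and the observed matching pps per second."""
    pps: dict[str, dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for p in packets:
        if matches_ssdp_response(p):
            pps[p.dst_ip][p.ts] += 1

    report: dict[str, dict] = {}
    for dst, per_sec in pps.items():
        active, dropped, activated_at = False, 0, []
        for ts in sorted(per_sec):
            rate = per_sec[ts]
            if not active and rate >= ACTIVATION_PPS:
                active = True
                activated_at.append(ts)
            if active:
                dropped += max(0, rate - DROP_PPS)   # only the excess is dropped
                if rate <= TERMINATION_PPS:
                    active = False
        report[dst] = {"activated_at": activated_at, "dropped": dropped, "pps": dict(per_sec)}
    return report


# Constructed payloads: a minimal 200 OK reply and an ssdp:alive NOTIFY.
SSDP_OK = b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\nUSN: uuid:1::upnp:rootdevice\r\n\r\n"
SSDP_NOTIFY = b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNTS: ssdp:alive\r\n\r\n"
VICTIM = "198.51.100.10"   # constructed victim address


def sample_traffic() -> list[Packet]:
    """Constructed timeline: a quiet second, then a reflection burst that ramps
    down, plus SSDP NOTIFY and DNS packets each second that must not count."""
    burst = {0: 100, 1: 12000, 2: 8000, 3: 4000, 4: 7000}
    pkts: list[Packet] = []
    for ts, n in burst.items():
        for i in range(n):
            # many distinct UPnP reflectors, all answering from source port 1900
            pkts.append(Packet(ts, f"192.0.2.{i % 250 + 1}", SSDP_PORT, VICTIM, 40000 + i % 1000, SSDP_OK))
        pkts.append(Packet(ts, "192.0.2.7", SSDP_PORT, "239.255.255.250", SSDP_PORT, SSDP_NOTIFY))
        pkts.append(Packet(ts, "192.0.2.53", 53, VICTIM, 50000, b"\x12\x34\x81\x80"))
    return pkts


if __name__ == "__main__":
    for dst, r in run_signature(sample_traffic()).items():
        print(dst, "activated at", r["activated_at"], "dropped", r["dropped"], r["pps"])
```

On the constructed burst the signature activates in second 1 (12000 pps), drops 6000 then 2000 packets in seconds 1 and 2, terminates in second 3 (4000 pps), and stays inactive in second 4 because 7000 pps is above the termination threshold but below the activation threshold, which is the hysteresis the three separate thresholds provide.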

Connection Limit

Another way to mitigate SSDP attacks is Connection Limit Protection. Limit the rate of all connections with UDP source port 1900 to avoid a high rate of abnormal SSDP traffic (Configuration perspective > Network Protection > Connection Limit Protection). Radware recommends configuring this protection in Report Only mode.

North America: Radware Inc., 575 Corporate Drive, Mahwah, NJ 07430, Tel: +1-888-234-5763
International: Radware Ltd., 22 Raoul Wallenberg St., Tel Aviv 69710, Israel, Tel: 972 3 766 8666

2014 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective owners. Printed in the U.S.A.