1900/UDP (SSDP) Scanning and DDOS

Published: 2014-08-31. Last Updated: 2014-08-31 15:50:33 UTC
by Rick Wanner (Version: 1)
2 comment(s)

Over the last few weeks we have detected a significant increase in scanning for 1900/UDP and a much larger increase in 1900/UDP being used for amplified reflective DDOS attacks.  1900/UDP is the Simple Service Discovery Protocol (SSDP), the discovery component of Universal Plug and Play (UPnP). A device that answers SSDP M-SEARCH queries on its Internet-facing interface sends its replies to whatever source address the query carried, so an attacker who spoofs the victim's address gets the device to deliver the larger replies to the victim. The limited information available to me indicates that the majority of the devices being used as reflectors in these DDOS attacks are D-Link routers, along with some other devices, most likely unpatched or unpatchable and still vulnerable to the UPnP flaws HD Moore announced in January 2013.

In the same interval we have also seen a significant decrease in Network Time Protocol (NTP) based DDOS.  The big question in my mind is why the attackers have switched from NTP, which has a maximum amplification factor of 600 plus (via the monlist query), to SSDP, which has an amplification factor of approximately 30.
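To make the amplification figure concrete, the following is an added example (not code from this diary) that builds the M-SEARCH discovery request an attacker spoofs, parses the HTTP-over-UDP replies a UPnP device returns, and computes the bandwidth amplification factor as reflected bytes per request byte. The three replies are constructed for a hypothetical router that advertises three services; the addresses, UUID and SERVER string are placeholders, and a real device that advertises more services (the reason attackers query ST: ssdp:all) reflects correspondingly more.

```python
"""SSDP (1900/UDP) reflection: build the M-SEARCH probe, parse the replies,
and measure the bandwidth amplification factor (BAF).

Added example, not code from the ISC diary. The replies below are constructed
for illustration; the header values are not taken from any real device.
"""
from __future__ import annotations

from dataclasses import dataclass

SSDP_MULTICAST = ("239.255.255.250", 1900)  # well-known SSDP multicast group/port


def build_msearch(search_target: str = "ssdp:all", mx: int = 1) -> bytes:
    """Encode an SSDP M-SEARCH discovery request (HTTP-style, CRLF-terminated).

    Reflection attacks use ST: ssdp:all because a device answers once per
    service it advertises, so one small request yields several replies.
    """
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_MULTICAST[0]}:{SSDP_MULTICAST[1]}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {search_target}",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


@dataclass
class SsdpMessage:
    start_line: str
    headers: dict[str, str]
    size: int

    @property
    def is_msearch(self) -> bool:
        return self.start_line.upper().startswith("M-SEARCH")

    @property
    def is_response(self) -> bool:
        return self.start_line.upper().startswith("HTTP/1.1 200")


def parse_ssdp(datagram: bytes) -> SsdpMessage:
    """Parse one SSDP datagram: start line, then header lines, then a blank line.

    Header names are case-insensitive, so they are folded to upper case.
    Header lines without a colon are skipped rather than raising, because
    reflectors in the wild send sloppy output.
    """
    lines = datagram.decode("ascii", errors="replace").split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return SsdpMessage(start_line=lines[0].strip(), headers=headers, size=len(datagram))


def amplification_factor(request: bytes, responses: list[bytes]) -> float:
    """Bandwidth amplification factor: bytes sent to the victim per request byte."""
    return sum(len(r) for r in responses) / len(request)


def _fake_reply(st: str, usn: str) -> bytes:
    # Constructed reply; 192.0.2.1 is an RFC 5737 documentation address.
    return (
        "HTTP/1.1 200 OK\r\n"
        "CACHE-CONTROL: max-age=1800\r\n"
        "DATE: Sun, 31 Aug 2014 15:50:33 GMT\r\n"
        "EXT:\r\n"
        "LOCATION: http://192.0.2.1:49152/rootDesc.xml\r\n"
        "SERVER: Linux/2.6, UPnP/1.0, Hypothetical-UPnP/1.0\r\n"
        f"ST: {st}\r\n"
        f"USN: {usn}\r\n\r\n"
    ).encode("ascii")


_UUID = "uuid:00000000-0000-0000-0000-000000000001"
SAMPLE_RESPONSES = [
    _fake_reply("upnp:rootdevice", f"{_UUID}::upnp:rootdevice"),
    _fake_reply("urn:schemas-upnp-org:device:InternetGatewayDevice:1",
                f"{_UUID}::urn:schemas-upnp-org:device:InternetGatewayDevice:1"),
    _fake_reply("urn:schemas-upnp-org:service:WANIPConnection:1",
                f"{_UUID}::urn:schemas-upnp-org:service:WANIPConnection:1"),
]


if __name__ == "__main__":
    req = build_msearch()
    print(f"M-SEARCH request: {len(req)} bytes")
    for r in SAMPLE_RESPONSES:
        m = parse_ssdp(r)
        print(f"  reply {m.size} bytes  ST={m.headers['ST']}")
    print(f"amplification factor: {amplification_factor(req, SAMPLE_RESPONSES):.1f}x")
```

The request is 94 bytes while each reply is several hundred, so even a device advertising only three services reflects roughly ten times what it receives; the same parser run over a capture from a suspected reflector gives the real per-device factor, and a device that answers M-SEARCH arriving on its WAN interface at all is the thing to fix.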

If anybody has any more information on this, or, better yet, packet captures from one of the devices being used as a reflector, please let me know!

-- Rick Wanner - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Keywords: DDOS UPnP

Comments

My guess would be because of the amount of available SSDP systems out there: https://ssdpscan.shadowserver.org/
Speaking of unpatched routers, I've been getting a lot of HNAP requests lately. Looks like someone is scanning for vulnerable routers.
