UPnP used in Amplification/Reflection DDoS Attacks

Number: AL14-033
Date: October 7, 2014

Purpose

The purpose of this Alert is to bring attention to the recent increase of amplification/reflection Distributed Denial of Service (DDoS) attacks using universal plug and play (UPnP).

Assessment

CCIRC is aware of an increase in the Universal Plug and Play (UPnP) protocol, also known as Simple Service Discovery Protocol (SSDP), being abused by attackers in amplification/reflection DDoS attacks. The affected devices are not the ultimate target of these attacks; they are unknowing accomplices in a DDoS attack against an external system. As other vulnerabilities and methods of exploiting UDP-based protocols for reflection DDoS are remediated, UPnP-based amplification attacks appear to be on the rise.

UPnP/SSDP is a protocol used to discover and remotely manage a wide range of plug and play devices, such as printers, IP cameras, and home routers. The service is often enabled by default and requires no authentication. As with Domain Name System (DNS) and Network Time Protocol (NTP) reflection attacks, an attacker can send a query whose source address is spoofed to that of the target victim. The vulnerable device then unknowingly sends its response to the victim, resulting in a DDoS attack. An attack of this kind can produce a 30x amplification factor.
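As an added illustration that is not part of the original alert, the following Python script shows how a defender can spot the reflection pattern described above in flow records: SSDP queries (UDP/1900) arriving from outside the private address space, and SSDP replies leaving toward external hosts with a large response-to-request byte ratio. The flow records, the "internal" address ranges and the 10x flagging threshold are constructed assumptions.

```python
"""Flag UPnP/SSDP reflection indicators in flow records (added example)."""
import ipaddress

SSDP_PORT = 1900
AMPLIFICATION_THRESHOLD = 10.0  # assumption: a genuine LAN exchange is nowhere near this

# Address space treated as "inside"; anything else is external (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]   # loopback, link-local, multicast

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, bytes).
# 198.51.100.7 is a documentation address standing in for a spoofed victim.
SAMPLE_FLOWS = [
    ("198.51.100.7", 51000, "192.168.1.50", 1900, 90),      # external M-SEARCH reaching a LAN device
    ("192.168.1.50", 1900, "198.51.100.7", 51000, 2700),    # 30x larger reply sent to the spoofed source
    ("192.168.1.20", 52000, "239.255.255.250", 1900, 120),  # legitimate LAN multicast discovery
    ("192.168.1.50", 1900, "192.168.1.20", 52000, 400),     # ordinary LAN reply
]


def is_external(ip):
    """True when the address is outside the ranges we treat as internal."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def analyse(flows):
    """Return devices exposed as reflectors and the amplification ratios observed."""
    query_bytes = {}     # (client_ip, client_port, device_ip) -> request size
    exposed = set()      # internal devices that received SSDP queries from outside
    ratios = {}          # (device_ip, external_ip) -> response bytes / request bytes
    for src, sport, dst, dport, size in flows:
        if dport == SSDP_PORT:                              # an SSDP query
            query_bytes[(src, sport, dst)] = size
            if is_external(src):
                exposed.add(dst)
        elif sport == SSDP_PORT and is_external(dst):       # SSDP reply leaving the network
            request = query_bytes.get((dst, dport, src))    # match the reply to its query
            if request:
                ratios[(src, dst)] = size / request
    flagged = {pair: round(r, 1) for pair, r in ratios.items() if r >= AMPLIFICATION_THRESHOLD}
    return {"exposed_devices": sorted(exposed), "amplification": flagged}


if __name__ == "__main__":
    print(analyse(SAMPLE_FLOWS))
```

A device listed under `exposed_devices` is reachable as a reflector from the Internet and should have UDP/1900 blocked at the perimeter; a flagged ratio is the amplification the page describes, measured from your own traffic.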

Suggested action

CCIRC recommends that organizations review the following actions and consider their implementation in the context of their network environment.

References

CCIRC UDP-based Amplification Attacks AL14-002
http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2014/al14-002-eng.aspx

CCIRC Mitigation Guidelines for Denial of Service Attacks TR12-001
http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2012/tr12-001-eng.aspx

CCIRC DNS Open Resolvers Best Practices TR13-002
http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2013/tr13-002-eng.aspx

US-CERT UDP-based Amplification Attacks Alert (TA14-017A)
https://www.us-cert.gov/ncas/alerts/TA14-017A

SANS ISC Diary: 1900/UDP (SSDP) Scanning and DDOS
https://isc.sans.edu/forums/diary/1900UDP+SSDP+Scanning+and+DDOS/18599

P. Ferguson and D. Senie. “BCP 38 – Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP source Address Spoofing”
http://tools.ietf.org/html/bcp38

F. Baker. “BCP 84 – Ingress Filtering for Multihomed Networks”
http://www.ietf.org/rfc/rfc3704.txt

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that CCIRC's PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
