UPnP used in Amplification/Reflection DDoS Attacks
Date: October 7, 2014
The purpose of this Alert is to bring attention to the recent increase in amplification/reflection Distributed Denial of Service (DDoS) attacks using Universal Plug and Play (UPnP).
CCIRC is aware of an increase in the Universal Plug and Play (UPnP) protocol, also known as Simple Service Discovery Protocol (SSDP), being abused by attackers in amplification/reflection DDoS attacks. The affected devices used in these attacks are not the ultimate target, but unknowing accomplices in a DDoS attack on an external system. As other vulnerabilities and methods of exploiting UDP-based protocols for reflection DDoS are remediated, UPnP-based amplification attacks appear to be on the rise.
UPnP/SSDP is a protocol used to discover and remotely manage a wide range of plug and play devices, such as printers, IP cameras, and home routers. This service is often enabled by default and requires no authentication. As in Domain Name System (DNS) and Network Time Protocol (NTP) reflection attacks, an attacker can send a query whose source address is spoofed to that of the target victim. The vulnerable system then unknowingly sends its response to the victim, resulting in a DDoS attack. The technique can produce a 30x amplification factor in an attack.
CCIRC recommends that organizations review the following actions and consider their implementation in the context of their network environment.
- Assess whether UPnP and SSDP are required and consider disabling them.
- If UPnP and SSDP are required, consider placing additional network perimeter devices in line.
- Home users are encouraged to identify and assess any internet facing devices with UPnP enabled.
- Consider rate limiting UDP port 1900.
- Consider implementing source IP verification as outlined in BCP 38 and BCP 84. Links are provided below.
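As an added example (not part of the CCIRC alert), the following Python detector shows what the abuse described above looks like in traffic a defender controls: it parses SSDP datagrams in their real wire format and, over constructed UDP flow records, reports devices on our own network that answer SSDP to off-net addresses, together with the amplification the spoofed victim receives. The 192.0.2.0/24 prefix, the device addresses and the victim address are all constructed for the example.

```python
import ipaddress
from collections import defaultdict
OUR_NET = ipaddress.ip_network("192.0.2.0/24")  # constructed: the network we defend
# Constructed SSDP datagrams in the real wire format (HTTP-style text over UDP/1900).
M_SEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n')

def ssdp_reply(n):
    # One constructed 200 OK as device 192.0.2.<n> sends for each service it advertises.
    return (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nEXT:\r\n"
            b"LOCATION: http://192.0.2.%d:49152/rootDesc.xml\r\n"
            b"SERVER: Constructed/1.0 UPnP/1.0\r\nST: upnp:rootdevice\r\n"
            b"USN: uuid:constructed-%d::upnp:rootdevice\r\n\r\n" % (n, n))

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, payload). 198.51.100.7 is
# the spoofed source (the real victim); 192.0.2.10-12 are exposed devices on our network.
FLOWS = [("192.0.2.50", 50000, "239.255.255.250", 1900, M_SEARCH),     # normal LAN discovery
         ("192.0.2.10", 1900, "192.0.2.50", 50000, ssdp_reply(10)),    # its reply stays on-net
         ("203.0.113.9", 53, "192.0.2.10", 40000, b"\xab\xcd\x01\x00")]  # unrelated UDP
for dev in (10, 11, 12):
    FLOWS.append(("198.51.100.7", 4444, "192.0.2.%d" % dev, 1900, M_SEARCH))
    FLOWS += [("192.0.2.%d" % dev, 1900, "198.51.100.7", 4444, ssdp_reply(dev))] * 6

def ssdp_kind(payload):
    # "request" for M-SEARCH, "response" for 200 OK, None for anything that is not SSDP.
    try:
        start_line = payload.decode("ascii").split("\r\n", 1)[0]
    except UnicodeDecodeError:
        return None
    if start_line.startswith("M-SEARCH * HTTP/1.1"):
        return "request"
    return "response" if start_line.startswith("HTTP/1.1 200") else None

def analyse(flows, our_net=OUR_NET, min_reflectors=3, min_factor=10.0):
    # Report off-net hosts that our devices answer SSDP to, with the amplification they get.
    req_bytes, resp_bytes, reflectors = defaultdict(int), defaultdict(int), defaultdict(set)
    for src, sport, dst, dport, payload in flows:
        kind = ssdp_kind(payload)
        if kind == "request" and dport == 1900 and ipaddress.ip_address(src) not in our_net:
            req_bytes[src] += len(payload)      # M-SEARCH from outside: this device is exposed
        elif kind == "response" and sport == 1900 and ipaddress.ip_address(dst) not in our_net:
            resp_bytes[dst] += len(payload)     # our device answering an off-net address
            reflectors[dst].add(src)
    findings = []
    for victim, total in resp_bytes.items():
        factor = total / req_bytes[victim] if req_bytes[victim] else float("inf")
        if len(reflectors[victim]) >= min_reflectors or factor >= min_factor:
            findings.append({"victim": victim, "reflectors": sorted(reflectors[victim]),
                             "amplification": round(factor, 1)})
    return findings
```

Any M-SEARCH arriving from outside the local network is itself a finding, since SSDP discovery is meant for the local multicast segment; the amplification figure shows how much traffic the spoofed address receives per byte the attacker sent.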
- CCIRC UDP-based Amplification Attacks (AL14-002)
- CCIRC Mitigation Guidelines for Denial of Service Attacks (TR12-001)
- CCIRC DNS Open Resolvers Best Practices (TR13-002)
- US-CERT UDP-based Amplification Attacks Alert (TA14-017A)
- SANS ISC Diary: 1900/UDP (SSDP) Scanning and DDOS
- P. Ferguson and D. Senie. "BCP 38 – Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing"
- F. Baker. "BCP 84 – Ingress Filtering for Multihomed Networks"
Note to Readers
In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.
Please note that CCIRC's PGP key has recently been updated.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118