Security Glossary: DDoS

SSDP Amplification DDoS Attack

A Simple Service Discovery Protocol (SSDP) attack is a type of reflection-based distributed denial-of-service (DDoS) attack that leverages the Universal Plug and Play (UPnP) networking protocols. In an SSDP attack, the attacker directs a large volume of traffic at a targeted victim by abusing SSDP, the protocol used to discover UPnP devices on a network. The goal of the attack is to overwhelm the target’s infrastructure, rendering its web resources inaccessible.

SSDP is a protocol used for the advertisement and discovery of network services and presence information. It operates over UDP and is commonly used in home networks for the seamless communication of devices like printers, routers, and media servers. However, its open and stateless nature makes it susceptible to abuse by attackers.

In an SSDP attack, the attacker sends a request to an SSDP-enabled device with a spoofed source IP address, which is the IP address of the target. The device then responds with a significantly larger amount of data to the target’s IP address, resulting in an amplified traffic volume directed at the victim. This amplification effect can lead to a substantial increase in bandwidth consumption, overwhelming the target’s network and causing service disruptions.

Key characteristics of SSDP attacks include:

  1. Reflection: The attack reflects traffic off SSDP-enabled devices to the target, hiding the attacker’s identity.
  2. Amplification: The attacker exploits the SSDP protocol to generate a larger response from the device than the original request, amplifying the attack’s impact.
  3. UDP Protocol: The use of UDP allows for easy IP address spoofing, as it does not require a connection handshake.

To mitigate SSDP attacks, organizations can implement security measures such as disabling UPnP on devices exposed to the internet, filtering and blocking SSDP traffic at the network perimeter, and monitoring network traffic for signs of unusual activity. Regularly updating and patching network devices can also reduce the risk of exploitation.
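The monitoring measure above can be put into practice with a small flow-log check. The following is an added example, not code from the original glossary: it assumes a simplified CSV flow format (timestamp, protocol, source IP/port, destination IP/port, packets, bytes), a hypothetical local prefix of 192.0.2.0/24, and constructed sample records. It separates the two roles a site can play in an SSDP amplification attack: its UPnP devices being used as reflectors (inbound M-SEARCH from outside, replies on UDP/1900 leaving the perimeter with a high byte ratio), and its hosts being the victim (UDP/1900 replies arriving from outside).

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (hypothetical, not from a real capture).
# Fields: ts,proto,src_ip,src_port,dst_ip,dst_port,packets,bytes
SAMPLE_FLOWS = """\
1,udp,203.0.113.9,40001,192.0.2.10,1900,1,90
2,udp,192.0.2.10,1900,203.0.113.9,40001,12,3600
3,udp,203.0.113.9,40002,192.0.2.11,1900,1,90
4,udp,192.0.2.11,1900,203.0.113.9,40002,10,3000
5,udp,192.0.2.12,1900,192.0.2.13,51000,1,300
6,udp,198.51.100.5,1900,192.0.2.20,3389,40,12000
7,tcp,192.0.2.10,443,203.0.113.9,40003,5,600
"""
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed local prefix

def is_internal(ip, nets=INTERNAL_NETS):
    return any(ipaddress.ip_address(ip) in net for net in nets)

def analyse_ssdp(text, nets=INTERNAL_NETS):
    """Split UDP/1900 flows crossing the perimeter into reflector and victim views."""
    peers = defaultdict(lambda: {"req_bytes": 0, "resp_bytes": 0, "reflectors": set()})
    victims = defaultdict(int)
    for line in text.strip().splitlines():
        _, proto, src, sport, dst, dport, _, nbytes = line.split(",")
        if proto != "udp":
            continue  # SSDP runs over UDP only; other protocols are irrelevant here
        sport, dport, nbytes = int(sport), int(dport), int(nbytes)
        src_in, dst_in = is_internal(src, nets), is_internal(dst, nets)
        if dport == 1900 and not src_in and dst_in:
            peers[src]["req_bytes"] += nbytes        # outside M-SEARCH reaching our devices
        elif sport == 1900 and src_in and not dst_in:
            peers[dst]["resp_bytes"] += nbytes       # our devices answering toward the outside
            peers[dst]["reflectors"].add(src)
        elif sport == 1900 and not src_in and dst_in:
            victims[dst] += nbytes                   # amplified replies landing on our hosts
    return dict(peers), dict(victims)

def ssdp_alerts(text, nets=INTERNAL_NETS, min_ratio=5.0):
    peers, victims = analyse_ssdp(text, nets)
    alerts = []
    for peer, s in peers.items():
        # bytes out / bytes in: a large ratio is the amplification signature
        ratio = s["resp_bytes"] / s["req_bytes"] if s["req_bytes"] else float("inf")
        if s["resp_bytes"] and ratio >= min_ratio:
            alerts.append(f"reflector abuse: {len(s['reflectors'])} internal device(s) sent "
                          f"{s['resp_bytes']} B of SSDP replies to {peer} (ratio {ratio:.1f}x)")
    for host, nbytes in victims.items():
        alerts.append(f"possible victim: {host} received {nbytes} B of SSDP replies from outside")
    return alerts
```

Any external-to-internal flow on UDP/1900 is itself a perimeter-filtering gap, regardless of ratio; the ratio only grades how much amplification the exposed devices are providing.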