SSDP DDoS Advisory: Highlights

A New DDoS Threat

Overview
In June of 2014, Akamai first observed a new type of
DDoS attack
The attack is a reflection-and-amplification attack
powered by SSDP (Simple Service Discovery Protocol)
The protocol is used by a wide array of networked home
and office devices; more than 4 million devices worldwide
have been found to be vulnerable
The attack is likely to continue evolving and expanding
into the DDoS-for-hire ecosystem

2014 AKAMAI | FASTER FORWARDTM

What is SSDP?
SSDP is short for Simple Service Discovery Protocol, a part of
the Universal Plug and Play (UPnP) protocol standard
Common networked home and office devices, such as
webcams and routers, use it to seamlessly discover each other
on a network, share data, and communicate
Communication takes place using SOAP (Simple Object
Access Protocol), which is used to deliver control messages to
UPnP devices and pass information back
By default, many devices are configured to take SOAP
requests directly from the Internet, making them vulnerable to
abuse by malicious actors

2014 AKAMAI | FASTER FORWARDTM

How does it work?

First, attackers use scanning tools to search the Internet
for internet-facing UPnP devices vulnerable to abuse as
reflectors
Attackers then craft SOAP (Simple Object Access
Protocol) requests with spoofed source IP pointing at the
target, and send them at the identified reflectors
The devices respond with larger SOAP messages
containing the requested information, amplifying the
attack traffic by about 33%

2014 AKAMAI | FASTER FORWARDTM

Observed Distribution and Analysis

A scan by PLXsert found more than 4 million Internet-facing UPnP
devices potentially vulnerable to use as a reflector in this type of
attack
These devices are distributed all over the globe, with Korea, the US,
Canada, China, Argentina, and Japan having the highest number

2014 AKAMAI | FASTER FORWARDTM

System Hardening and Mitigation

Due to the wide distribution and nearly-nonexistent patch and
update processes from vendors, this presents a major
challenge for mitigation and cleanup
As a result of mismanagement and misconfiguration, millions
of vulnerable devices have been placed in homes and
enterprises
To avoid contributing to this threat, download the full threat
advisory at www.stateoftheinternet.com/ssdp

2014 AKAMAI | FASTER FORWARDTM

Observed Campaigns
One campaign successfully mitigated by Akamai used a large
number of UPnP devices to target an Akamai customer
Peak traffic from the attacker reached 54.35 Gbps and 17.95
Mpps
UPnP-based reflection attacks have been directed at a variety
of industries since July, including entertainment, payment
processing, education, media, and hosting
Akamai
Scrubbing Center

San Jose

London

Hong Kong

Washington
D.C.

Frankfurt

Peak bits per

second (bps)

6.60 Gbps

6.60 Gbps

20.40 Gbps

11.25 Gbps 9.50 Gbps

Peak packets per

second (pps)

2.05 Mpps

1.20 Mpps

5.60 Mpps

1.90 Mpps

7.10 Mpps

2014 AKAMAI | FASTER FORWARDTM

Conclusion
The DDoS ecosystem is continually evolving just a few
months after the first observed attack, several tools had
already spread throughout the ecosystem and many attacks
had been launched
The massive volume of vulnerable devices and difficulties of
cleanup mean that the attack is likely to become a continuing
part of the DDoS-for-hire ecosystem
Further development and refinement of UPnP attack is likely to
continue in the near future
Action from firmware, application, and hardware vendors will
be necessary to mitigate this threat

2014 AKAMAI | FASTER FORWARDTM

SSDP Reflection DDoS Threat Advisory

Download the full SSDP Threat Advisory from Akamai
The report includes:

Replication of a reflection attack

Source code from SSDP scanning and attack tools
Details of an attack mitigated by Akamai
Analysis of vulnerable UPnP devices worldwide
How to identify SSDP reflection attacks
Mitigation for vulnerable devices
DDoS mitigation

2014 AKAMAI | FASTER FORWARDTM

About Akamai
Akamai is the leading provider of cloud services for helping enterprises
provide secure, high-performing user experiences on any device,
anywhere. At the core of the Company's solutions is the Akamai
Intelligent Platform providing extensive reach, coupled with unmatched
reliability, security, visibility and expertise. Akamai helps enterprises
around the world optimize the web experience with SaaS cloud
computing solutions including web application acceleration, mobile and
web performance optimization, web media delivery and content delivery
network (CDN) services, Akamai's cloud security solutions protect online
assets against threats such as SQL Injection and DDoS attacks for
maximum information security. Akamai removes the complexities of
connecting the increasingly mobile world, supporting 24/7 consumer
demand, and enabling enterprises to securely leverage the cloud.

2014 AKAMAI | FASTER FORWARDTM