More than four million UPnP devices could potentially be used as part of an SSDP reflection DDoS attack, the majority of which are in Korea.

Simple Service Discovery Protocol (SSDP) – which is part of the Universal Plug and Play (UPnP) protocol standard – is being abused to carry out reflection and amplification distributed denial-of-service (DDoS) attacks, according to a PLXsert threat advisory released by Akamai.

SSDP enables networked devices to seamlessly connect with each other, such as computers, printers, internet gateways, Wi-Fi access points, mobile devices, cable modems and gaming consoles, the advisory indicates.

Attackers have found that Simple Object Access Protocol (SOAP) – used to deliver control messages to UPnP devices and pass information – requests “can be crafted to elicit a response that reflects and amplifies a packet, which can be redirected towards a target,” according to the advisory.

The amount of amplification is smaller than in other reflection attacks, but it is still an effective attack and is becoming increasingly popular, Chad Seaman, senior security response engineer for PLXsert at Akamai, told SCMagazine.com in a Thursday email correspondence.

“The most effective part of this tactic is the millions of possible reflectors that could be used to launch DDoS attacks,” Seaman said. “With these devices being so widely deployed [in] mostly consumer products, they'll likely go unpatched and unmonitored.”

Specifically, PLXsert found that more than four million internet-facing UPnP devices could potentially be used as part of an SSDP reflection DDoS attack, or roughly 38 percent of 11 million UPnP devices, the majority of which are in Korea, the U.S., Canada, China, Argentina and Japan, the advisory indicates.

Korea claimed the number one spot due to a single, very popular device, Seaman said, preferring not to get into specifics.

“When you're pushing hardware that could be deployed to millions, security should take as much consideration as functionality,” Seaman said. “If this single manufacturer had simply implemented a properly configured UPnP/SSDP client and/or firewall/routing rules, hundreds of thousands of devices wouldn't be vulnerable.”

Attackers are directing the attacks at a wide range of industries, including entertainment, payment processing, education, media and hosting, according to the advisory. In one attack mitigated by Akamai, the company observed traffic peaking at 54.35 Gigabits per second and 17.85 million packets per second.

“As a home user, disable UPnP on your routers and public facing devices that don't require it,” Seaman said. “As a device manufacturer, push firmware updates that properly scope UPnP functionality to the LAN where it belongs.”

Seaman said that victims will see traffic coming from source port 1900. “One method would be to block incoming UDP traffic from port 1900 on public facing services if your organization can handle the overall bandwidth,” he said.
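The detection cue Seaman describes (inbound UDP with source port 1900 arriving from many distinct hosts at a high packet rate) can be turned into a simple check over flow records. The following is an added example written for this article, not code from Akamai, PLXsert or the advisory; it assumes a constructed, space-separated flow-record format (timestamp, protocol, source IP, source port, destination IP, destination port, packets, bytes) and uses sample values that are made up for the example. The mitigation helper emits an iptables rule in the shape of the blocking approach quoted above; the interface name is an assumption.

```python
"""Flag suspected SSDP reflection traffic in flow records.

Added example, not part of the article or the PLXsert advisory.
Flow-record format (constructed for this example):
    timestamp proto src_ip src_port dst_ip dst_port packets bytes
"""
from collections import defaultdict

SSDP_PORT = 1900  # reflected SSDP responses arrive with this UDP source port

# Constructed sample records: five "reflectors" hitting one host, plus unrelated flows.
SAMPLE_FLOWS = """\
1700000000 UDP 198.51.100.10 1900 203.0.113.5 80 1200 384000
1700000000 UDP 198.51.100.11 1900 203.0.113.5 80 1100 352000
1700000000 UDP 198.51.100.12 1900 203.0.113.5 80 1300 416000
1700000000 UDP 198.51.100.13 1900 203.0.113.5 443 900 288000
1700000000 TCP 192.0.2.7 44512 203.0.113.5 443 30 4500
1700000001 UDP 198.51.100.14 1900 203.0.113.5 80 1250 400000
1700000001 UDP 192.0.2.20 53 203.0.113.9 33000 2 300
"""


def parse_flows(text):
    """Parse the constructed flow format into a list of dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, sip, sport, dip, dport, pkts, byts = line.split()
        flows.append({
            "ts": int(ts), "proto": proto,
            "src_ip": sip, "src_port": int(sport),
            "dst_ip": dip, "dst_port": int(dport),
            "packets": int(pkts), "bytes": int(byts),
        })
    return flows


def ssdp_reflection_report(flows, min_reflectors=3, min_pps=1000):
    """Aggregate inbound UDP flows with source port 1900 per destination.

    A destination is flagged when it is hit by at least `min_reflectors`
    distinct source hosts and the aggregate packet rate reaches `min_pps`.
    Thresholds are illustrative; tune them to the monitored link.
    """
    per_dst = defaultdict(lambda: {"reflectors": set(), "packets": 0,
                                   "bytes": 0, "ts": set()})
    for f in flows:
        if f["proto"] != "UDP" or f["src_port"] != SSDP_PORT:
            continue
        entry = per_dst[f["dst_ip"]]
        entry["reflectors"].add(f["src_ip"])
        entry["packets"] += f["packets"]
        entry["bytes"] += f["bytes"]
        entry["ts"].add(f["ts"])

    report = {}
    for dst, e in per_dst.items():
        seconds = max(1, max(e["ts"]) - min(e["ts"]) + 1)  # observation window
        pps = e["packets"] / seconds
        report[dst] = {
            "reflectors": len(e["reflectors"]),
            "packets": e["packets"],
            "bytes": e["bytes"],
            "pps": pps,
            "suspected_ssdp_reflection": (len(e["reflectors"]) >= min_reflectors
                                          and pps >= min_pps),
        }
    return report


def mitigation_rule(iface="eth0"):
    """Return an iptables rule dropping inbound UDP from source port 1900.

    Mirrors the blocking approach described in the article; `iface` is an
    assumed interface name. Apply only if the link can absorb the volume.
    """
    return f"iptables -A INPUT -i {iface} -p udp --sport {SSDP_PORT} -j DROP"


if __name__ == "__main__":
    for dst, info in ssdp_reflection_report(parse_flows(SAMPLE_FLOWS)).items():
        print(dst, info)
    print(mitigation_rule())
```

Because the check keys on the reflected side (source port 1900 inbound), it does not depend on knowing the spoofed victim address the attacker used in the original M-SEARCH requests; it only needs flow visibility at or in front of the host receiving the flood.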