
SSDP Amplification Attack

Acronym:

SSDP Amplification Attack

Full Name:

SSDP Amplification Attack

RFC:

6970

Ports:

1900 UDP

Level:

DDoS Attack / Basic


SSDP Amplification Attack Explanation

  • Attacker scans network looking for plug-and-play devices that can be used to amplify the attack and creates a list of all the devices that respond.



  • The attacker crafts a UDP packet that spoofs the victim's IP address as the source. The objective is to abuse the plug-and-play service request so that the devices send their responses to the target instead of to the attacker.


  • The attacker then normally uses a botnet to send spoofed discovery packets to the plug-and-play devices, requesting as large a response as possible; this is done by setting certain flags in the request.


  • This results in a flood of replies to the victim carrying far more data than the attacker's requests, so the target is overwhelmed and most likely suffers a denial of service.

How SSDP Amplification Attack works



IoA for SSDP Amplification Attack

  • Scan for UPnP devices > Search for traffic to UDP port 1900.


  • UDP packets with a spoofed IP address > Search for UDP port 1900 traffic by destination. It arrives from several hosts to a single destination and is continuous.


  • May vary depending on attack vector.


  • Sometimes the traffic is directed from port 1900 to port 7 (echo).

Why Should you worry?

  • DDoS that can cripple your systems and network.

What can you do?

  • Block incoming traffic to UDP port 1900.


  • Search for UDP port 1900 traffic by destination. It arrives from several hosts to a single destination and is continuous.


  • May vary depending on the attack vector.

  • Sometimes the traffic is directed from port 1900 to port 7 (echo).


  • Apply automation to block the IPs that generate this traffic.
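The detection and blocking steps above, as an added example that is not part of the original page: a pass over flow records that flags a destination receiving continuous UDP traffic from source port 1900 sent by many distinct hosts (including replies aimed at port 7) and returns the replying devices as a block list. The flow records are constructed and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample flow records, not captured traffic:
# (timestamp_seconds, src_ip, src_port, dst_ip, dst_port, protocol, bytes)
SAMPLE_FLOWS = [
    # Benign: one LAN client discovers a device and receives a single reply.
    (0.0, "10.0.0.5", 41000, "239.255.255.250", 1900, "udp", 120),
    (0.1, "10.0.0.20", 1900, "10.0.0.5", 41000, "udp", 350),
] + [
    # Suspicious: 25 different hosts answer from UDP/1900 towards one target,
    # some of them to port 7 (echo), spread over roughly 30 seconds.
    (t * 1.2, f"198.51.100.{t + 1}", 1900, "203.0.113.9",
     7 if t % 5 == 0 else 50000, "udp", 3000)
    for t in range(25)
]


def detect_ssdp_reflection(flows, min_sources=10, min_duration_s=5.0, min_bytes=10000):
    """Flag destinations that receive continuous UDP traffic from source port 1900
    sent by many distinct hosts. Returns one alert dict per flagged destination.
    Thresholds are assumed values; tune them to the monitored network."""
    def empty():
        return {"sources": set(), "bytes": 0, "first": None, "last": None, "dports": set()}
    per_dst = defaultdict(empty)
    for ts, src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp" or sport != 1900:
            continue  # only SSDP replies (source port 1900) are of interest
        s = per_dst[dst]
        s["sources"].add(src)
        s["bytes"] += nbytes
        s["dports"].add(dport)
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    alerts = []
    for dst, s in per_dst.items():
        duration = s["last"] - s["first"]
        if len(s["sources"]) >= min_sources and duration >= min_duration_s and s["bytes"] >= min_bytes:
            alerts.append({
                "target": dst,
                "distinct_reflectors": len(s["sources"]),
                "duration_s": round(duration, 1),
                "bytes": s["bytes"],
                "echo_port_seen": 7 in s["dports"],
                # Hosts to block at the edge: the replying UPnP devices. The real
                # attacker stays hidden behind the spoofed source address.
                "block_list": sorted(s["sources"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_ssdp_reflection(SAMPLE_FLOWS):
        print(alert)
```

The benign discovery exchange produces no alert because it involves a single replying host and a single packet.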
