SSDP Amplification Attack Explanation
The attacker scans the network for plug-and-play (UPnP) devices that can be used to amplify the attack and builds a list of every device that responds.
The attacker crafts a UDP packet spoofing the IP address of the victim. The objective is to abuse the plug-and-play service discovery request so that the devices send their responses to the target instead of the attacker.
The attacker then normally uses a botnet to send the spoofed discovery packet to the plug-and-play devices, requesting as much data as possible; this is done by setting certain flags in the request.
The result is a flood of replies to the victim carrying far more data than the attacker sent, which overwhelms the target and typically causes a denial of service.
How SSDP Amplification Attack works
IoA for SSDP Amplification Attack
Scan for UPnP devices > Search for UDP port 1900 traffic.
UDP packet with spoofed IP address > Search for traffic destined to UDP port 1900. It should come from several hosts to a single destination and be continuous.
This may vary depending on the attack vector.
Sometimes traffic is directed from port 1900 to port 7 (echo).
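The indicators above, turned into detection logic as an added example (not part of the original page): the script groups flow records by destination, flags hosts that receive UDP/1900 replies from several distinct sources over a sustained window, notes the port 7 (echo) variant, and emits block rules for the observed reflectors. The flow records and addresses are constructed sample data; the record layout is an assumption.

```python
from collections import defaultdict

SSDP_PORT = 1900
ECHO_PORT = 7

# Constructed sample flow records, not captured traffic (RFC 5737 example addresses):
# (timestamp_s, src_ip, src_port, dst_ip, dst_port, bytes)
FLOWS = [
    (0.0, "198.51.100.10", 1900, "203.0.113.5", 7, 3200),
    (0.2, "198.51.100.11", 1900, "203.0.113.5", 7, 3100),
    (0.4, "198.51.100.12", 1900, "203.0.113.5", 7, 2900),
    (0.6, "198.51.100.10", 1900, "203.0.113.5", 7, 3300),
    (0.8, "198.51.100.13", 1900, "203.0.113.5", 7, 3000),
    (1.0, "198.51.100.20", 1900, "192.0.2.40", 50001, 450),  # one ordinary reply
    (1.1, "192.0.2.9", 43210, "198.51.100.20", 1900, 120),   # ordinary M-SEARCH
]

def ssdp_reflection_targets(flows, min_sources=3, min_flows=4):
    """Group UDP flows with source port 1900 by destination and flag destinations
    fed by several distinct reflectors with sustained traffic (the page's IoA)."""
    per_dst = defaultdict(lambda: {"sources": set(), "flows": 0, "bytes": 0,
                                   "first": None, "last": None, "to_echo": False})
    for ts, src, sport, dst, dport, size in flows:
        if sport != SSDP_PORT:
            continue
        e = per_dst[dst]
        e["sources"].add(src)
        e["flows"] += 1
        e["bytes"] += size
        e["first"] = ts if e["first"] is None else min(e["first"], ts)
        e["last"] = ts if e["last"] is None else max(e["last"], ts)
        e["to_echo"] = e["to_echo"] or dport == ECHO_PORT  # 1900 -> 7 variant
    return {dst: {"sources": sorted(e["sources"]), "flows": e["flows"], "bytes": e["bytes"],
                  "duration_s": e["last"] - e["first"], "to_echo": e["to_echo"]}
            for dst, e in per_dst.items()
            if len(e["sources"]) >= min_sources and e["flows"] >= min_flows}

def block_rules(report):
    """Turn a detection report into iptables rules dropping further SSDP replies
    from the observed reflectors (the page's 'automation to block IPs')."""
    return [f"iptables -A INPUT -p udp --sport {SSDP_PORT} -s {src} -d {dst} -j DROP"
            for dst, e in sorted(report.items()) for src in e["sources"]]

if __name__ == "__main__":
    report = ssdp_reflection_targets(FLOWS)
    for dst, e in report.items():
        print(f"{dst}: {len(e['sources'])} reflectors, {e['flows']} flows, {e['bytes']} bytes "
              f"over {e['duration_s']:.1f}s, echo-port variant={e['to_echo']}")
    print("\n".join(block_rules(report)))
```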
Why Should you worry?
A DDoS attack of this kind can cripple your systems and network.
What can you do?
Block incoming traffic to UDP port 1900.
Monitor for traffic destined to UDP port 1900 that comes from several hosts to a single destination and is continuous.
This may vary depending on the attack vector.
Sometimes traffic is directed from port 1900 to port 7 (echo).
Apply automation to block the IPs that generate this traffic.