
CyberSecurity: How can a wireless headphone/printer be used for a DDoS attack?

Imagine this: you have purchased a new pair of wireless headphones. You can’t wait until you get home to try them out, so you unbox them in the car and grab your smartphone. Almost immediately, your phone picks up the wireless headphones, recognizes them and pairs them to your device.

So, how do wireless headphones and printers work?

Your wireless headphones, printer and other home devices generally use the SSDP protocol. Its purpose is to avoid a lengthy setup process: devices are able to communicate with each other as soon as they are plugged in. Here is some brief information about SSDP.

Simple Service Discovery Protocol is a network protocol and the basis of the Universal Plug and Play architecture. Quite simply, it means that devices can find and communicate with each other by plugging them in or turning them on, enabling them to “play” with minimal configuration on the part of the owner. In this regard, it’s very much an invisible networking experience that allows devices to connect automatically.

How do hackers use these wireless smart devices?

Under normal circumstances, the SSDP protocol is used to allow UPnP (Universal Plug and Play) devices to broadcast their existence to other devices on the network. For example, when a UPnP printer is connected to a typical network, after it receives an IP address, the printer is able to advertise its services to computers on the network by sending a message to a special IP address called a multicast address.

The multicast address then tells all the computers on the network about the new printer. Once a computer hears the discovery message about the printer, it makes a request to the printer for a complete description of its services. The printer then responds directly to that computer with a complete list of everything it has to offer. An SSDP attack exploits that final request for services by asking the device to respond to the targeted victim.

Follow these steps to understand how the DDoS attack is performed:

  • First, the attacker conducts a scan looking for plug-and-play devices such as home cameras, printers, etc. that can be utilized as amplification factors.
  • As the attacker discovers networked devices, they create a list of all the devices that respond.
  • The attacker creates a UDP packet with the spoofed IP address of the targeted victim.
  • The attacker then uses a botnet to send a spoofed discovery packet to each plug-and-play device with a request for as much data as possible by setting certain flags, specifically ssdp:rootdevice or ssdp:all.
  • As a result, each device will send a reply to the targeted victim with an amount of data up to about 30 times larger than the attacker’s request.
  • The target then receives a large volume of traffic from all the devices and becomes overwhelmed, potentially resulting in denial of service to legitimate traffic.

How to mitigate SSDP DDoS attacks?

For network administrators, a key mitigation is to block incoming UDP traffic on port 1900 at the firewall. Provided the volume of traffic isn’t enough to overwhelm the network infrastructure, filtering traffic from this port will likely be able to mitigate such an attack.
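To make the attack steps and the mitigation above concrete, here is an added example (not code from the original post) that parses SSDP datagrams, flags the “send everything” search targets the attacker relies on, measures how many bytes a reflector returns per byte of request, and scans UDP flow records for hosts that receive replies from port 1900 without ever having sent a search. All datagrams and flow records are constructed sample data; the search-target set uses the UPnP spec’s spelling `upnp:rootdevice` for the root-device target.

```python
# Added example, not code from the original post: parse SSDP datagrams, flag
# "send everything" searches, measure reply amplification and spot hosts that
# receive UDP/1900 replies without ever having sent a search. All datagrams
# and flow records below are constructed sample data.
from collections import defaultdict

SSDP_PORT = 1900
# Search targets that make a device answer with every service it offers. The
# UPnP spec spells the root-device target "upnp:rootdevice".
BROAD_TARGETS = {"ssdp:all", "upnp:rootdevice"}

def parse_ssdp(datagram: bytes) -> tuple[str, dict]:
    """Return (start line, header map) for an HTTP-style SSDP datagram."""
    lines = datagram.decode("ascii", errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return lines[0], headers

def is_broad_search(datagram: bytes) -> bool:
    """True for an M-SEARCH whose ST asks for all (or all root) devices."""
    start, headers = parse_ssdp(datagram)
    return start.startswith("M-SEARCH") and headers.get("ST", "").lower() in BROAD_TARGETS

def amplification_factor(request: bytes, replies: list[bytes]) -> float:
    """Bytes the reflector sends to the (spoofed) source per byte of request."""
    return sum(len(r) for r in replies) / len(request)

def unsolicited_ssdp_receivers(flows, min_bytes: int) -> dict:
    """flows: (src_ip, src_port, dst_ip, dst_port, nbytes) UDP records. Hosts that
    never sent to UDP/1900 yet receive >= min_bytes from it are candidate victims."""
    searchers = {src for src, _, _, dport, _ in flows if dport == SSDP_PORT}
    received = defaultdict(int)
    for src, sport, dst, _, nbytes in flows:
        if sport == SSDP_PORT and dst not in searchers:
            received[dst] += nbytes
    return {ip: n for ip, n in received.items() if n >= min_bytes}

SAMPLE_MSEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                  b'MAN: "ssdp:discover"\r\nMX: 1\r\nST: ssdp:all\r\n\r\n')
SAMPLE_REPLIES = [(f"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nEXT:\r\n"
                   f"LOCATION: http://192.0.2.10:49152/description.xml\r\n"
                   f"SERVER: Example/1.0 UPnP/1.1\r\nST: {st}\r\nUSN: uuid:0::{st}\r\n\r\n").encode()
                  for st in ["upnp:rootdevice"] + [f"urn:schemas-upnp-org:service:Svc{i}:1" for i in range(7)]]
SAMPLE_FLOWS = [("192.0.2.20", 50123, "239.255.255.250", 1900, 94),  # legitimate local search
                ("192.0.2.10", 1900, "192.0.2.20", 50123, 186),      # reply to that search
                ("203.0.113.5", 1900, "198.51.100.7", 40001, 2048),  # replies to a host that
                ("203.0.113.9", 1900, "198.51.100.7", 40001, 2210)]  # never searched
```

Feeding `unsolicited_ssdp_receivers` real flow export (NetFlow/sFlow) at an edge router gives an early signal that your devices are being used as reflectors or that a host is being targeted, and the amplification factor shows why a single `ssdp:all` query is worth so much to the attacker.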

How to check whether your IP is being used for an attack or not?

Here is an open source tool to check whether your device IP is being used for an attack or not: https://badupnp.benjojo.co.uk/