SSDP Attacks

SSDP Attacks

Many devices today use Universal Plug and Play (UPnP) in order to communicate. They use the Simple Service Discovery Protocol (SSDP) to tell other devices that they exist on the network. For example, a UPnP printer would broadcast all services it has to offer to all devices on the network. Attackers can spoof traffic to take advantage of these plug-and-play devices in an amplification attack. The attackers messages these UPnP devices using your IP address, and the devices reply with a message that is much larger than the original message. This amplifies the attack and floods your server with useless SSDP packets.

Sample Pcap

Follow the tcpdump guide to record a pcap during an attack to analyze it.

16:47:17.409684 192.168.0.1 > 198.251.81.119: icmp: 192.168.0.2 udp port 1900 unreachable [icmp cksum ok] [tos 0xc0] (ttl 55, id 51372, len 146)
E.......7....8LH..Qw........E..v......!...Qw.8LH...l.b..M-SEARCH * HTTP/1.1
Host:239.255.255.250:1900
ST:ssdp:all
Man:"ssdp:discover"
MX:3

In the above, we see the source IP (192.168.0.1) is sending a UDP packet to 198.251.81.119 port 1900 (our server). The content shows that it is an SSDP packet.

Here are some other packets:

16:47:17.411700 192.168.0.1 > 198.251.81.119: icmp: 172.16.0.1 udp port 1900 unreachable [icmp cksum ok] (ttl 53, id 60583, len 56)
E..8....5..o..	n..Qw..;.....E..vtW....vq..Qw..	n...l.b..
16:47:17.411751 192.168.0.1 > 198.251.81.119: icmp: 10.0.0.1 udp port 1900 unreachable [icmp cksum ok] (ttl 54, id 58810, len 56)
E..8....6.....3...Qw..'.....E..v*.........Qw..3....l.b..
16:47:17.411888 192.168.0.1.46465 > 198.251.81.119.16546: [udp sum ok] udp 498 (DF) (ttl 58, id 0, len 526)
E.....@.:..|H.....Qw..@.....HTTP/1.1 200 OK
CACHE-CONTROL: max-age=1800
DATE: Sat, 25 Jul 2020 00:47:17 GMT
EXT:
LOCATION: http://192.168.1.1:49152/IGDdevicedesc.xml
OPT: "http://schemas.upnp.org/upnp/1/0/"; ns=01
01-NLS: d78a3592-1dd1-11b2-ae53-a94a2ae2af72
SERVER: Linux/2.6.36, UPnP/1.0, Portable SDK for UPnP devices/1.6.17
X-User-Agent: redsonic
ST: urn:schemas-upnp-org:service:LANHostConfigManagement:1
USN: uuid:ebf5a0a0-1dd1-11b2-a93f-94103e83c76b::urn:schemas-upnp-org:service:LANHostConfigManagement:1

This packet is coming from a Linux UPnP device. It could be a printer, a phone, a router...

How to Block

First, you want to make sure that you have no exposed public IPs that are not DDoS filtered. If you are BuyVM, check the web panel to see if any non-filtered IPs are exposed. These should be disabled. You will also want to remove them from any publicly visible DNS records in /var/nsd/zones/master/.

Using the packet filter firewall, you will want to block UDP packets on port 1900. You could put these two rules at the beginning of /etc/pf.conf:

ext_ip="192.168.0.1"
block drop quick proto udp from any to $ext_ip port 1900

A better solution is to block all udp packets except for a few ports that you whitelist:

ext_ip="192.168.0.1"
pass in quick proto udp to $ext_ip port {domain ntp}
block drop quick proto udp to $ext_ip

This would whitelist DNS and NTP packets but drop all other UDP packets.

See Also

DDoS Defense