SSDP Distributed Reflection Denial of Service (DrDoS) Attacks may be biggest threat – Traffic Sample & Snort Rule

By | August 23, 2015

SSDP Distributed Reflection Denial of Service attacks are on the rise and may be the biggest threat right now. SSDP does not have the largest amplification factor, but it may have the largest pool of vulnerable systems that can be abused as reflectors. Open source reports indicate that there are over 5 million vulnerable systems worldwide as of August 2015. One of our dedicated servers was attacked by this DoSnet earlier this morning. We detected over 155,000 unique IP addresses involved in the attack and bandwidth spikes from 100MB/sec to 500MB/sec; the actual statistics cannot be confirmed because there was massive packet loss. So what does this attack look like? Here are a few packets, with the source IP addresses stripped out so as not to help attackers add to their DrDoSnets.

2015-08-22 02:09:11 IP 1.1.1.1.1900 > 192.168.1.108.80: UDP, length 259

….E…..@.8….3….w..l.P….HTTP/1.1 200 OK

Server: Custom/1.0 UPnP/1.0 Proc/Ver

EXT:

Location: hxxp://192.168.1.1:5431/dyndev/uuid:0000b018-d0a0-00b0-f0a0-486800b808b0

Cache-Control:max-age=1800

ST:upnp:rootdevice

USN:uuid:0000b018-d0a0-00b0-f0a0-486800b808b0::upnp:rootdevice

2015-08-22 02:09:11 IP 1.1.1.1.1900 > 192.168.1.108.80: UDP, length 268

….E..(..@.8….3….w..l.P..DSHTTP/1.1 200 OK

Server: Custom/1.0 UPnP/1.0 Proc/Ver

EXT:

Location: hxxp://192.168.1.1:5431/dyndev/uuid:0000b018-d0a0-00b0-f0a0-486800b808b0

Cache-Control:max-age=1800

ST:uuid:0000b018-d0a0-00b0-f0a0-486800b808b0

USN:uuid:0000b018-d0a0-00b0-f0a0-486800b808b0

….E…..@.6….v.S..w..l.P…CHTTP/1.1 200 OK

Server: Custom/1.0 UPnP/1.0 Proc/Ver

EXT:

Location: hxxp://192.168.1.1:5431/dyndev/uuid:cc5d4e7c-2f41-412f-7c4e-5dcc5d7c4100

Cache-Control:max-age=1800

ST:upnp:rootdevice

USN:uuid:cc5d4e7c-2f41-412f-7c4e-5dcc5d7c4100::upnp:rootdevice

….E..g..@.8.

..3….w..l.P.S..HTTP/1.1 200 OK

Server: Custom/1.0 UPnP/1.0 Proc/Ver

EXT:

Location: hxxp://192.168.1.1:5431/dyndev/uuid:0000b018-d0a0-00b0-f0a0-486800b808b0

Cache-Control:max-age=1800

ST:urn:schemas-upnp-org:device:InternetGatewayDevice:1

USN:uuid:0000b018-d0a0-00b0-f0a0-486800b808b0::urn:schemas-upnp-org:device:InternetGatewayDevice:1

….E..(..@.6….v.S..w..l.P…

HTTP/1.1 200 OK

Server: Custom/1.0 UPnP/1.0 Proc/Ver

EXT:

Location: hxxp://192.168.1.1:5431/dyndev/uuid:cc5d4e7c-2f41-412f-7c4e-5dcc5d7c4100

Cache-Control:max-age=1800

ST:uuid:cc5d4e7c-2f41-412f-7c4e-5dcc5d7c4100

USN:uuid:cc5d4e7c-2f41-412f-7c4e-5dcc5d7c4100

….E(.!w.@.:…..M…w..l.P.^M+UHTTP/1.1 200 OK

Server: Custom/1.0 UPnP/1.0 Proc/Ver

EXT:

Location: hxxp://192.168.1.254:5431/dyndev/uuid:0000e0f8-20a0-00e0-80a0-48b8005808e0

Cache-Control:max-age=1800

ST:upnp:rootdevice

USN:uuid:0000e0f8-20a0-00e0-80a0-48b8005808e0::upnp:rootdevice

….E(.*w.@.:…..M…w..l.P…=HTTP/1.1 200 OK

Server: Custom/1.0 UPnP/1.0 Proc/Ver

EXT:

Location: hxxp://192.168.1.254:5431/dyndev/uuid:0000e0f8-20a0-00e0-80a0-48b8005808e0

Cache-Control:max-age=1800

ST:uuid:0000e0f8-20a0-00e0-80a0-48b8005808e0

USN:uuid:0000e0f8-20a0-00e0-80a0-48b8005808e0

….E..g..@.6….v.S..w..l.P.S{.HTTP/1.1 200 OK

Server: Custom/1.0 UPnP/1.0 Proc/Ver

EXT:

Location: hxxp://192.168.1.1:5431/dyndev/uuid:cc5d4e7c-2f41-412f-7c4e-5dcc5d7c4100

Cache-Control:max-age=1800

ST:urn:schemas-upnp-org:device:InternetGatewayDevice:1

USN:uuid:cc5d4e7c-2f41-412f-7c4e-5dcc5d7c4100::urn:schemas-upnp-org:device:InternetGatewayDevice:1

….E…w.@.7..Dl(….w..l.P….HTTP/1.1 200 OK

Server: Custom/1.0 UPnP/1.0 Proc/Ver

EXT:

Location: hxxp://192.168.1.1:5431/dyndev/uuid:0000b018-d0a0-00b0-f0a0-486800b808b0

Cache-Control:max-age=1800

ST:upnp:rootdevice

USN:uuid:0000b018-d0a0-00b0-f0a0-486800b808b0::upnp:rootdevice

….E..(..@.8.. .3….w..l.P….HTTP/1.1 200 OK

Server: Custom/1.0 UPnP/1.0 Proc/Ver

EXT:

Location: hxxp://192.168.1.1:5431/dyndev/uuid:0000b018-d0a0-00b0-f0a0-486800b808b0

Cache-Control:max-age=1800

ST:uuid:0000b018-d0a0-00b0-f0a0-486801b8f8d8

USN:uuid:0000b018-d0a0-00b0-f0a0-486801b8f8d8

….E.._..@.6….v.S..w..l.P.K.%HTTP/1.1 200 OK

Server: Custom/1.0 UPnP/1.0 Proc/Ver

EXT:

Location: hxxp://192.168.1.1:5431/dyndev/uuid:cc5d4e7c-2f41-412f-7c4e-5dcc5d7c4100

Cache-Control:max-age=1800

ST:urn:schemas-upnp-org:service:Layer3Forwarding:1

USN:uuid:cc5d4e7c-2f41-412f-7c4e-5dcc5d7c4100::urn:schemas-upnp-org:service:Layer3Forwarding:1

….E…`.@.8..F.7H…w..l.P..MZHTTP/1.1 200 OK

Server: Custom/1.0 UPnP/1.0 Proc/Ver

EXT:

Location: hxxp://192.168.1.1:5431/dyndev/uuid:0000b018-d0a0-00b0-f0a0-486800b808b0

Cache-Control:max-age=1800

ST:upnp:rootdevice

USN:uuid:0000b018-d0a0-00b0-f0a0-486800b808b0::upnp:rootdevice

….E(.iw.@.:…..M…w..l.P.U#.HTTP/1.1 200 OK

Server: Custom/1.0 UPnP/1.0 Proc/Ver

EXT:

Location: hxxp://192.168.1.254:5431/dyndev/uuid:0000e0f8-20a0-00e0-80a0-48b8005808e0

Cache-Control:max-age=1800

ST:urn:schemas-upnp-org:device:InternetGatewayDevice:1

USN:uuid:0000e0f8-20a0-00e0-80a0-48b8005808e0::urn:schemas-upnp-org:device:InternetGatewayDevice:1

….E… .@.9.:.l*} ..w..l.P..Z.HTTP/1.1 200 OK

Server: Custom/1.0 UPnP/1.0 Proc/Ver

EXT:

Location: hxxp://192.168.1.1:5431/dyndev/uuid:0000b018-d0a0-00b0-f0a0-486800b808b0

Cache-Control:max-age=1800

ST:upnp:rootdevice

USN:uuid:0000b018-d0a0-00b0-f0a0-486800b808b0::upnp:rootdevice

….E…..@.8…l^M.0..w..l.P… HTTP/1.1 200 OK

Server: Custom/1.0 UPnP/1.0 Proc/Ver

EXT:

Location: hxxp://192.168.1.1:5431/dyndev/uuid:0000b018-d0a0-00b0-f0a0-486800b808b0

Cache-Control:max-age=1800

ST:upnp:rootdevice

USN:uuid:0000b018-d0a0-00b0-f0a0-486800b808b0::upnp:rootdevice

….E..(..@.6….v.S..w..l.P… HTTP/1.1 200 OK

Server: Custom/1.0 UPnP/1.0 Proc/Ver

EXT:

Location: hxxp://192.168.1.1:5431/dyndev/uuid:cc5d4e7c-2f41-412f-7c4e-5dcc5d7c4100

Cache-Control:max-age=1800

ST:uuid:cc5d4e7c-2f41-412f-7c4e-5dcc5d7c4101

USN:uuid:cc5d4e7c-2f41-412f-7c4e-5dcc5d7c4101

….E…Bk@.8.i.d 5…w..l.P….HTTP/1.1 200 OK

Server: Custom/1.0 UPnP/1.0 Proc/Ver

EXT:

Location: hxxp://192.168.1.1:5431/dyndev/uuid:0000b018-d0a0-00b0-f0a0-486800b808b0

Cache-Control:max-age=1800

ST:upnp:rootdevice

USN:uuid:0000b018-d0a0-00b0-f0a0-486800b808b0::upnp:rootdevice

….E..O..@.8.

..3….w..l.P.; *HTTP/1.1 200 OK

Server: Custom/1.0 UPnP/1.0 Proc/Ver

EXT:

Location: hxxp://192.168.1.1:5431/dyndev/uuid:0000b018-d0a0-00b0-f0a0-486800b808b0

Cache-Control:max-age=1800

ST:urn:schemas-upnp-org:device:WANDevice:1

USN:uuid:0000b018-d0a0-00b0-f0a0-486801b8f8d8::urn:schemas-upnp-org:device:WANDevice:1

….E..gw.@.7…l(….w..l.P.S

3HTTP/1.1 200 OK

Server: Custom/1.0 UPnP/1.0 Proc/Ver

EXT:

Location: hxxp://192.168.1.1:5431/dyndev/uuid:0000b018-d0a0-00b0-f0a0-486800b808b0

Cache-Control:max-age=1800

ST:urn:schemas-upnp-org:device:InternetGatewayDevice:1

USN:uuid:0000b018-d0a0-00b0-f0a0-486800b808b0::urn:schemas-upnp-org:device:InternetGatewayDevice:1

….E….[@.7.qrl(….w..l.P..+^HTTP/1.1 200 OK

Server: Custom/1.0 UPnP/1.0 Proc/Ver

EXT:

Location: hxxp://192.168.1.1:5431/dyndev/uuid:0000b018-d0a0-00b0-f0a0-486800b808b0

Cache-Control:max-age=1800

ST:upnp:rootdevice

USN:uuid:0000b018-d0a0-00b0-f0a0-486800b808b0::upnp:rootdevice

….E(.*w.@.:…..M…w..l.P…gHTTP/1.1 200 OK

Server: Custom/1.0 UPnP/1.0 Proc/Ver

EXT:

Location: hxxp://192.168.1.254:5431/dyndev/uuid:0000e0f8-20a0-00e0-80a0-48b8005808e0

Cache-Control:max-age=1800

ST:uuid:0000e0f8-20a0-00e0-80a0-48b801582808

USN:uuid:0000e0f8-20a0-00e0-80a0-48b801582808

….E..( .@.9.:.l*} ..w..l.P…8HTTP/1.1 200 OK

Server: Custom/1.0 UPnP/1.0 Proc/Ver

EXT:

Location: hxxp://192.168.1.1:5431/dyndev/uuid:0000b018-d0a0-00b0-f0a0-486800b808b0

Cache-Control:max-age=1800

ST:uuid:0000b018-d0a0-00b0-f0a0-486800b808b0

USN:uuid:0000b018-d0a0-00b0-f0a0-486800b808b0

….E…’.@.8….<….w..l.P…~HTTP/1.1 200 OK

Server: Custom/1.0 UPnP/1.0 Proc/Ver

EXT:

Location: hxxp://192.168.1.1:5431/dyndev/uuid:0000b018-d0a0-00b0-f0a0-486800b808b0

Cache-Control:max-age=1800

ST:upnp:rootdevice

USN:uuid:0000b018-d0a0-00b0-f0a0-486800b808b0::upnp:rootdevice

You can see that the source port for the attack is 1900 (SSDP). Make sure your ACLs block inbound UDP traffic with source port 1900 at your border; SSDP discovery is a local-network protocol and has no business arriving from the Internet. If you want to detect this type of attack on your network, it is very simple to write a Snort rule; here is a sample SSDP DrDoS attack Snort rule:

alert udp any 1900 -> $HOME_NET any (msg:"Possible SSDP DrDoS attack"; content:"HTTP/1.1 200 OK"; depth:15; content:"Location:"; nocase; content:"USN:uuid:"; nocase; reference:url,www.computersecurity.org; classtype:attempted-dos; sid:1000001; rev:1;)

That is overkill but should work just fine. You could tighten it with a threshold modifier (detection_filter in newer Snort releases) or with offset, depth and distance on the content matches, but a few content matches should do the trick. Keep the content matches case-insensitive (nocase), because many devices send LOCATION: and USN: in upper case, and use a sid of 1000000 or higher for local rules, since lower numbers are reserved for the distributed rule sets.
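To check what the rule's content matches actually see, here is an added Python example (not from the original post) that parses SSDP 200 OK replies like the ones in the dump above, applies the same test as the rule, and counts reflectors and reflected bytes the way a responder would. The sample packets are constructed; the 203.0.113.x addresses are documentation-range placeholders, not real reflectors.

```python
from collections import Counter

def parse_ssdp_response(payload: bytes) -> dict:
    """Headers of an SSDP 'HTTP/1.1 200 OK' reply (names lower-cased), else {}."""
    text = payload.decode("ascii", errors="replace")
    lines = text.split("\r\n") if "\r\n" in text else text.split("\n")
    if not lines[0].startswith("HTTP/1.1 200 OK"):
        return {}
    headers = {}
    for line in lines[1:]:
        if not line.strip():            # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def is_reflected_ssdp(src_port: int, payload: bytes) -> bool:
    """The post's Snort rule as a predicate: a 200 OK from UDP source port 1900
    with Location: and USN:uuid: headers (case-insensitive: many devices upper-case them)."""
    if src_port != 1900:
        return False
    h = parse_ssdp_response(payload)
    return "location" in h and h.get("usn", "").lower().startswith("uuid:")

def summarize(packets) -> dict:
    """packets: iterable of (src_ip, src_port, payload). Returns matching datagrams,
    distinct reflector IPs, bytes reflected at us and the device types (ST) abused."""
    reflectors, st_types = Counter(), Counter()
    matched = reflected_bytes = 0
    for src_ip, src_port, payload in packets:
        if not is_reflected_ssdp(src_port, payload):
            continue
        matched += 1
        reflected_bytes += len(payload)
        reflectors[src_ip] += 1
        st_types[parse_ssdp_response(payload).get("st", "?")] += 1
    return {"matched": matched, "unique_reflectors": len(reflectors),
            "reflected_bytes": reflected_bytes, "st_types": dict(st_types)}

# Constructed sample: one reply copied from the dump above, two reflectors in the
# 203.0.113.0/24 documentation range, and one non-SSDP datagram as a control.
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nServer: Custom/1.0 UPnP/1.0 Proc/Ver\r\nEXT:\r\n"
                b"Location: http://192.168.1.1:5431/dyndev/uuid:0000b018-d0a0-00b0-f0a0-486800b808b0\r\n"
                b"Cache-Control:max-age=1800\r\nST:upnp:rootdevice\r\n"
                b"USN:uuid:0000b018-d0a0-00b0-f0a0-486800b808b0::upnp:rootdevice\r\n\r\n")
SAMPLE_PACKETS = [("203.0.113.10", 1900, SAMPLE_REPLY), ("203.0.113.10", 1900, SAMPLE_REPLY),
                  ("203.0.113.11", 1900, SAMPLE_REPLY.replace(b"ST:upnp:rootdevice",
                   b"ST:urn:schemas-upnp-org:device:InternetGatewayDevice:1")),
                  ("203.0.113.12", 53, b"\x12\x34\x81\x80")]
```

Feeding it real capture data means extracting (src_ip, src_port, payload) from each UDP datagram, for example from a pcap; the ST breakdown tells you which device classes the reflectors are, which is useful when notifying their operators.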
