Do you know what an SSDP DDoS attack is?
An SSDP DDoS attack is a Distributed Denial of Service (DDoS) attack that abuses the Simple Service Discovery Protocol (SSDP). A DDoS attack floods a particular network target with traffic from many zombie machines (attacker-controlled machines acting together as a botnet); the goal is to degrade the performance of a specific target.
SSDP itself is commonly used in homes and private businesses. Its primary function is to discover Universal Plug and Play (UPnP) devices.
How does an SSDP attack work?
The SSDP protocol lets UPnP devices announce their presence to other devices on a network. For example, when a UPnP printer joins a standard network and receives an IP address, it can advertise its services to the computers on that network by sending a message to a special IP address called a multicast address; that one message notifies every computer on the network about the new printer. When a laptop hears such an announcement, it asks the printer for a complete description of its services, and the printer responds directly to that computer with a full list of everything it can offer. An SSDP attack exploits that last request by asking the device to send its response to the target instead of to the real requester.
6 Steps of a Typical SSDP DDoS Attack
- The attacker first scans for Plug and Play devices that can act as amplifiers.
- The attacker finds the devices that answer discovery queries and compiles a list of them.
- The attacker crafts a UDP packet whose source IP address is spoofed to be the target's address.
- Using a botnet, the attacker sends these spoofed discovery packets to every Plug and Play device on the list, requesting as much information as possible by setting special search targets such as upnp:rootdevice or ssdp:all.
- As a result, each device responds to the spoofed target with data that can be up to 30 times larger than the attacker's query.
- Eventually the victim receives a large volume of traffic from all the devices at once and is overwhelmed, failing to process legitimate traffic.
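The exchange described above, as an added example that is not part of the original article: a constructed SSDP M-SEARCH request and the constructed unicast replies a UPnP device might send back, parsed to show where the search target lives and how many bytes come back per byte of request. The messages are built inline for illustration, not captured from any real device; the LOCATION host, SERVER string and USN UUID are placeholders.

```python
"""Added example (not from the original article): what an SSDP discovery
exchange looks like on the wire and why a reflector's reply is larger than the
request. Both messages below are constructed for illustration, not captured
from a real device; the LOCATION host and USN UUID are placeholders."""

# Constructed M-SEARCH request as a client multicasts it to 239.255.255.250:1900.
# ST (search target) ssdp:all asks the device to describe every service it has.
MSEARCH_REQUEST = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 1\r\n"
    "ST: ssdp:all\r\n"
    "\r\n"
)

# Constructed unicast replies. For ST: ssdp:all a device sends one reply per
# root device, embedded device and service type, so one small request can
# produce several replies; two are shown here.
DEVICE_REPLIES = [
    (
        "HTTP/1.1 200 OK\r\n"
        "CACHE-CONTROL: max-age=1800\r\n"
        "EXT:\r\n"
        "LOCATION: http://192.0.2.10:49152/description.xml\r\n"
        "SERVER: ExampleOS/1.0 UPnP/1.1 ExampleDevice/1.0\r\n"
        "ST: upnp:rootdevice\r\n"
        "USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
        "\r\n"
    ),
    (
        "HTTP/1.1 200 OK\r\n"
        "CACHE-CONTROL: max-age=1800\r\n"
        "EXT:\r\n"
        "LOCATION: http://192.0.2.10:49152/description.xml\r\n"
        "SERVER: ExampleOS/1.0 UPnP/1.1 ExampleDevice/1.0\r\n"
        "ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
        "USN: uuid:00000000-0000-0000-0000-000000000000::urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
        "\r\n"
    ),
]


def parse_ssdp(message):
    """Split an SSDP message into its start line and a dict of upper-cased headers."""
    head = message.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return lines[0], headers


def is_discovery_request(message):
    """True for an M-SEARCH carrying the mandatory MAN: "ssdp:discover" header."""
    start, headers = parse_ssdp(message)
    return start.startswith("M-SEARCH") and headers.get("MAN") == '"ssdp:discover"'


def is_discovery_reply(message):
    """True for the HTTP/1.1 200 OK unicast reply a device sends to a searcher."""
    start, headers = parse_ssdp(message)
    return start.startswith("HTTP/1.1 200") and "ST" in headers


def amplification_factor(request, replies):
    """Bytes sent to the (possibly spoofed) source address per byte of request.
    This ratio is what makes a UPnP device useful as a reflector; the article's
    'up to 30 times' figure is an upper bound on it for real devices."""
    reply_bytes = sum(len(r.encode("utf-8")) for r in replies)
    return reply_bytes / len(request.encode("utf-8"))


if __name__ == "__main__":
    print(f"request: {len(MSEARCH_REQUEST.encode())} bytes, "
          f"replies: {sum(len(r.encode()) for r in DEVICE_REPLIES)} bytes, "
          f"factor: {amplification_factor(MSEARCH_REQUEST, DEVICE_REPLIES):.1f}x")
```

The point of the exchange is that nothing in the reply path checks that the source address of the M-SEARCH was genuine: the device answers whoever the UDP header names, which is why the spoofed packet in step three is enough to redirect every reply.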
How to protect a system from an SSDP attack?
System administrators should block all incoming UDP traffic on port 1900 at the network firewall. Such a measure is sufficient only if the attack traffic volume is not enough to saturate the network infrastructure. Attackers often combine SSDP with other types of attack, so network protection requires layered measures.
How does Lectron help protect against SSDP DDoS attacks?
Lectron mitigates SSDP attacks by stopping all attack traffic before it reaches its target: UDP packets to port 1900 are never forwarded to the origin server, and the burden of absorbing the initial traffic falls on our network. We provide complete protection against SSDP and other layer 3 attacks.
While the attack targets a single IP address, our Anycast network spreads the attack traffic across the network until it no longer disrupts service. Lectron uses its scale advantage to distribute the attack load over multiple data centers, balancing the load so that the service is never interrupted and the attack never overwhelms the targeted server infrastructure. During the last six-month window, our DDoS "Gatebot" mitigation system detected 6,329 simple attacks (that is one every 40 minutes), and the network successfully mitigated all of them.