Menu
I'm implementing a device that ought to respond to SSDP M-SEARCH queries.
I'm a device vendor and I don't have control where these devices will be deployed.
There's a known DDoS attack that uses SSDP search amplification, that is attacker sends search requests from a fake address and poorly coded SSDP server responds to that fake address. Fake address ends up hammered.
What should I do to prevent my device from being used in such an attack?
Wrt 1. TTL ought to configurable per SSDP spec; Even if it's quite low responses still leak out of local network. If there's a bridged VPN on the network, responses leak out quite far.
Wrt 2. I can imagine corporate networks where multiple subnets are reachable (e.g. one subnet for wireless clients, another for desktops, yet another for servers) and thus my device must be searchable across subnets (though subject to TTL per spec).
Wrt 3. Configuration and maintenance hassle.
Wrt 4. Is there a reliable way to do that? What about IPv6? What about networks that have e.g. /28 slice of global addresses?
Wrt 5. A trickle from a myriad devices still amounts to a torrent...
Ref: https://blog.sucuri.net/2014/09/quick-analysis-of-a-ddos-attack-using-ssdp.html
209
How is a SSDP Attack mitigated? For network administrators, a key mitigation is to block incoming UDP traffic on port 1900 at the firewall. Provided the volume of traffic isn't enough to overwhelm the network infrastructure, filtering traffic from this port will likely be able to mitigate such an attack.
A reflection amplification attack is a technique that allows attackers to both magnify the amount of malicious traffic they can generate and obscure the sources of the attack traffic. This type of distributed denial-of-service (DDoS) attack overwhelms the target, causing disruption or outage of systems and services.
An amplification attack is a two-part DDoS attack that generally uses the User Datagram Protocol (UDP). An attacker first sends a large number of small requests to unsuspecting third-party servers on the internet.
Source IP Verification Because the DNS queries being sent by the attacker-controlled clients must have a source address spoofed to appear as the victim's system, the first step to reducing the effectiveness of DNS amplification is for Internet Service Providers to reject any DNS traffic with spoofed addresses.
Another option would be not to reply to unicast requests at all. I cannot give you a source explicitly stating that this is allowed, though. One of the drafts certainly reads as if it was, and it'd make sense if it was, too: It's a discovery protocol, after all.
Since multicast is not routed by default in any sane default configuration and 239.0.0.0/8 is organization-local, you can safely assume that requests arriving on the multicast address are genuine. (Unless of course you have an attacker in your own network, but that's a different problem.)
On Linux, incoming UDP packet can be inspected using IP_PKTINFO socket option to validate that it was in fact sent to a multicast address:
https://stackoverflow.com/a/5309155/705086 http://www.linuxquestions.org/questions/programming-9/how-to-get-destination-address-of-udp-packet-600103/
89
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
