Instant Analysis of a DDoS Attack Using SSDP Protocol (Simple Service Discovery Protocol)
A Simple Service Discovery Protocol (SSDP) attack is a reflection-based distributed denial-of-service (DDoS) attack that can exploit Universal Plug and Play (UPnP) networking protocols to send a huge amount of traffic to a targeted victim, overpowering the target’s infrastructure and take their web resource offline.
How does an SSDP Protocol Attack Work?
The SSDP protocol is generally used to allow UPnP devices to broadcast their existence to other devices on the network. For instance, when a UPnP printer is linked to a network and it receives an IP address, the printer advertises its services to computers on the network by sending a message to a special IP address known as a multicast address. This multicast address is then responsible for telling all the computers on the network about the new printer. After receiving the discovery message, a computer requests the printer to get a complete list of its services. The printer then responds directly back to the computer with that list. An SSDP Protocol attack exploits that final request for services by directing the device to respond to the targeted victim.
Steps of a Typical SSDP DDoS Attack
Here’s what happens during a typical SSDP DDoS attack:
- The attacker performs a scan, looking for plug-and-play devices that can be used as amplification factors.
- As the attacker discovers networked devices, they develop a list of all the devices that respond.
- The attacker makes a UDP packet with the spoofed IP address of the target victim.
- The attacker uses a botnet to send a spoofed discovery packet to each plug-and-play device with a request for as much data as possible by setting specific flags, particularly ssdp:rootdevice or ssdp:all.
- Each device sends a reply to the targeted victim with data up to about 30 times larger than the attacker’s request.
- The target receives a huge volume of traffic from all the devices and becomes overwhelmed, possibly resulting in denial-of-service to legitimate traffic.
Prevent SSDP Protocol DDoS Attacks Using Comodo cWatch
Comodo cWatch is a Managed Security Service, ideal for websites and applications, that provides a Web Application Firewall (WAF) provisioned over a Secure Content Delivery Network (CDN). cWatch is fully managed by a Cyber Security Operation Center (CSOC) of always-available certified security analysts and is powered by a Security Information and Event Management (SIEM) system that can leverage data from more than 85 million endpoints to detect and mitigate threats even before they occur.
Comodo cWatch also provides malware detection scanning, preventive methods, and removal services to enable organizations to proactively protect their business and brand reputation from infections and attacks. cWatch Web is available with a WAF capable of eliminating application vulnerabilities and protecting web applications and websites against advanced attacks including but not limited to DDoS, Cross-Site Scripting, and SQL Injection. Combined with services like vulnerability scanning, malware scanning, and automatic virtual patching and hardening engines, the Comodo WAF provides robust security that is completely managed for customers as part of the Comodo cWatch Web solution.
Key Features Offered by cWatch:
. Secure Content Delivery Network (CDN): A global system of distributed servers to enhance the performance of web applications and websites
. Malware Monitoring and Remediation: Detects malware, provides the methods and tools to remove it, and prevents future malware attacks
. Cyber Security Operations Center (CSOC): A team of always-on certified cybersecurity professionals providing 24x7x365 surveillance and remediation services
. Web Application Firewall (WAF): Powerful, real-time edge protection for websites and web applications providing advanced security, filtering, and intrusion protection
. Security Information and Event Management (SIEM): Advanced intelligence capable of leveraging current events and data from 85M+ endpoints and 100M+ domains
. PCI Scanning: Enables service providers and merchants to stay in compliance with PCI DSS