What is an SSDP DDoS Attack?

A Simple Service Discovery Protocol (SSDP) attack is a type of Distributed Denial of Service (DDoS) attack. DDoS attacks seek to flood a specific target on a network with traffic from many machines at once, typically zombie machines (machines under the attacker's control, functioning as a botnet). The goal is to disrupt the activity of that target.
SSDP itself is not the target. It is a protocol used in private homes and businesses whose primary function is to discover Universal Plug and Play (UPnP) devices. In an SSDP attack, UPnP devices that answer SSDP queries from the internet are abused as reflectors: they send their replies to the victim instead of to the attacker, and those replies are much larger than the queries that triggered them.

Envision this scenario. You are playing an online competitive FPS on a Friday night. You happen to be demolishing the competition and ranking high on the leaderboards.

Your competition isn’t too happy about this and threatens to retaliate unless you stop competing. Thinking nothing of it, you continue your total online gaming domination.

Suddenly your connection starts to lag. Your ping climbs, packets drop, and the next thing you know you are knocked offline and the game is ruined.
What just happened?
An SSDP DDoS attack.


How does an SSDP Attack work?

In an SSDP attack, also known as an SSDP reflection attack with amplification, a normal feature of the protocol is turned against the victim. SSDP runs over UDP, which has no handshake, so a device that receives an SSDP search request (an M-SEARCH) simply replies to whatever source IP address the request claims to come from. The attacker sends search requests with the source address forged to be the victim's, and every UPnP device that is reachable from the internet replies to the victim instead of the attacker. Each reply is larger than the request, and a single request can trigger several replies, so the victim's connection is flooded with far more traffic than the attacker had to send.

6 Steps of a Typical SSDP DDoS Attack

  • The threat actor (aka hacker) scans the internet for devices that answer SSDP queries on UDP port 1900. These are UPnP devices (often home routers, printers and media devices) whose owners have left UPnP discovery exposed to the outside world instead of confining it to their Local Area Network (LAN).
  • Once a set of responding UPnP devices has been discovered, the threat actor compiles a list of them. These devices become the reflectors for the attack.
  • The threat actor crafts UDP packets containing a spoofed source IP address: the victim's address. UDP allows this attack to function easily because, unlike TCP, there is no three-way handshake (SYN, SYN/ACK, ACK) to prove the sender is who it claims to be, so a continuous stream of forged packets can be sent without any further steps.
  • Using the aforementioned botnet of zombie machines, the threat actor sends the crafted packets to the UPnP devices on the list. The packets are SSDP M-SEARCH requests with a search target such as ssdp:rootdevice or ssdp:all, chosen to elicit as large and as many replies as possible; ssdp:all makes a device answer once for every service it advertises.
  • Each UPnP device replies to the source address in the packet, which is the victim's, not the attacker's. Because of the search target used, the replies carry roughly 30 times more data than the requests that triggered them.
  • The victim's connection is flooded with these reflected replies arriving from many devices at once, and legitimate traffic is crowded out. The victim only ever sees traffic from the UPnP devices, which also hides the attacker's real address.
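The request described in the steps above, and the replies that make it an amplifier, as an added example that is not part of the original article. It builds the actual M-SEARCH payload (the forged source address is set at the IP layer, not in this payload) and parses constructed sample replies shaped like a home router's answers; the LOCATION, SERVER and USN values are placeholders, not a real device, and nothing is sent on the network.

```python
"""Added example (not part of the original article): why an SSDP
M-SEARCH is such an effective amplifier.

Builds the UDP payload an attacker sends (the IP source address, forged to
the victim's, lives in the IP header and is not part of this payload) and
parses constructed sample replies of the kind a home router returns, to
measure how many bytes come back per byte sent. Nothing is transmitted.
"""

SSDP_MULTICAST_ADDR = "239.255.255.250"
SSDP_PORT = 1900


def build_msearch(search_target="ssdp:all", mx=1):
    """Return the HTTPU M-SEARCH datagram for the given search target.

    ST: ssdp:all asks the device to answer once for every service it
    advertises, which is why attackers prefer it over upnp:rootdevice.
    """
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_MULTICAST_ADDR}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {search_target}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_response(datagram):
    """Parse one SSDP search response into a dict of upper-cased headers.

    Raises ValueError for anything that is not an HTTP/1.1 200 reply, so a
    stray M-SEARCH (or garbage) is not mistaken for a reflector's answer.
    """
    text = datagram.decode("ascii", errors="replace")
    status_line, _, rest = text.partition("\r\n")
    if not status_line.startswith("HTTP/1.1 200"):
        raise ValueError(f"not an SSDP search response: {status_line!r}")
    headers = {}
    for line in rest.split("\r\n"):
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return headers


def amplification_factor(request, responses):
    """Bytes the victim receives per byte the attacker sent, measured on
    the UDP payloads (IP/UDP headers would raise the total slightly)."""
    return sum(len(r) for r in responses) / len(request)


def _sample_response(st):
    """Constructed reply shaped like a MiniUPnPd-based router's answer.
    LOCATION, SERVER and USN are placeholders, not a real device."""
    return "\r\n".join([
        "HTTP/1.1 200 OK",
        "CACHE-CONTROL: max-age=1800",
        "EXT:",
        "LOCATION: http://192.168.1.1:49152/rootDesc.xml",
        "SERVER: Linux/3.10 UPnP/1.1 MiniUPnPd/1.9",
        f"ST: {st}",
        f"USN: uuid:00000000-0000-0000-0000-000000000000::{st}",
        "",
        "",
    ]).encode("ascii")


# Constructed sample: the replies one router sends to a single ST: ssdp:all
# query. One request in, one reply out per advertised service.
SAMPLE_RESPONSES = [_sample_response(st) for st in (
    "upnp:rootdevice",
    "urn:schemas-upnp-org:device:InternetGatewayDevice:1",
    "urn:schemas-upnp-org:service:WANIPConnection:1",
    "urn:schemas-upnp-org:service:Layer3Forwarding:1",
)]


if __name__ == "__main__":
    req = build_msearch()
    print(f"request: {len(req)} bytes")
    for r in SAMPLE_RESPONSES:
        h = parse_response(r)
        print(f"  reply {len(r):4d} bytes  ST={h['ST']}")
    print(f"amplification: {amplification_factor(req, SAMPLE_RESPONSES):.1f}x")
```

Even with only four advertised services the reply volume is more than ten times the 94-byte request; a device with more services, or a query repeated from many bots, scales the ratio up from there. The asymmetry is entirely in the protocol, which is why the fix is to keep UDP/1900 off the internet rather than to patch any one device.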

How is an SSDP attack mitigated?

Mitigating an SSDP DDoS attack has two sides. Owners of UPnP devices need to make sure SSDP is not exposed to the internet: UDP port 1900 is the port abused in these attacks, and a firewall rule that drops inbound traffic to UDP port 1900 on the internet-facing interface keeps a device from being used as a reflector (SSDP only needs to work on the local network). On the receiving end, a victim can filter inbound UDP traffic with source port 1900, ideally upstream at the ISP or a DDoS scrubbing service, because the flood may exceed the capacity of the victim's own link before a local firewall ever sees it. A VPN can also be a big help here, because it hides the victim's real IP address from the attacker.
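Both halves of the mitigation above can be checked in a flow log, as an added example that is not part of the original article. The records below are constructed for this example (addresses are from the TEST-NET documentation ranges, not real hosts) and the line format is an assumption; the two detectors flag a host being flooded by SSDP replies and a device receiving SSDP queries from outside the LAN, which is exactly the traffic a WAN-side rule dropping inbound UDP/1900 is meant to stop.

```python
"""Added example (not part of the original article): spotting both sides
of an SSDP reflection attack in a flow log.

Signature 1 (victim side): many distinct sources sending UDP *from*
port 1900 to one destination.
Signature 2 (reflector side): UDP packets *to* port 1900 arriving from
outside the LAN, i.e. this device is reachable as a reflector.
The flow records and their format are constructed for this example.
"""
from collections import Counter, defaultdict, namedtuple
import ipaddress

Flow = namedtuple("Flow", "ts proto src sport dst dport size")

# RFC 1918 and link-local ranges: SSDP only needs to work inside these.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Constructed sample: "timestamp proto src:sport dst:dport bytes".
SAMPLE_FLOWS = """\
# benign: a LAN host running normal UPnP discovery
2024-05-03T21:14:01Z udp 192.168.1.20:51000 239.255.255.250:1900 94
# victim side: SSDP replies from many devices converging on one host
2024-05-03T21:14:02Z udp 198.51.100.23:1900 203.0.113.10:4444 312
2024-05-03T21:14:02Z udp 198.51.100.77:1900 203.0.113.10:4444 298
2024-05-03T21:14:02Z udp 192.0.2.5:1900 203.0.113.10:4444 330
2024-05-03T21:14:02Z udp 192.0.2.130:1900 203.0.113.10:4444 305
# reflector side: an internet host querying our WAN address on UDP/1900
2024-05-03T21:14:03Z udp 198.51.100.9:33201 192.0.2.44:1900 94
# unrelated TCP traffic
2024-05-03T21:14:03Z tcp 203.0.113.10:52310 198.51.100.200:443 1500
"""


def parse_flows(text):
    """Parse the one-line-per-flow format above into Flow tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, proto, src, dst, size = line.split()
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        flows.append(Flow(ts, proto.lower(), src_ip, int(src_port),
                          dst_ip, int(dst_port), int(size)))
    return flows


def is_lan_address(ip):
    """True for RFC 1918 / link-local addresses, where SSDP belongs."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)


def detect_reflection_flood(flows, min_sources=3):
    """Victim-side signature. Returns {destination: (distinct_sources, bytes)}
    for every destination receiving UDP traffic from source port 1900 from
    at least min_sources different addresses. A real client talks to one
    device at a time, not to dozens at once."""
    sources = defaultdict(set)
    volume = Counter()
    for f in flows:
        if f.proto == "udp" and f.sport == 1900:
            sources[f.dst].add(f.src)
            volume[f.dst] += f.size
    return {dst: (len(srcs), volume[dst])
            for dst, srcs in sources.items() if len(srcs) >= min_sources}


def find_exposed_reflector_queries(flows):
    """Reflector-side signature: UDP packets to port 1900 from an address
    outside the LAN. Discovery traffic has no business arriving from the
    internet; each hit means a WAN rule dropping inbound UDP/1900 is missing."""
    return [f for f in flows
            if f.proto == "udp" and f.dport == 1900 and not is_lan_address(f.src)]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for dst, (n, total) in detect_reflection_flood(flows).items():
        print(f"reflection flood: {dst} hit by {n} SSDP sources, {total} bytes")
    for f in find_exposed_reflector_queries(flows):
        print(f"exposed reflector: {f.src}:{f.sport} -> {f.dst}:{f.dport}")
```

The LAN host's own M-SEARCH to 239.255.255.250 is not flagged by either check, which is the point: the firewall rule only needs to stop SSDP crossing the internet boundary, not SSDP as such. The victim-side finding is what to hand to an ISP or scrubbing provider, since filtering on source port 1900 upstream is the only place the flood can be stopped before it saturates the link.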

How does PureVPN mitigate SSDP attacks?

For an SSDP amplification attack to reach you, the threat actor needs to know your real IP address. PureVPN prevents this by masking your IP address from the outside world: other players and anyone else watching your traffic see the address of the VPN server, not the address of your home connection, so reflected traffic aimed at you is aimed at the VPN server instead. With our vast selection of servers and a strong encrypted connection (AES 256-bit), anyone seeking to harm you with an SSDP DDoS will be stopped.

FAQs (Frequently Asked Questions)

What is SSDP?
Simple Service Discovery Protocol is a protocol used for advertising services on a Local Area Network and discovering them. It runs over UDP (port 1900, with discovery requests sent to the multicast address 239.255.255.250) rather than TCP. Because UDP has no handshake, the source address of an SSDP request is never verified, which is what makes the reflection attack possible.
What are UPnP devices?
Universal Plug and Play devices discover each other and announce their services via the Simple Service Discovery Protocol. Examples of UPnP devices include home routers, personal computers, printers, mobile devices, and more.