DDoS attackers start using SSDP to fuel large reflection attacks

Arbor spots 30,000 attacks using protocol

The little-known Simple Service Discovery Protocol (SSDP) has become the latest obscure-but-occasionally-useful protocol to be harnessed by DDoS attackers, according to Arbor Networks' Q3 traffic report.

It could easily be assumed that one quarter's DDoS statistics are much like any other's, and for a while that was true - the average size of attacks simply increased over time. But in the last two years, odd innovations have started to appear, usually quite suddenly.

After a period in which DNS, NTP and SNMP were used with varying degrees of effectiveness to generate huge reflection attacks, the UPnP SSDP protocol became the latest to attract the wrong sort of attention between July and September.

From almost nothing, SSDP reflection was behind 30,000 attacks in the quarter, with one peaking at 124Mbps, the firm said. Forty-two percent of all attacks larger than 10Gbps abused this protocol during September.

"Everyone is aware of the huge storm of NTP reflection DDoS attacks in Q1 and early Q2, but although NTP reflection is still significant there isn't as much going on now as there was - unfortunately, it is looking more and more like SSDP will be the next protocol to be exploited in this way," said Arbor's director of solutions architects, Darren Anstee.

First used in the late 1990s in Windows 98, SSDP was a way for client software to discover which PCs, servers and services were nearby, using ports 1900 or 5000. The same SSDP service still exists for UPnP in Windows 8.1.
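Reflection works because a device answering SSDP on UDP/1900 replies to whatever source address the request carries, so a spoofed request makes it send the (larger) response to the victim. The script below is an added example, not from the article or from Arbor Networks, showing how a defender can spot both sides of that pattern in flow records: an internal host being flooded with SSDP responses from many distinct outside addresses, and an internal device that answers SSDP queries to the Internet and should be blocked at the edge. The record layout, the internal address ranges and the sample flows are all assumptions constructed for this example.

```python
"""Flag SSDP (UDP/1900) reflection patterns in simplified flow records.

Added example (not the article's or Arbor's code). Assumes NetFlow-style
CSV records with the fields:
    ts,src_ip,src_port,dst_ip,dst_port,proto,bytes,packets
The address ranges and the sample flows below are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

SSDP_PORT = 1900
# Assumed address space of "our" network for this example.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample flows (not real traffic):
#  - 10.0.0.5 receives SSDP responses from four distinct outside hosts
#    it never queried: the victim side of a reflection attack.
#  - 10.0.0.7 gets a single SSDP response: noise, below the threshold.
#  - 192.168.1.20 answers SSDP to two Internet addresses: an exposed
#    responder that is usable as a reflector.
#  - 192.168.1.21/.22 do normal LAN discovery (multicast M-SEARCH and reply).
SAMPLE_FLOWS = """\
1412000000,203.0.113.10,1900,10.0.0.5,80,udp,1200,3
1412000000,203.0.113.11,1900,10.0.0.5,80,udp,1300,3
1412000001,203.0.113.12,1900,10.0.0.5,80,udp,1250,3
1412000001,203.0.113.13,1900,10.0.0.5,80,udp,1100,3
1412000002,203.0.113.50,1900,10.0.0.7,40001,udp,400,1
1412000003,192.168.1.20,1900,198.51.100.9,53000,udp,900,2
1412000003,192.168.1.20,1900,198.51.100.10,53001,udp,950,2
1412000004,192.168.1.21,54000,239.255.255.250,1900,udp,150,1
1412000004,192.168.1.22,1900,192.168.1.21,54000,udp,600,1
"""


def parse_flows(text):
    """Parse the CSV records into dicts with typed fields."""
    flows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        ts, sip, sport, dip, dport, proto, nbytes, pkts = line.split(",")
        flows.append({
            "ts": int(ts), "src_ip": sip, "src_port": int(sport),
            "dst_ip": dip, "dst_port": int(dport), "proto": proto,
            "bytes": int(nbytes), "packets": int(pkts),
        })
    return flows


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)


def is_ssdp_response(flow):
    """SSDP answers come from UDP source port 1900."""
    return flow["proto"] == "udp" and flow["src_port"] == SSDP_PORT


def find_reflection_victims(flows, min_reflectors=3):
    """Internal hosts receiving SSDP responses from many distinct outside
    addresses. Returns {dst_ip: (reflector_count, total_bytes)}."""
    per_dst = defaultdict(lambda: [set(), 0])
    for f in flows:
        if (is_ssdp_response(f) and is_internal(f["dst_ip"])
                and not is_internal(f["src_ip"])):
            per_dst[f["dst_ip"]][0].add(f["src_ip"])
            per_dst[f["dst_ip"]][1] += f["bytes"]
    return {dst: (len(srcs), total) for dst, (srcs, total) in per_dst.items()
            if len(srcs) >= min_reflectors}


def find_exposed_responders(flows):
    """Internal devices that sent SSDP responses to outside addresses,
    i.e. hosts reachable on UDP/1900 from the Internet. Returns
    {src_ip: total_bytes}."""
    out = defaultdict(int)
    for f in flows:
        if (is_ssdp_response(f) and is_internal(f["src_ip"])
                and not is_internal(f["dst_ip"])):
            out[f["src_ip"]] += f["bytes"]
    return dict(out)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("reflection victims:", find_reflection_victims(flows))
    print("exposed SSDP responders:", find_exposed_responders(flows))
```

The multicast M-SEARCH from 192.168.1.21 and the LAN reply from 192.168.1.22 are deliberately left unflagged: ordinary UPnP discovery uses an ephemeral source port for the query and stays inside the site, so the two checks only trigger on traffic that crosses the site boundary with source port 1900. The `min_reflectors` threshold and the internal ranges would be tuned to the site; the fix for an exposed responder is to drop inbound UDP/1900 at the border, since SSDP has no legitimate reason to be reachable from the Internet.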

Which is not to say that NTP is off the menu - half of all very large attacks (100Gbps and over) still used NTP as the method during the quarter, Arbor said.

The peak attack size was a humongous 254Gbps, with a total of 133 attacks breaching the 100Gbps threshold. The top three targets were the US, France and Denmark.

"Organisations should take heed and ensure that their DDoS defense is multi-layered, and designed to deal with both attacks that can saturate their connectivity, and more stealthy, sophisticated application layer attacks," said Anstee.

Easier said than done.

Stories by John E. Dunn