
What is a SSDP DDoS Attack?

Simple Service Discovery Protocol (SSDP) is a network protocol used to scan for, or search for, available network devices. SSDP underlies the discovery of Universal Plug and Play (UPnP) devices and lets computer systems and network-based devices communicate easily over UDP port 1900. UPnP devices include routers, printers, media servers, IP cameras, smart TVs, home automation systems, network storage servers, etc.

A Simple Service Discovery Protocol (SSDP) DDoS attack is a reflection-based DDoS attack in which the attacker first exploits vulnerable Universal Plug and Play (UPnP) devices, spoofs IP addresses and forms a botnet. The attacker then uses this botnet to flood a target’s network infrastructure and bring down its web resources.

How does SSDP DDoS attack work?

1. To carry out an SSDP DDoS attack, the attacker first scans for any available Universal Plug and Play (UPnP) devices that can be exploited.
2. The available UPnP devices that respond to the attacker’s request are then listed.
3. The attacker then creates User Datagram Protocol (UDP) packets which contain the spoofed IP address of the victim.
4. The spoofed discovery packet carrying an M-SEARCH request is then sent to each UPnP device through a botnet. The request is crafted to fetch as much data as possible in response, by setting the search target (ST) value to ssdp:rootdevice or ssdp:all.
5. As a result, each UPnP device sends the target victim a response amplified up to about 30 times the size of the attacker’s request.
6. This leads to a denial of service for legitimate traffic, as the target is flooded with the large volume of traffic received from all the UPnP devices.

How can SSDP DDoS attack be mitigated?

The following measures can be implemented to mitigate SSDP DDoS attacks:

1. Behavioral DoS (BDoS) mitigation can be installed, which analyzes traffic behavior using machine learning and data analysis. If an abnormal rate of traffic is observed, the BDoS protection automatically identifies the suspicious traffic and creates real-time signatures. The incoming UDP traffic is then analyzed and mitigated with the help of these real-time signatures.
2. Incoming UDP traffic on port 1900 can be filtered, or blocked outright, with the help of a network firewall.
3. DDoS mitigation solutions can be adopted to monitor and mitigate various types of DDoS attacks.
4. Another way to mitigate an SSDP DDoS attack is Connection Limit Protection, which limits the connection rate of all UDP traffic with source port 1900. This prevents a high rate of abnormal SSDP traffic.
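As an added illustration (not code from the original post or from haltDos), the Python below shows the two sides of the reflection pattern described above on a constructed packet sample: a detector that flags a host receiving UDP replies from source port 1900 from many distinct devices within one second, and a simplified per-destination byte budget standing in for the connection-limit mitigation in item 4. Thresholds, field layout and addresses are assumptions.

```python
from collections import defaultdict

SSDP_PORT = 1900

# Constructed sample of inbound UDP packets: (timestamp_s, src_ip, src_port,
# dst_ip, dst_port, payload_bytes). Five large replies from five different UPnP
# devices, all with source port 1900, hitting one host inside the same second is
# the reflection signature; a single SSDP reply and a DNS reply are left alone.
SAMPLE_PACKETS = [
    (100.1, "198.51.100.10", 1900, "203.0.113.5", 44123, 3200),
    (100.2, "198.51.100.11", 1900, "203.0.113.5", 44123, 2900),
    (100.3, "198.51.100.12", 1900, "203.0.113.5", 44123, 3100),
    (100.4, "198.51.100.13", 1900, "203.0.113.5", 44123, 3000),
    (100.5, "198.51.100.14", 1900, "203.0.113.5", 44123, 3300),
    (100.6, "192.0.2.7", 1900, "203.0.113.9", 50001, 400),   # one benign reply
    (100.7, "192.0.2.53", 53, "203.0.113.5", 51234, 120),     # not SSDP at all
]


def detect_ssdp_reflection(packets, window_s=1.0, min_reflectors=3, min_bytes=8000):
    """Per destination and time window, count distinct senders using source port
    1900 and the bytes they delivered. Return (dst_ip, window_start, reflectors,
    bytes) for every bucket that crosses both assumed thresholds."""
    buckets = defaultdict(lambda: {"srcs": set(), "bytes": 0})
    for ts, src, sport, dst, _dport, size in packets:
        if sport != SSDP_PORT:
            continue
        window = int(ts // window_s) * window_s
        buckets[(dst, window)]["srcs"].add(src)
        buckets[(dst, window)]["bytes"] += size
    return [
        (dst, window, len(b["srcs"]), b["bytes"])
        for (dst, window), b in sorted(buckets.items())
        if len(b["srcs"]) >= min_reflectors and b["bytes"] >= min_bytes
    ]


def rate_limit_ssdp(packets, window_s=1.0, max_bytes_per_dst=4000):
    """Simplified 'Connection Limit Protection': per destination and window, pass
    inbound source-port-1900 bytes up to a budget and drop the excess. Traffic
    from any other source port is passed untouched. Returns (passed, dropped)."""
    spent = defaultdict(int)
    passed, dropped = [], []
    for pkt in packets:
        ts, _src, sport, dst, _dport, size = pkt
        key = (dst, int(ts // window_s))
        if sport == SSDP_PORT and spent[key] + size > max_bytes_per_dst:
            dropped.append(pkt)
            continue
        if sport == SSDP_PORT:
            spent[key] += size
        passed.append(pkt)
    return passed, dropped
```

In the sample, only 203.0.113.5 is flagged, and the budget lets the first reply through while dropping the four that follow, which is the behavior a real rate limiter would show on a reflected flood.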

The post What is a SSDP DDoS Attack? appeared first on haltDos Blog - WAF | DDoS Mitigation | Load Balancing.


