Reflection DDoS Attacks Using Millions of UPnP Devices on the Rise
After successful in launching reflection and amplification Distributed Denial-of-Service (DDoS) attacks by abusing various protocols such as DNS, NTP and SMTP, hackers are now abusing Simple Service Discovery Protocol (SSDP) – part of the UPnP protocol standard – to target home and office devices, researchers warned.

SSDP is a network protocol based on the Internet Protocol Suite that comes enabled on millions of networked devices, such as computers, printers, Internet gateways, Router / Wi-Fi access points, mobile devices, webcams, smart TVs and gaming consoles, to discover each other and automatically establish working configurations that enable data sharing, media streaming, media playback control and other services.

Prolexic Security Engineering & Response Team (PLXsert) at Akamai Technologies have issued a warning that the devices use in residential or small office environments are being co-opted into reflection and amplification distributed denial-of-service (DDoS) attacks since July that abuse communications protocols enabled on UPnP devices.
"The rise of reflection attacks involving UPnP devices in an example of how fluid and dynamic the DDoS crime ecosystem can be in identifying, developing and incorporating new resources and attack vectors into its arsenal," the advisory states. "Further development and refinement of attack payloads and tools is likely in the near future."
The weakness in the Universal Plug-and-Play (UPnP) standard could allow an attacker to compromise millions of its consumer and business devices, which could be conscripted by them to launch an effective DDoS attack on a target.

Attackers have found that Simple Object Access Protocol (SOAP) – protocol used to exchange sensitive information in a decentralized, distributed environment – requests "can be crafted to elicit a response that reflects and amplifies a packet, which can be redirected towards a target."

This UPnP attack is useful for both reflection attacks, given the number of vulnerable devices, and amplification as researchers estimate that it can magnify attack traffic by a factor of 30, according to the advisory.

According to the security researchers, about 38 percent of the 11 million Internet-facing UPnP devices, i.e. over 4.1 million devices, in use are potentially vulnerable to being used in this type of reflection DDoS attack.
"The number of UPnP devices that will behave as open reflectors is vast, and many of them are home-based Internet-enabled devices that are difficult to patch," said Akamai security business unit senior vice president and general manager Stuart Scholly. "Action from firmware, application and hardware vendors must occur in order to mitigate and manage this threat."
South Korea has the largest number of vulnerable devices, followed by the United States, Canada, and China, according to the advisory.

This isn't the first time when a security flaw in UPnP has allowed attackers to target home and business devices, back in January 2013, a flaw in UPnP exposed more than 50 millions computers, printers and storage drives to attack by hackers remotely.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.