2025-02-25 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains how SSDP attacks are carried out. Many readers may not be familiar with them, so the key points are summarized below.
An SSDP attack is a reflection-based distributed denial-of-service (DDoS) attack that uses the Universal Plug and Play (UPnP) network protocol to send amplified traffic to the target victim, taking the victim's infrastructure and its Web resources offline.
How does an SSDP attack work?
Under normal circumstances, the SSDP protocol allows UPnP devices to announce their presence to other devices on the network. For example, when a UPnP printer is connected to a typical network and receives an IP address, it can advertise its services to the computers on the network by sending a message to a special IP address called a multicast address. The multicast address then informs all computers on the network of the new printer.
Once a computer hears the discovery message about the printer, it sends the printer a request for a complete description of its services. The printer then responds directly to the computer with a complete list of everything it provides. SSDP attacks exploit this final service request by having the device send its response to the target victim.
The 6 steps of an SSDP DDoS attack:
1. First, the attacker scans for plug-and-play devices that can be used as amplification factors.
2. As attackers discover connected devices, they will create a list of all responding devices.
3. The attacker creates UDP packets using the spoofed IP address of the target victim.
4. The attacker then uses the botnet to send a spoofed discovery packet to each plug-and-play device, setting certain flags (notably ssdp:rootdevice or ssdp:all) to request as much data as possible.
5. As a result, each device sends a reply to the targeted victim that is up to 30 times the size of the attacker's request.
6. The target server then receives a lot of traffic from all devices and is overwhelmed, potentially resulting in denial of service for legitimate traffic.
How can SSDP attacks be mitigated?
For network administrators, an effective mitigation is to configure a high-defense (anti-DDoS) IP that hides the source IP, and to block UDP traffic. Because the UDP requests sent by an attacker's botnet must carry a source IP address spoofed to the victim's IP address, a key factor in reducing the effectiveness of UDP-based amplification attacks is for Internet service providers (ISPs) to reject any internal traffic with spoofed IP addresses. A high-defense IP can therefore be placed in front of the source IP to resist NTP amplification attacks. Anti-DDoS Advanced is a paid value-added service for Internet servers that become unavailable under large-traffic DDoS attacks. Once the anti-DDoS IP is configured, attack traffic is directed to it, which hides the source IP and protects the security and stability of the source site, improving the user experience and user stickiness for content providers.
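A victim-side detection sketch for steps 5 and 6 above, added here as an example and not part of the original article: it flags hosts that receive UDP replies from source port 1900 they never asked for, from several distinct devices within a short window. The flow-record layout, the thresholds, the function name and the sample records are assumptions of this example; UDP port 1900 and the multicast address 239.255.255.250 are SSDP's standard values, which the article does not state.

```python
from collections import defaultdict

SSDP_PORT = 1900  # SSDP's UDP port (protocol fact; the page does not name it)

# Constructed flow records: (time_s, src_ip, src_port, dst_ip, dst_port, proto, bytes).
# All unicast addresses come from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    (1.0, "198.51.100.1", 1900, "203.0.113.10", 80, "udp", 320),
    (1.2, "198.51.100.2", 1900, "203.0.113.10", 80, "udp", 310),
    (1.5, "198.51.100.3", 1900, "203.0.113.10", 80, "udp", 335),
    (2.0, "198.51.100.1", 1900, "203.0.113.10", 80, "udp", 320),
    (5.0, "192.0.2.50", 50000, "239.255.255.250", 1900, "udp", 100),  # real discovery
    (5.3, "192.0.2.1", 1900, "192.0.2.50", 50000, "udp", 300),
    (5.4, "192.0.2.2", 1900, "192.0.2.50", 50000, "udp", 300),
    (5.5, "192.0.2.3", 1900, "192.0.2.50", 50000, "udp", 300),
    (9.0, "198.51.100.9", 1900, "203.0.113.77", 4444, "udp", 300),
]

def find_ssdp_reflection(flows, window_s=10, min_sources=3):
    """Map each likely victim to (distinct reflectors, bytes) in its worst window."""
    asked = defaultdict(list)  # host -> times it sent its own query to port 1900
    for t, src, _sport, _dst, dport, proto, _size in flows:
        if proto == "udp" and dport == SSDP_PORT:
            asked[src].append(t)
    unsolicited = defaultdict(list)  # destination -> [(time, reflector, bytes)]
    for t, src, sport, dst, _dport, proto, size in flows:
        if proto != "udp" or sport != SSDP_PORT:
            continue
        # A reply is solicited only if its destination queried port 1900 just before.
        if any(0 <= t - q <= window_s for q in asked.get(dst, ())):
            continue
        unsolicited[dst].append((t, src, size))
    report = {}
    for victim, events in unsolicited.items():
        events.sort()
        best = (0, 0)
        for i, (t0, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - t0 <= window_s]
            best = max(best, (len({e[1] for e in in_window}),
                              sum(e[2] for e in in_window)))
        if best[0] >= min_sources:
            report[victim] = best
    return report

if __name__ == "__main__":
    for victim, (sources, size) in find_ssdp_reflection(SAMPLE_FLOWS).items():
        print(f"{victim}: {sources} reflectors, {size} bytes of unsolicited SSDP replies")
```

The host at 192.0.2.50 is not reported because it sent its own discovery query shortly before the replies arrived, which is what separates normal UPnP discovery from reflected traffic.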