SSDP DDoS Attacks On the Rise as NTP Amplification Fades

NTP reflection attacks may be on the wane when it comes to distributed denial of service (DDoS) campaigns, but they’ve been replaced by a surge in Simple Service Discovery Protocol (SSDP) attack, according to new data from Arbor Networks.

As always, the DDoS mitigation firm used its network of 300 service provider customers to collect anonymous traffic data in order to gain a comprehensive view of Q3 global attack trends through its ATLAS system.

It found that 4% of all attacks and 42% of all attacks greater than 10Gbps used SSDP reflection during the quarter.

SSDP attacks use source port 1900. Only three events were tracked in the whole of Q2 while that rose to a whopping 29,506 in the past three months.

In comparison, NTP reflection attacks continued to decline since their Q1 high – they comprised just 5% of overall attacks in Q3, down from 6% in Q2 and 14% in the first three months of the year.

However, they still comprised over half (54.5%) of attacks in excess of 100 Gbps.

While NTP attacks have been reduced thanks to an awareness raising campaign around patching vulnerable servers, the same might not be possible for SSDP, warned Arbor director of solutions architects, Darren Anstee. 

"Since a lot of the exploitable devices are home CPE devices it would be ‘possible' to upgrade them to newer firmware which wasn’t exploitable in this way from the internet, or in some cases change their configuration to stop this," he told Infosecurity.

"However I think this is pretty unlikely as many home users don’t upgrade the firmware on their internet gateways or know how to change the configuration. Also some devices will be older and newer firmware with the relevant changes may not be available." 

More generally, Arbor found that large volumetric attacks are still on the rise - there’ve been 133 over 100Gbps this year so far and Q3 saw 16.5% of all attacks above 1Gbps, up from 15.3% in Q2.

What’s Hot on Infosecurity Magazine?