Surging DDoS Amplifications Use Millions of Connected Devices

Device vendors, internet service providers, and enterprises are all at risk of massive distributed denial of service (DDoS) attacks involving the harnessing of millions of universal plug and play (UPnP) devices, according to Akamai’s Prolexic Security Engineering & Response Team (PLXsert).

The firm has issued an advisory detailing the use of a new reflection and amplification DDoS attack that deliberately misuses communications protocols that come enabled on millions of home and office devices, including routers, media servers, web cams, smart TVs and printers.

The protocols allow devices to discover each other on a network, establish communication and coordinate activities. DDoS attackers are now abusing these protocols on Internet-exposed devices to launch attacks that generate floods of traffic and cause website and network outages at enterprise targets.

"Malicious actors are using this new attack vector to perform large-scale DDoS attacks,” said Stuart Scholly, senior vice president and general manager for the security business unit at Akamai. “PLXsert began seeing attacks from UPnP devices in July, and they have become common.”

He added, “The number of UPnP devices that will behave as open reflectors is vast, and many of them are home-based Internet-enabled devices that are difficult to patch. Action from firmware, application and hardware vendors must occur in order to mitigate and manage this threat.”

In fact, PLXsert found that 4.1 million Internet-facing UPnP devices are potentially vulnerable to being employed in this type of reflection DDoS attack – about 38% of the 11 million devices in use around the world. PLXsert will share the list of potentially exploitable devices to members of the security community in an effort to collaborate with cleanup and mitigation efforts of this threat.

PLXsert replicated an attack of this type in a lab environment, demonstrating how attackers produce reflection and amplification DDoS attacks using UPnP-enabled devices. Essentially, the Simple Object Access Protocol (SOAP) is used to deliver control messages to UPnP devices and pass information back and forth. Attackers have discovered that SOAP requests can be crafted to elicit a response that reflects and amplifies a packet, which can be redirected towards a target. By employing a great number of devices, attackers create large quantities of attack traffic that can be aimed at selected targets.

The mechanism is the latest in amplification techniques. Other traffic-boosting gambits include NTP reflection attacks, and, recently, a surge in Simple Service Discovery Protocol (SSDP) attacks, as we reported earlier in the month.

“These attacks are an example of how fluid and dynamic the DDoS crime ecosystem can be,” explained Scholly. “Malicious actors identify, develop and incorporate new resources and attack vectors into their arsenals. It’s predictable that they will develop, refine and monetize these UPnP attack payloads and tools in the near future.”

What’s Hot on Infosecurity Magazine?