Four Million Plug and Play Devices Become Potential Tools in DDoS Attacks

Millions of home and office devices, including routers, media servers, webcams, smart TVs and printers are vulnerable and can be used to launch large-scale denial-of-service attacks, according to an advisory by cloud provider Akamai.

“The rise of reflection attacks involving UPnP devices is an example of how fluid and dynamic the DDoS crime ecosystem can be”, Akamai says.

Since July 2014, Akamai`s Prolexic Security Engineering & Response Team (PLXsert) found 4.1 million Internet-connected Universal Plug and Play (UPnP) devices that are potentially vulnerable to being used in reflection and amplification DDoS attacks through the abuse of the Simple Service Discovery Protocol (SSDP) – that is about 38 per cent of the 11 million devices in use worldwide.

The SSDP protocol is part of the UPnP standard and comes enabled in millions of devices, allowing them to find and communicate with each other on a network for data sharing, entertainment and other functions. To send messages to and from UPnP devices, networks rely on the Simple Object Access Protocol (SOAP).

To launch an UPnP attack, attackers misuse the SSDP and SOAP protocols to send spoofed control packets and artificially amplify traffic, which can be redirected to disrupt the services of a specific target, such as a website. By using thousands of devices, attackers can flood a network with data, Akamai said.

Akamai identified two scripts used by attackers – one used to find UPnP-enabled devices and the other to perform the actual reflection attack.

Attacks have been aimed at a variety of industries, including entertainment, payment processing, education, and media and hosting, according to the report. South Korea owns the largest number of vulnerable UnPn devices, followed by the US, Canada, China, Argentina and Japan.

Mitigation is complicated because of to the large numbers of devices and geographical spread. The company recommends that vendors and ISPs take better patch and management actions to make sure misconfigured devices don`t end up in users` homes. They also advise blocking source port 1900 to prevent unnecessary bandwidth loads as a preventative measure.

“It is necessary, however, to address the problem from the root causes: vulnerabilities inherent in the UPnP protocol and the difficulty of upgrading, patching and managing these devices once they are deployed and facing the Internet”, the company concluded. “Action from firmware, application and hardware vendors must occur in order to mitigate and manage this threat”.