Distributed denial-of-service (DDoS) attacks using the Simple Service Discovery Protocol (SSDP) continued to rise during the first quarter of 2015, according to a new report from Arbor Networks.
The largest new attack was 137.88 Gbps, the firm reported. Arbor Networks monitored 126,000 SSDP reflection attacks in the first quarter of the year, compared to 83,000 in the fourth quarter of 2014. The numbers also represent a dramatic spike from Q1 2014, when Arbor Networks observed just three such attacks.
A report recently released by NSFOCUS linked the ever-growing Internet of Things (IoT) to an increase in SSDP reflection attacks during the second half of 2014. More than 30 percent of compromised SSDP attack devices were network-connected devices such as home routers and webcams, according to the firm.
“With the proliferation of the Internet of Things, any smart connected device with a public IP address and vulnerable operating system will increase the number of devices that could be used to launch SSDP-based reflection attacks,” according to the NSFOCUS report. “This particular type of DDoS attack was seen as the second most dominant threat, after NTP-based (Network Time Protocol) attacks, in 2H2014.”
Most of these IoT devices are very low cost, are rarely if ever monitored and are often easily exploitable, said Gary Sockrider, solutions architect for Arbor Networks.
“As more of these devices come online they become ever more inviting targets,” he said. “Many of these devices have Universal Plug and Play (UPnP) enabled by default, which relies upon SSDP, and we’ve seen a sharp and continued rise in SSDP-based attacks.”
Overall, the attacks monitored by Arbor Networks were shorter but packed a more powerful punch. Ninety percent of the attacks lasted less than an hour. The top overall attack targets were the U.S. (16 percent), China (16 percent) and France (8 percent). The top targets for reflection attacks of more than 10 Gbps were France (19 percent), Denmark (10 percent) and the U.S. (8 percent). Roughly 43 percent of reflection attacks targeted port 80.
“Attacks that are significantly above the 200 Gbps level can be extremely dangerous for network operators and can cause collateral damage across service provider, cloud hosting and enterprise networks,” said Darren Anstee, director, solutions architects, for Arbor Networks, in a statement. “DDoS attacks continue to evolve. Not only have volumetric attacks grown significantly in size and frequency over the past 18 months, application-layer attackers are also still pervasive. In order to deal with the full scope of the modern DDoS threat, we strongly recommend a multi-layered defense, one that integrates on-premise protection against application-layer attacks with cloud-based protection against higher magnitude volumetric attacks. Only then is an organization fully protected from DDoS attacks today.”