Akamai Technologies, Inc., provider of cloud services for delivering, optimizing and securing online content and business applications, has released a new cybersecurity threat advisory. The advisory alerts the security community, device vendors, Internet service providers and enterprises to the risk of massive distributed denial of service (DDoS) attacks involving Universal Plug and Play (UPnP) devices.
PLXsert has observed the use of a new reflection and amplification DDoS attack that deliberately misuses communications protocols that come enabled on millions of home and office devices, including routers, media servers, web cams, smart TVs and printers.
The protocols allow devices to discover each other on a network, establish communication and coordinate activities. DDoS attackers have been abusing these protocols on Internet-exposed devices to launch attacks that generate floods of traffic and cause website and network outages at enterprise targets.
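The reflection pattern described above, as an added defender-side example (not code from Akamai's advisory): it scans constructed UDP datagram records for SSDP replies that devices on a local network send to outside hosts, and flags replies to a host that never sent an M-SEARCH or that dwarf the query that elicited them. The network prefix, addresses and payloads are assumptions made for this example.

```python
"""Spot SSDP (UPnP discovery) reflection traffic in captured UDP datagrams.

The datagrams below are constructed for this example. A reflector answers
from UDP/1900 with an HTTP-style SSDP reply that is larger than the query,
and in an attack the replies go to a spoofed victim that never asked.
"""
from collections import defaultdict

SSDP_PORT = 1900
LOCAL_PREFIX = "192.168.1."  # the monitored network; an assumption for this example

# Constructed query and reply payloads, shaped like real SSDP messages.
M_SEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            b"MAN: \"ssdp:discover\"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n")
SSDP_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nEXT:\r\n"
              b"LOCATION: http://192.168.1.10:49152/rootDesc.xml\r\n"
              b"SERVER: Linux/3.x UPnP/1.0 Example/1.0\r\n"
              b"ST: upnp:rootdevice\r\nUSN: uuid:EXAMPLE-DEVICE::upnp:rootdevice\r\n\r\n")

def is_ssdp_response(payload: bytes) -> bool:
    """SSDP replies are HTTP/1.1 200 OK messages that carry an ST: header."""
    lines = payload.split(b"\r\n")
    return (lines[0].startswith(b"HTTP/1.1 200")
            and any(line.upper().startswith(b"ST:") for line in lines[1:]))

def summarize_reflection(datagrams, local_prefix=LOCAL_PREFIX, ratio_limit=10.0):
    """Per outside host: M-SEARCH bytes it sent in vs. SSDP reply bytes local
    devices sent back. Replies to a host that never queried (spoofed victim),
    or far more reply bytes than query bytes, are flagged as reflection."""
    stats = defaultdict(lambda: {"query_bytes": 0, "response_bytes": 0, "reflectors": set()})
    for src, sport, dst, dport, payload in datagrams:
        if dport == SSDP_PORT and payload.startswith(b"M-SEARCH") and not src.startswith(local_prefix):
            stats[src]["query_bytes"] += len(payload)      # outside host probing a local device
        elif sport == SSDP_PORT and is_ssdp_response(payload) and not dst.startswith(local_prefix):
            stats[dst]["response_bytes"] += len(payload)   # local device replying outward
            stats[dst]["reflectors"].add(src)
    for s in stats.values():
        s["ratio"] = s["response_bytes"] / s["query_bytes"] if s["query_bytes"] else float("inf")
        s["suspicious"] = s["response_bytes"] > 0 and s["ratio"] >= ratio_limit
    return dict(stats)

# Constructed traffic: one scanner that queried once, one victim that never did.
DATAGRAMS = [
    ("203.0.113.5", 40000, "192.168.1.10", 1900, M_SEARCH),
    ("192.168.1.10", 1900, "203.0.113.5", 40000, SSDP_REPLY),
    ("192.168.1.10", 1900, "198.51.100.7", 80, SSDP_REPLY),
    ("192.168.1.11", 1900, "198.51.100.7", 80, SSDP_REPLY),
    ("192.168.1.12", 1900, "198.51.100.7", 80, SSDP_REPLY),
]

if __name__ == "__main__":
    for host, s in summarize_reflection(DATAGRAMS).items():
        print(host, "ratio=%.1f" % s["ratio"], "reflectors=%d" % len(s["reflectors"]),
              "suspicious=%s" % s["suspicious"])
```

On real captures the same logic runs over decoded UDP records from a flow collector or packet capture; the victim shows up as an outside host receiving replies from many local devices without ever having queried.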
“Malicious actors are using this new attack vector to perform large-scale DDoS attacks. PLXsert began seeing attacks from UPnP devices in July, and they have become common,” said Stuart Scholly, senior vice president and general manager, Security Business Unit, Akamai.
PLXsert found 4.1 million Internet-facing UPnP devices are potentially vulnerable to being employed in this type of reflection DDoS attack – about 38 percent of the 11 million devices in use around the world. PLXsert will share the list of potentially exploitable devices with members of the security community in an effort to collaborate on cleanup and mitigation efforts for this threat.
PLXsert replicated an attack of this type in a lab environment, demonstrating how attackers produce reflection and amplification DDoS attacks using UPnP-enabled devices. In the advisory, PLXsert shares its analysis and details, including:
- How the SSDP protocol and SOAP requests are used in reflection attacks
- Two example DDoS tools used to scan for vulnerable devices and launch attacks
- Details of an observed attack campaign
- Geographical distribution of UPnP devices involved in attacks
- Top 10 most common headers in UPnP response payloads
- Recommended system hardening and community action
- DDoS mitigation