Blocking SSDP Protocols by default

udp
firewall
security

#1

I woke up to find an abuse letter for a new seedbox I hadn’t even begun using, regarding the fact that SSDP was enabled on my server.

Here is the letter (in English, as this was the German government sending me this):

Dear Sir or Madam,

The Simple Service Discovery Protocol (SSDP) is a network protocol
for advertisement and discovery of network services and presence
information. SSDP is the basis of the discovery protocol of
Universal Plug and Play (UPnP). SSDP usually uses port 1900/udp.

In the past months, systems responding to SSDP requests from the
Internet have been increasingly abused for participating in
DDoS reflection/amplification attacks.

The Shadowserver ‘Open SSDP Scanning Project’ identifies systems
responding to SSDP requests from the Internet which can be abused
for DDoS reflection/amplification attacks if no countermeasures
have been implemented.

Shadowserver provides CERT-Bund with the test results for IP addresses
hosted in Germany for notifying the owners of the affected systems.
Further information on the tests run by Shadowserver is available
at [2].

Please find below a list of affected systems hosted on your network.
The timestamp (timezone UTC) indicates when the system was tested
and responded to SSDP requests from the Internet.

We would like to ask you to check this issue and take appropriate
steps to secure the SSDP services on the affected systems or
notify your customers accordingly.

If you have recently solved the issue but received this notification
again, please note the timestamp included below. You should not
receive any further notifications with timestamps after the issue
has been solved.

References:

[1] Wikipedia: Simple Service Discovery Protocol
http://de.wikipedia.org/wiki/Simple_Service_Discovery_Protocol
[2] Shadowserver: Open SSDP Scanning Project
https://ssdpscan.shadowserver.org/
[3] Arbor Networks: Increase in DDoS attacks via SSDP
http://www.arbornetworks.com/news-and-events/press-releases/recent-press-releases/5283-arbor-networks-atlas-data-shows-reflection-ddos-attacks-continue-to-be-significant-in-q3-2014
[4] Sucuri: Quick Analysis of a DDoS Attack Using SSDP
http://blog.sucuri.net/2014/09/quick-analysis-of-a-ddos-attack-using-ssdp.html
[5] US-CERT: UDP-based Amplification Attacks
https://www.us-cert.gov/ncas/alerts/TA14-017A

This message is digitally signed using PGP.
Details on the signature key used are available on our website at:
https://www.cert-bund.de/reports-sig


#2

Thanks for the report on this. It is being added to the next revision that is due by the end of today or early tomorrow.

If anyone is curious as to what exactly SSDP is, I can affirm that this is a mostly unused port and is only, in some commercial software, used for network discovery on dedicated servers. As such, SSDP can be used in regard to reflection DDoS attacks. These attacks will sometimes not be in the form of packets sent, but rather of replies made from within the server… essentially, it allows an attacker to get replies out on port number 1900 to a destination IP of their choosing.

There are numerous ways around these attacks, one of which is:

iptables -I INPUT 1 -p udp -m udp --dport 1900 -j DROP

The above can be added to existing installs on dedicated servers. This is a quick fix to drop the port altogether. If you are using software on top of the QuickBox script that requires this port to be open… I would drop that too.

Either by the end of today or tomorrow there is going to be a release of the script that addresses this issue. It will implement CSF (Config Server Firewall) to afford a much more robust and easier to adapt/adjust solution for QuickBox. Users with QuickBox already installed will have a separate patch that addresses this and installs CSF for you with minimal input required.

If you would like additional reading on the matter of SSDP, check out this Wiki entry.


#3

The only bad thing with the iptables command is that it doesn’t prevent my server from being triggered again :stuck_out_tongue:
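
The quickest way to settle whether a rule like the one in #2 is actually taking effect is to test the box the same way Shadowserver does: send a unicast SSDP M-SEARCH to udp/1900 from another host and see whether anything comes back. The Python script below is an added example for this thread, not code from the thread, from QuickBox or from CSF. It builds the M-SEARCH, collects every datagram the target returns, flags the host as an open reflector if any reply is a 200 OK, and reports the amplification factor (reply bytes per request byte; US-CERT's TA14-017A, reference [5] in the letter, puts SSDP at roughly 30x). The target host and port are the only inputs it assumes; SAMPLE_REPLY and start_fake_responder() are constructed stand-ins so it can be run offline. Two caveats worth having next to the iptables one-liner: a rule added at the command line is not persistent across a reboot or a firewall reload, so a reply that shows up again days later usually means the rule is simply gone, and the probe has to be run from outside your network, since a loopback or LAN test does not exercise the public interface that the scanner hits.

```python
"""Probe a host for open SSDP the way the Shadowserver scan does.

Added example for this thread; not code from the thread, QuickBox or CSF.
Assumes only a target host and port (default udp/1900).  SAMPLE_REPLY and
start_fake_responder() are constructed stand-ins so it can run offline.
"""
import socket
import sys
import threading
import time


def build_msearch(search_target: str = "ssdp:all") -> bytes:
    """The unicast discovery request a scanner (or an attacker spoofing a
    victim's source address) sends to udp/1900.  "ssdp:all" asks for every
    service, which maximises the number and size of the replies."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        "HOST: 239.255.255.250:1900",
        'MAN: "ssdp:discover"',
        "MX: 1",
        f"ST: {search_target}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(data: bytes) -> dict:
    """Split an SSDP reply into its status line and an upper-cased header map."""
    text = data.decode("ascii", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]
    status, *header_lines = head.split("\r\n")
    headers = {"_status": status}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def is_open_reflector(replies: list) -> bool:
    """True if any datagram is a 200 OK: the host answers unsolicited M-SEARCHes."""
    return any(parse_ssdp_response(r)["_status"].startswith("HTTP/1.1 200")
               for r in replies)


def amplification_factor(request: bytes, replies: list) -> float:
    """Reply bytes per request byte, which is what makes SSDP worth reflecting."""
    if not request:
        raise ValueError("empty request")
    return sum(len(r) for r in replies) / len(request)


def probe(host: str, port: int = 1900, timeout: float = 2.0) -> list:
    """Send one M-SEARCH and collect every datagram the host sends back."""
    request = build_msearch()
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            try:
                data, _ = sock.recvfrom(65535)
            except socket.timeout:
                break
            replies.append(data)
    return replies


# Constructed reply, shaped like a typical UPnP root-device answer.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.0.2.10:49152/rootDesc.xml\r\n"
    b"SERVER: Linux/3.x UPnP/1.0 ExampleDevice/1.0\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"\r\n"
)


def start_fake_responder(reply: bytes = SAMPLE_REPLY) -> int:
    """Loopback stand-in for an exposed UPnP stack: answers one M-SEARCH with
    `reply` and returns the ephemeral port it listens on.  Exists only so the
    probe can be exercised without a real device on the network."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    port = sock.getsockname()[1]

    def serve():
        sock.settimeout(5.0)
        try:
            data, peer = sock.recvfrom(65535)
            if data.startswith(b"M-SEARCH"):
                sock.sendto(reply, peer)
        except socket.timeout:
            pass
        finally:
            sock.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    if len(sys.argv) > 1:                 # real target: python3 ssdp_probe.py <host>
        host, port = sys.argv[1], 1900
    else:                                 # no target given: talk to the loopback stand-in
        host, port = "127.0.0.1", start_fake_responder()
    replies = probe(host, port, timeout=1.0)
    print(f"{host}:{port} replies={len(replies)} open={is_open_reflector(replies)} "
          f"amplification={amplification_factor(build_msearch(), replies):.1f}x")
    for r in replies:
        h = parse_ssdp_response(r)
        print(" ", h.get("_status"), h.get("SERVER"), h.get("LOCATION"))
```

Run it with your seedbox's public IP as the argument from a machine outside the provider's network. A host that is properly firewalled returns no datagrams at all (the probe simply times out), which is the state Shadowserver will stop reporting; any 200 OK means something on the box is still answering, and `ss -lunp` on the server will show which process owns udp/1900 (on a seedbox this is usually a DLNA/media server or another UPnP-capable service). Blocking inbound udp/1900 with the rule from #2 stops the reflection because the server never sees the request; there is no need to filter outbound replies separately.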


#4

This is actually one reason why the new v2.2.0 of the script implements CSF. If port 1900 is not expressly permitted, it is flagged and rejected, and a notice is sent informing you that the port has been knocked.

There is now a function within the QuickBox installer that blocks port 1900 by default.


#5