The obscure Simple Service Discovery Protocol (SSDP) has become the latest obscure-but-occasionally-useful protocol to be harnessed by DDoS attackers, Arbor Networks' Q3 traffic report has noticed.
It could easily be assumed that one quarter's DDoS statistics are like any other and for a while that was true - the average size of attacks has increased over time. But in the last two years, odd innovations have started to appear, usually quite suddenly.
After a period when DNS, NTP and SNMP have been used to varying degrees of effectiveness to generate huge reflection attacks, the UPnP SSDP protocol has become the latest to attract the wrong sort of attention between July and September.
From almost nothing, SSDP reflection was behind 30,000 attacks in the quarter with one peaking at 124Mbps, the firm said. Forty-two percent of all attacks larger than 10Gbps abused this protocol during September.
"Everyone is aware of the huge storm of NTP reflection DDoS attacks in Q1 and early Q2, but although NTP reflection is still significant there isn't as much going on now as there was - unfortunately, it is looking more and more like SSDP will be the next protocol to be exploited in this way," said Arbor's director of solutions architects, Darren Anstee.
First used in the late 1990s in Windows 98, SSDP was a way for client software to work out which PCs, servers and services are around them using ports 1900 or 5000. The same SSDP service still exists for UPnP in Windows 8.1.
Which is not to say that NTP is off the menu - half of all very large 100Gbps and over attacks still used NTP as the method during the quarter, Arbor said.
The peak attack size was a humungous 254Gbps with a total of 133 attacks breaching the 100Gbps threshold. The top three targets were the US, France and Denmark.
"Organizations should take heed and ensure that their DDoS defense is multi-layered, and designed to deal with both attacks that can saturate their connectivity, and more stealthy, sophisticated application layer attacks," said Anstee.
Easier said than done.
This story, "DDoS attackers start using SSDP to fuel large reflection attacks" was originally published by Techworld.com.