Attackers increasingly abuse insecure routers and other home devices for DDoS attacks

18.08.2015
Attackers are taking advantage of home routers and other devices that respond to UPnP (Universal Plug and Play) requests over the Internet in order to amplify distributed denial-of-service attacks.

A report released Tuesday by cloud services provider Akamai Technologies shows that the number of DDoS attacks is on the rise. During the second quarter of 2015 it increased by 7 percent compared to the previous three months and by 132 percent compared to the same period last year, the company's data revealed.

Overall, attackers launched less powerful attacks, but their duration was longer. Even so, the company saw 12 attacks that exceeded 100Gbps during the second quarter and five that peaked at more than 50 million packets per second.

Very few organizations have the infrastructure necessary to deal with such attacks on their own. The largest one recorded during the second quarter across Akamai's Prolexic Routed network peaked at 214Mpps and was capable of disrupting high-end routers used by ISPs, the company said.

SYN floods and Simple Service Discovery Protocol (SSDP) reflection were the most popular DDoS vectors used, accounting for 16 percent and 15.8 percent of attacks respectively.

DDoS reflection is a technique where attackers send requests with a spoofed source IP (Internet Protocol) address to third-party computers, causing them to send responses to that address instead of the original sender. The spoofed IP address belongs to the intended victim.

If the original packets are smaller than the generated responses, the technique also has an amplification effect because it allows attackers to generate more traffic than their available bandwidth would normally allow, by reflecting it through other computers.

The amplification factor depends on the protocol used. Vulnerable Domain Name System (DNS) and Network Time Protocol (NTP) servers have repeatedly been abused in recent years to generate large DDoS attacks.

Attackers started using SSDP for DDoS reflection and amplification in the last quarter of 2014 and has since become one of their favorite techniques. Even though the protocol has a lower amplification factor than DNS or NTP, it has one major benefit: it's used by millions of vulnerable devices spread around the world that are unlikely to be patched.

SSDP is part of the Universal Plug and Play (UPnP) set of networking protocols that allows devices to discover each other and establish functional services without manual configuration.

The protocol is intended to be used inside small home and business networks, but there's a very large number of routers and other devices that are configured to respond to SSDP queries over the Internet, making them potential DDoS reflectors.

According to the Shadowserver Foundation, a volunteer organization that promotes Internet security, there are currently about 12 million IP addresses on the Internet that have an open SSDP service.

The SSDP reflection vector has not been subject to the same type of cleanup efforts as NTP and DNS because most of the exploited devices are consumer ones and not servers, Akamai's researchers said in the report.

Their owners are typically home users who are unlikely to realize that their devices are participating in attacks, they said. "Even if they do notice slowness in their networks, they may not have the expertise to troubleshoot, mitigate or detect the cause."

Lucian Constantin