Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Attackers increasingly abuse insecure routers and other home devices for DDoS attacks

Lucian Constantin | Aug. 19, 2015
New report shows that the number of attacks is on the rise.

Attackers are taking advantage of home routers and other devices that respond to UPnP (Universal Plug and Play) requests over the Internet in order to amplify distributed denial-of-service attacks.

A report released Tuesday by cloud services provider Akamai Technologies shows that the number of DDoS attacks is on the rise. During the second quarter of 2015 it increased by 7 percent compared to the previous three months and by 132 percent compared to the same period last year, the company's data revealed.

Overall, attackers launched less powerful attacks, but their duration was longer. Even so, the company saw 12 attacks that exceeded 100Gbps during the second quarter and five that peaked at more than 50 million packets per second.

Very few organizations have the infrastructure necessary to deal with such attacks on their own. The largest one recorded during the second quarter across Akamai's Prolexic Routed network peaked at 214Mpps and was capable of disrupting high-end routers used by ISPs, the company said.

SYN floods and Simple Service Discovery Protocol (SSDP) reflection were the most popular DDoS vectors used, accounting for 16 percent and 15.8 percent of attacks respectively.

DDoS reflection is a technique where attackers send requests with a spoofed source IP (Internet Protocol) address to third-party computers, causing them to send responses to that address instead of the original sender. The spoofed IP address belongs to the intended victim.

If the original packets are smaller than the generated responses, the technique also has an amplification effect because it allows attackers to generate more traffic than their available bandwidth would normally allow, by reflecting it through other computers.

The amplification factor depends on the protocol used. Vulnerable Domain Name System (DNS) and Network Time Protocol (NTP) servers have repeatedly been abused in recent years to generate large DDoS attacks.

Attackers started using SSDP for DDoS reflection and amplification in the last quarter of 2014 and has since become one of their favorite techniques. Even though the protocol has a lower amplification factor than DNS or NTP, it has one major benefit: it's used by millions of vulnerable devices spread around the world that are unlikely to be patched.

SSDP is part of the Universal Plug and Play (UPnP) set of networking protocols that allows devices to discover each other and establish functional services without manual configuration.

The protocol is intended to be used inside small home and business networks, but there's a very large number of routers and other devices that are configured to respond to SSDP queries over the Internet, making them potential DDoS reflectors.

According to the Shadowserver Foundation, a volunteer organization that promotes Internet security, there are currently about 12 million IP addresses on the Internet that have an open SSDP service.

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.