Risk Mitigation for Open SSDP
Copyright © 2016, CyberGreen. September 2016
Agenda
1. Introduction
2. About SSDP
3. Mitigation recommendations for open SSDP
4. Making the case for implementing mitigations
Introduction
When cyber infrastructure is insecure, there is a risk to the global Internet community. Simple Service Discovery Protocol (SSDP) is the standard search protocol for Universal Plug and Play (UPnP).
Introduction
UPnP is pervasive: it is enabled by default on home gateways, network printers, webcams, network storage servers, and "smart home" devices such as thermostats, automated assistants and wireless home security systems that are part of the Internet of Things (IoT).
About CyberGreen
• Global non-profit and collaborative organization focused on helping improve the health of the global Cyber Ecosystem
• Working to provide reliable metrics and mitigation best practice information to Cyber Security Incident Response Teams (CSIRTs), network operators, and policy makers
• Mission: help CSIRTs and others focus remediation efforts on the most important risks
  o Help understand where improvements can be made
  o How we can achieve a more sustainable, secure, and resilient cyber ecosystem
Copyright (c) 2016, CyberGreen
These materials are distributed under the following license: Permission to use, copy, modify, and/or distribute these materials for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE MATERIAL IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS MATERIAL INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS MATERIAL.
About SSDP
Simple Service Discovery Protocol (SSDP)
Simple Service Discovery Protocol (SSDP) is the standard search protocol for Universal Plug and Play (UPnP). It allows computers and various other network-connected devices to communicate with each other. It simplifies the discovery and control of network devices on a local network.
Universal Plug and Play (UPnP)
UPnP is enabled by default on many devices: smart TVs, IP cameras, printers, media servers and routers, and most operating systems. UPnP provides:
• Incoming port mapping on home routers
• Identification of network printers
• Management of media services
Also used in many "smart home" control technologies: programmable thermostats, wireless security systems, home hubs and Internet assistants.
How UPnP uses SSDP to discover services
What is open SSDP?
"Open SSDP" refers to a device that is running SSDP and responds to UPnP discovery requests from the Internet.
Risks posed by open SSDP
Devices running open SSDP can be used in reflection attacks, a type of traffic amplification attack.
• Denial of service (DoS): the attacker tries to make a victim's machine or network unavailable to its intended users
• Amplification: the attacker sends a small packet to a server that will generate a large reply
In amplification distributed denial of service (DDoS) attacks, attackers simultaneously abuse multiple amplifiers such as SSDP servers.
• Creates a highly-distributed DoS attack conducted from a single command and control host
Open SSDP in reflection attacks
The attacker tries to exhaust the victim's bandwidth by abusing the fact that servers using protocols such as SSDP allow spoofing of sender IP addresses. Reflection attacks often exploit User Datagram Protocol (UDP) traffic:
• UDP responds to requests without validation of sender identity, i.e. IP address
• UDP traffic can be spoofed (i.e. have a misleading apparent source IP address): the attacker can hide their true identity
SSDP reflection amplification attack
A DDoS that relies on publicly accessible open SSDP servers to overwhelm a victim system with SSDP response traffic.
• Can result in the initial traffic from the attacker being amplified by a factor of 30 [1]
The only scalable and effective mitigation is to reduce the number of servers that can be used by attackers.
• As of 08/30/16, Shadowserver reported 7,864,584 unique IPs with open SSDP; see https://ssdpscan.shadowserver.org/stats/
[1] http://www.us-cert.gov/ncas/alerts/TA14-017A
Real life attack using open SSDP
September 2014 report of an attack using open SSDP [2]
• Documented traffic at a rate of 476 Megabits/second (Mb/s)
• Traffic originated from 111,000 different IP sources
The second half of 2014 saw a dramatic rise in the number of attacks using open SSDP [3].
The most significant impact is the downstream impact on others who are the targeted victims of such attacks.
[2] https://blog.sucuri.net/2014/09/quick-analysis-of-a-ddos-attack-using-ssdp.html
[3] https://www.arbornetworks.com/arbor-networks-atlas-data-shows-reflection-ddos-attacks-continue-to-be-significant-in-q3-2014
Potential impacts from SSDP attacks
Productivity
• Service interruption or failure of business operations relying on network connectivity, particularly for seasonal operations, e.g. online retailers where a majority of sales happen between Thanksgiving and New Year's
• Time-sensitive operations, e.g. colleges with limited online registration periods or online wagering on upcoming sporting events, etc.
Other potential SSDP attack impacts
Brand
• Loss of reputation with customers and partners
• Becoming known as a "DoS magnet" in the global community
Technical
• Network service interrupted
• Isolation of the victim network by network providers from the rest of the Internet to mitigate collateral damage to other customers
Financial
• Loss of business resulting from service interruption
• Cost of specialized DDoS mitigation services
Indirect impacts from Open SSDP attacks
You may be impacted if a victim organization shares your upstream connectivity. Open SSDP devices on your network may be used to contribute to an attack on another organization. Potential indirect impacts include:
Technical
• Network service degraded
• Inbound or outbound bandwidth may be reduced
• Network providers may isolate your network (or at least your insecure recursive resolver) from the rest of the Internet
Other indirect impacts
Brand
• Loss of reputation with customers and partners due to slow or unreliable network and systems
Financial
• Unexpected network usage costs
• Loss of business resulting from service degradation
Mitigate risks from open SSDP
Mitigation options vary by environment
Not all mitigation best practices are appropriate for all environments. CyberGreen provides information relevant to four basic environmental profiles. Look for these icons to find mitigations for your environment (environment-profile icons 1 to 4; not reproduced in this transcript).
Mitigate risks from open SSDP
The best way to mitigate risks from open SSDP moving forward is to not purchase or deploy devices with UPnP enabled on outside interfaces. Work with your internal acquisition and procurement teams, or vendors, about other options.
Identify your open SSDP risk
Even if you don't think your devices currently run SSDP across the Internet, you should check your network.
• Many devices may be running SSDP without your knowledge
• Additional vulnerabilities in UPnP have been discovered that could pose additional, direct risk to organizations that allow SSDP from the Internet
  o Mitigation strategies should include addressing known vulnerabilities
Find hosts running SSDP
In a shell window, start tcpdump:
tcpdump -n host [IP]
In a second shell window, enter (bash; the redirect to /dev/udp sends the M-SEARCH as a single UDP datagram to port 1900):
perl -e 'print "M-SEARCH * HTTP/1.1\r\nHost:239.255.255.250:1900\r\nST:upnp:rootdevice\r\nMan:\"ssdp:discover\"\r\nMX:3\r\n\r\n"' > /dev/udp/[IP]/1900
If your device has SSDP enabled, you should see a lot of traffic in the first shell window (running tcpdump).
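The same check as an added Python script (not from the CyberGreen deck): it sends the identical M-SEARCH to one device you administer, parses any reply for the SERVER and LOCATION headers you will need when asking the vendor for firmware, and reports the reply-to-request size ratio. The target address is a placeholder you supply on the command line; the sample reply used by the offline functions is constructed. Re-run it after the fix: an Internet-facing address should return no reply.

```python
import socket
import sys

SSDP_PORT = 1900
# Byte-for-byte the request the deck sends with perl (97 bytes on the wire).
MSEARCH = (
    b"M-SEARCH * HTTP/1.1\r\n"
    b"Host:239.255.255.250:1900\r\n"
    b"ST:upnp:rootdevice\r\n"
    b'Man:"ssdp:discover"\r\n'
    b"MX:3\r\n\r\n"
)


def parse_ssdp_reply(data: bytes) -> dict:
    """Parse an HTTP-over-UDP reply into {HEADER: value}. Header names are
    upper-cased because devices differ in case. Returns {} if the datagram
    is not an SSDP 200 response."""
    lines = data.decode("latin-1").split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def amplification_factor(reply_sizes) -> float:
    """Bytes returned per byte sent: the number that makes an open SSDP
    device attractive as a reflector (the deck cites up to 30x [1])."""
    return round(sum(reply_sizes) / len(MSEARCH), 2)


def probe(ip: str, wait: float = 3.0) -> list:
    """Send one M-SEARCH to ip:1900 and return the raw replies seen within
    `wait` seconds. An empty list means the device did not answer on that
    address, which is the desired result on an Internet-facing interface."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(wait)
        s.sendto(MSEARCH, (ip, SSDP_PORT))
        try:
            while True:
                data, _ = s.recvfrom(65535)
                replies.append(data)
        except socket.timeout:
            pass
    return replies


# Constructed sample reply, shaped like a typical root-device response.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.0.2.1:49152/rootDesc.xml\r\n"
    b"SERVER: ExampleOS/1.0 UPnP/1.0 ExampleIGD/2.0\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder
    got = probe(target)
    if not got:
        print(f"{target}: no SSDP reply (not open)")
    else:
        for r in got:
            h = parse_ssdp_reply(r)
            print(f"{target}: {len(r)} bytes, SERVER={h.get('SERVER', '?')}, "
                  f"LOCATION={h.get('LOCATION', '?')}")
        print(f"amplification factor: {amplification_factor(map(len, got))}x")
```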
Mitigation: Block SSDP at network edge
SSDP is generally not needed across the Internet. Organizations should deploy firewall rules that block inbound port 1900/udp.
• If you need SSDP or UPnP, restrict access to only allow trusted hosts on that port
• If you run applications across the Internet that depend on UPnP and you block the service, some applications may continue to work with lesser performance
  o E.g. Microsoft Live Messenger uses UPnP for file transfers; if UPnP is not available, it will use a proxy server from Microsoft that may be more congested
Mitigation: Block SSDP
Use Access Control Lists (ACLs) to restrict SSDP at border routers.
Please refer to your specific vendor documentation for instructions on how to implement these changes. Blocking SSDP from the Internet, or disabling it only on the Internet-facing side, will preserve local network functionality.
Mitigation: Disable UPnP
If blocking or upgrading UPnP is not an option, disable UPnP, particularly on Internet-accessible devices.
The UnPlug n' Pray utility from Gibson Research Company helps consumers shut down and disable UPnP on their Windows devices; available for free at https://www.grc.com/unpnp/unpnp.htm
Mitigation: Update UPnP devices
Vulnerabilities in UPnP pose additional risk.
• The two most commonly used UPnP software libraries contain vulnerabilities [4] that are remotely exploitable through a single UDP packet, which can be forged
• Some vulnerabilities would allow remote, unauthenticated attackers to scan internal hosts or proxy Internet traffic through the device
Contact your vendor to find out if a firmware update is available:
• http://www.kb.cert.org/vuls/id/357851
• https://web.nvd.nist.gov/view/vuln/search-results?query=ssdp
• https://web.nvd.nist.gov/view/vuln/search-results?query=udp
[4] https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play
Spoofed Traffic Mitigation: Implement ingress filtering on networks
Internet Engineering Task Force (IETF) Best Current Practice (BCP) documents
• Detail configuration changes to substantially reduce the potential for source-IP-spoofed attacks of all kinds (the most popular types of DDoS attacks)
  o How to filter network traffic on your network to verify the source address of a packet
  o Reject packets with source addresses that are not reachable via the actual packet's path
IETF BCPs recommended
All network operators should perform network ingress filtering as described in these BCPs:
BCP-38 Network Ingress Filtering
• Defeating Denial of Service Attacks which employ IP Source Address Spoofing: https://tools.ietf.org/html/bcp38
BCP-84 Ingress Filtering for Multihomed Networks
• https://tools.ietf.org/html/bcp84
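An added illustration (not from the deck) of the two edge controls recommended above, written as a small packet-filter simulation in Python: the inbound 1900/udp block with a trusted-host exception from "Block SSDP at network edge", and the strict (BCP 38) versus loose (BCP 84 multihoming relaxation) reverse-path check on the packet's source address. Interface names, prefixes and addresses are constructed placeholders, and the routing table is a plain dictionary standing in for a router's FIB.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SSDP_PORT = 1900


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str     # source address as written in the packet (may be forged)
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int


# --- Block inbound SSDP at the network edge (firewall rule / router ACL) ---
def ssdp_edge_verdict(pkt: Packet, wan_if: str, trusted_src=()) -> str:
    """Drop UDP/1900 arriving on the Internet-facing interface unless the
    source is in an explicit allow-list. Other interfaces and ports are left
    alone ("pass"), so discovery on the local network keeps working."""
    if pkt.iface != wan_if or pkt.proto != "udp" or pkt.dport != SSDP_PORT:
        return "pass"
    if any(ip_address(pkt.src) in ip_network(net) for net in trusted_src):
        return "accept"
    return "drop"


# --- BCP 38 / BCP 84 ingress filtering on the packet's SOURCE address ---
def best_route(routes: dict, addr: str, ignore_default: bool = False):
    """Longest-prefix match over {prefix: interface}: the interface the
    router would use to reach addr, or None if no route covers it. Loose
    mode ignores the default route, as routers do unless told otherwise."""
    a = ip_address(addr)
    matches = [(ip_network(p), i) for p, i in routes.items()
               if a in ip_network(p)
               and not (ignore_default and ip_network(p).prefixlen == 0)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def bcp38_verdict(pkt: Packet, routes: dict, mode: str = "strict") -> str:
    """Strict (BCP 38): accept only if the route back to the source leaves
    via the interface the packet arrived on. Loose (BCP 84's relaxation for
    asymmetric multihoming): accept if any non-default route to the source
    exists, whichever interface it points to."""
    if mode == "loose":
        return "accept" if best_route(routes, pkt.src, True) else "drop"
    return "accept" if best_route(routes, pkt.src) == pkt.iface else "drop"


# Constructed topology: one customer subnet on cust0, default route upstream.
ROUTES = {"198.51.100.0/24": "cust0", "0.0.0.0/0": "wan0"}

# Constructed packets (documentation address ranges, not real hosts).
# A customer host sending a query with its own address:
LEGIT = Packet("cust0", "198.51.100.20", "203.0.113.7", "udp", 1900)
# A reflection request leaving the customer port with the VICTIM's address
# forged as source: the case BCP 38 exists to stop.
SPOOFED = Packet("cust0", "203.0.113.7", "198.51.100.20", "udp", 1900)
# An Internet-sourced discovery request arriving at the edge.
FROM_INTERNET = Packet("wan0", "203.0.113.7", "198.51.100.20", "udp", 1900)

if __name__ == "__main__":
    print("edge rule, from Internet:", ssdp_edge_verdict(FROM_INTERNET, "wan0"))
    print("edge rule, customer side:", ssdp_edge_verdict(LEGIT, "wan0"))
    for p in (LEGIT, SPOOFED):
        print(p.src, "strict:", bcp38_verdict(p, ROUTES),
              "loose:", bcp38_verdict(p, ROUTES, "loose"))
```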
More info on IETF BCPs
Test whether your network currently follows BCP-38 using tools from the Spoofer Project: https://www.caida.org/projects/spoofer/
Additional details about how to implement BCP-38: http://www.bcp38.info/index.php/Main_Page
Additional mitigations for ISPs
ISPs should ensure that they have a DDoS defense that is multi-layered, and designed to deal with:
• Attacks that can saturate their connectivity
• "Low and slow" sophisticated application layer attacks
Consider rate-limiting UDP fragments.
• Note: Blocking UDP fragments negatively affects Session Initiation Protocol (SIP), the protocol for Voice over IP (VoIP), and other text and multimedia sessions like instant messaging, video, online games and other services
Verify your fix
Re-run the command:
tcpdump -n host [IP]
Ensure open SSDP is not enabled again in the future and monitor your infrastructure by subscribing to free reports from Shadowserver:
https://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork
Additional SSDP resources
https://www.akamai.com/uk/en/multimedia/documents/state-of-the-Internet/ssdp-reflection-ddos-attacks-threat-advisory.pdf
http://www.us-cert.gov/ncas/alerts/TA14-017A
http://www.kb.cert.org/vuls/id/922681
http://www.upnp-hacks.org/faq.html
http://community.rapid7.com/docs/DOC-2150
https://threatpost.com/50-million-potentially-vulnerable-upnp-flaws-012913/77465/
http://www.darkreading.com/attacks-breaches/report-iot-connected-devices-leading-to-rise-in-ssdp-based-reflection-attacks-/d/d-id/1320149
http://www.christian-rossow.de/articles/Amplification_DDoS.php
Making the case for implementing mitigations such as BCP 38
Making the case for mitigations
Help everyone understand the level of effort needed to improve cyber health in their community. Why implement the mitigations in your environment?
1. It is the right thing to do as a good Internet neighbor
2. Your organization may be next to be attacked
Let's join together and stop bad guys from winning!
Changing risk landscape
Increased need to demonstrate "due care"
  o Obtaining cyber insurance
  o Complying with risk frameworks to win business with local/national governments and large corporations
If we (you!) don't do a better job of securing our own infrastructure and reducing cyber risk, government regulation may force additional mandates and/or penalties.
Anticipated organizational benefits
Increased productivity
• Fewer service interruptions and failures
Improved network performance
• Existing network more reliable and resilient, with greater capacity
Improved brand reputation
• Technical reliability and security as a selling point to customers
More anticipated benefits
• Decreased budget uncertainty
  o Fewer unanticipated usage costs for IT
  o Budget can be used as planned, e.g. upgrading technical capability/capacity, additional personnel, etc.
• System admins may spend less time trying to deal with unexpected problems, which in turn may improve their productivity and reduce unexpected overtime
What do you need to implement these mitigations?
Commands and configuration details for the most important mitigations are publicly available.
• No additional software must be purchased
• Implementing these mitigations does not require any special knowledge, skills, or abilities
Note: All mitigations should be carefully reviewed in light of your specific business requirements and infrastructure environment before proceeding. All organizational change management processes, including testing, should be followed.
How long will mitigations take?
Manually disabling SSDP takes a few minutes per device.
System administrators in smaller organizations need 1-2 hours per perimeter device to investigate, implement and verify the basic mitigation of using firewall or ACLs to block access to SSDP.
ISPs and large entities can automate administration changes with configuration management (Salt, Ansible).
How long to implement BCP-38 network ingress filtering?
Small businesses: from a few minutes to less than an hour
Larger and more complex organizations: days to weeks
Bonus: with no real maintenance, the recurring cost is effectively zero!
Acknowledgement
CyberGreen would like to thank the experts who made the creation of this document possible:
Written by:
- Laurin Buchanan, Applied Visions, Inc., SecureDecisions Division
Contributed and Reviewed by:
- Matt Carothers, Cox Communications
- Baiba Kaskina, CERT.LV
- Moto Kawasaki, JPCERT/CC
- Art Manion, CERT/CC
- Yoshinobu Matsuzaki, IIJ
- Joe St Sauver, Farsight Security
- David Watson, ShadowServer Foundation
Disclaimer: CyberGreen believes this guidance and the advice from our experts should be of benefit to anyone mitigating risk conditions, but it is not advice specific to any reader or network. Ultimately, each reader is responsible for implementing his or her own network remediation strategy and we assume no responsibility or liability therefore.
For more information about risk mitigation best practices please contact: [email protected]