Risk Mitigation for Open SSDP
Copyright © 2016, CyberGreen. Sept 2016
Agenda
1. Introduction
2. About SSDP
3. Mitigation recommendations for open SSDP
4. Making the case for implementing mitigations
Introduction
When cyber infrastructure is insecure there is a risk to the global Internet community. Simple Service Discovery Protocol (SSDP) is the standard search protocol for Universal Plug and Play (UPnP).
Introduction
UPnP is pervasive: it is enabled by default on home gateways, network printers, webcams, network storage servers, and "smart home" devices such as thermostats, automated assistants and wireless home security systems that are part of the Internet of Things (IoT).
About CyberGreen
• Global non-profit and collaborative organization focused on helping improve the health of the global cyber ecosystem
• Working to provide reliable metrics and mitigation best practice information to Cyber Security Incident Response Teams (CSIRTs), network operators, and policy makers
• Mission: help CSIRTs and others focus remediation efforts on the most important risks
  o Help understand where improvements can be made
  o How we can achieve a more sustainable, secure, and resilient cyber ecosystem
Copyright (c) 2016, CyberGreen
These materials are distributed under the following license: Permission to use, copy, modify, and/or distribute these materials for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE MATERIAL IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS MATERIAL INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS MATERIAL.
About SSDP
Simple Service Discovery Protocol (SSDP)
Simple Service Discovery Protocol (SSDP) is the standard search protocol for Universal Plug and Play (UPnP). It allows computers and various other network-connected devices to communicate with each other, and it simplifies the discovery and control of network devices on a local network. SSDP runs over UDP port 1900: a control point multicasts a search request to 239.255.255.250:1900 and every matching device answers it with a unicast reply.
Universal Plug and Play (UPnP)
UPnP is enabled by default on many devices: smart TVs, IP cameras, printers, media servers and routers, and most operating systems.
UPnP provides:
• Incoming port mapping on home routers
• Identification of network printers
• Management of media services
Also used in many "smart home" control technologies: programmable thermostats, wireless security systems, home hubs and Internet assistants.
How UPnP uses SSDP to discover services
What is open SSDP?
"Open SSDP" refers to a device that is running SSDP and responds to UPnP discovery requests from the Internet.
Risks posed by open SSDP
Devices running open SSDP can be used in reflection attacks, a type of traffic amplification attack
• Denial of service (DoS): the attacker tries to make a victim's machine or network unavailable to its intended users
• Amplification: the attacker sends a small packet to a server that will generate a large reply
In amplification distributed denial of service (DDoS) attacks, attackers simultaneously abuse multiple amplifiers such as SSDP servers
• Creates a highly distributed DoS attack conducted from a single command and control host
Open SSDP in reflection attacks
The attacker tries to exhaust the victim's bandwidth by abusing the fact that servers using protocols such as SSDP will answer requests whose sender IP address has been forged. Reflection attacks usually exploit User Datagram Protocol (UDP) traffic:
• UDP has no handshake, so a server responds to requests without any validation of the sender's identity, i.e. its IP address
• UDP traffic can be spoofed (given a misleading apparent source IP address): the attacker writes the victim's address into the source field, so every reply goes to the victim, and the attacker's true identity stays hidden
SSDP reflection amplification attack
A DDoS that relies on publicly accessible open SSDP servers to overwhelm a victim system with SSDP response traffic
• Can result in the initial traffic from the attacker being amplified by a factor of about 30 [1]
The only scalable and effective mitigation is to reduce the number of servers that can be used by attackers
• As of 08/30/16, Shadowserver reported 7,864,584 unique IPs with open SSDP; see https://ssdpscan.shadowserver.org/stats/
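The exchange behind the "How UPnP uses SSDP to discover services" slide and the amplification this slide describes, written out as an added example (not CyberGreen's code and not any UPnP stack's): the control point's M-SEARCH, the device's 200 OK replies, and the reply-to-request byte ratio. The device's uuid, LOCATION URL, SERVER string and search targets are constructed for the example.

```python
"""The SSDP discovery exchange, both sides, and the amplification it yields.

Added example, not code from CyberGreen or from any UPnP implementation.
The device below (uuid, LOCATION, SERVER, targets) is constructed for illustration.
"""
from typing import Dict, List, Tuple

SSDP_MCAST_ADDR = "239.255.255.250"
SSDP_PORT = 1900


def build_msearch(st: str = "upnp:rootdevice", mx: int = 3) -> bytes:
    """Control point side: the search request normally multicast to 239.255.255.250:1900."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_MCAST_ADDR}:{SSDP_PORT}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_ssdp(datagram: bytes) -> Tuple[str, Dict[str, str]]:
    """Split one SSDP datagram into its start line and an upper-cased header map."""
    head = datagram.decode("ascii", errors="replace").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")   # first colon only: LOCATION values contain ':'
        if sep:
            headers[name.strip().upper()] = value.strip()
    return lines[0], headers


# Constructed device: a hypothetical home gateway advertising two search targets.
DEVICE = {
    "uuid": "uuid:00000000-0000-0000-0000-000000000001",
    "location": "http://192.168.1.1:49152/rootDesc.xml",
    "server": "Example/1.0 UPnP/1.1 Example-gw/1.0",
    "targets": ["upnp:rootdevice",
                "urn:schemas-upnp-org:device:InternetGatewayDevice:1"],
}


def device_answer(request: bytes, device: dict = DEVICE) -> List[bytes]:
    """Device side: one unicast 200 OK per matching search target, or nothing.

    A device answers when the datagram is an M-SEARCH, MAN is "ssdp:discover" and
    ST names one of its targets (ssdp:all matches every target).  Nothing in the
    protocol checks who asked: a device reachable from the Internet answers a
    forged request just as readily, and the replies go to the forged source.
    """
    start, h = parse_ssdp(request)
    if not start.startswith("M-SEARCH ") or h.get("MAN") != '"ssdp:discover"':
        return []
    st = h.get("ST", "")
    matched = device["targets"] if st == "ssdp:all" else [t for t in device["targets"] if t == st]
    return [
        (
            "HTTP/1.1 200 OK\r\n"
            "CACHE-CONTROL: max-age=1800\r\n"
            "EXT:\r\n"
            f"LOCATION: {device['location']}\r\n"
            f"SERVER: {device['server']}\r\n"
            f"ST: {t}\r\n"
            f"USN: {device['uuid']}::{t}\r\n"
            "\r\n"
        ).encode("ascii")
        for t in matched
    ]


def amplification(request: bytes, replies: List[bytes]) -> float:
    """Bandwidth amplification factor: bytes the reflector emits per byte it received."""
    return sum(len(r) for r in replies) / len(request)


if __name__ == "__main__":
    for st in ("upnp:rootdevice", "ssdp:all"):
        req = build_msearch(st=st)
        replies = device_answer(req)
        print(f"ST={st}: {len(req)} bytes in -> {len(replies)} replies, "
              f"{sum(map(len, replies))} bytes out, factor {amplification(req, replies):.1f}")
```

Real devices answer an ST of ssdp:all once for the root device, once per embedded device, once per service type and once per uuid they expose, which is how a request of roughly 100 bytes turns into the 30x reply volume cited on this slide; the constructed device here exposes only two targets, so its factor is small. The part worth reading twice is device_answer: the decision to reply never looks at where the request came from.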
[1] http://www.us-cert.gov/ncas/alerts/TA14-017A
Real life attack using open SSDP
September 2014 report of an attack using open SSDP [2]
• Documented traffic at a rate of 476 Megabits/second (Mb/s)
• Traffic originated from 111,000 different IP sources
The second half of 2014 saw a dramatic rise in the number of attacks using open SSDP [3]
The most significant impact is the downstream impact on others who are the targeted victims of such attacks
[2] https://blog.sucuri.net/2014/09/quick-analysis-of-a-ddos-attack-using-ssdp.html
[3] https://www.arbornetworks.com/arbor-networks-atlas-data-shows-reflection-ddos-attacks-continue-to-be-significant-in-q3-2014
Potential impacts from SSDP attacks
Productivity
• Service interruption or failure of business operations relying on network connectivity, particularly for seasonal operations, e.g. online retailers where a majority of sales happen between Thanksgiving and New Year's
• Time-sensitive operations, e.g. colleges with limited online registration periods or online wagering on upcoming sporting events, etc.
Other potential SSDP attack impacts
Brand
• Loss of reputation with customers and partners
• Becoming known as a "DoS magnet" in the global community
Technical
• Network service interrupted
• Isolation of the victim network by network providers from the rest of the Internet to mitigate collateral damage to other customers
Financial
• Loss of business resulting from service interruption
• Cost of specialized DDoS mitigation services
Indirect impacts from Open SSDP attacks
You may be impacted if a victim organization shares your upstream connectivity
Open SSDP devices on your network may be used to contribute to an attack on another organization
Potential indirect impacts include:
Technical
• Network service degraded
• Inbound or outbound bandwidth may be reduced
• Network providers may isolate your network (or at least your open SSDP devices) from the rest of the Internet
Other indirect impacts
Brand
• Loss of reputation with customers and partners due to slow or unreliable network and systems
Financial
• Unexpected network usage costs
• Loss of business resulting from service degradation
Mitigate risks from open SSDP
Mitigation options vary by environment
Not all mitigation best practices are appropriate for all environments. CyberGreen provides information relevant to four basic environmental profiles. Look for these icons to find mitigations for your environment:
1. 2. 3. 4. (profile icons not reproduced in this text version)
Mitigate risks from open SSDP
The best way to mitigate risks from open SSDP moving forward is to not purchase or deploy devices with UPnP enabled on outside interfaces. Work with your internal acquisition and procurement teams, or vendors, about other options.
Identify your open SSDP risk
Even if you don't think your devices currently run SSDP across the Internet, you should check your network
• Many devices may be running SSDP without your knowledge
• Additional vulnerabilities in UPnP have been discovered that could pose additional, direct risk to organizations that allow SSDP from the Internet
  o Mitigation strategies should include addressing known vulnerabilities
Find hosts running SSDP
In a shell window, start tcpdump (-n suppresses name lookups; add "and udp port 1900" to the filter if you want to see only SSDP traffic):
    tcpdump -n host [IP]
In a second shell window (bash, whose /dev/udp pseudo-device does the sending), enter:
    perl -e 'print "M-SEARCH * HTTP/1.1\r\nHost:239.255.255.250:1900\r\nST:upnp:rootdevice\r\nMan:\"ssdp:discover\"\r\nMX:3\r\n\r\n"' > /dev/udp/[IP]/1900
If the device has SSDP enabled, you should see one or more HTTP/1.1 200 OK responses from [IP], sent from 1900/udp, in the first shell window (running tcpdump). Run the check from a host outside your network: open SSDP means the device answers requests that arrive from the Internet, and a test from inside only shows that it answers locally.
Mitigation: Block SSDP at network edge
SSDP is generally not needed across the Internet. Organizations should deploy firewall rules that block inbound 1900/udp at the network edge
• If you need SSDP or UPnP across that boundary, restrict access on that port to trusted hosts only
• Consider also dropping outbound UDP traffic with source port 1900 as it leaves your network: that stops reflected responses even from devices you have not found yet
• If you run applications across the Internet that depend on UPnP and you block the service, some applications may continue to work with lesser performance
  o E.g. Microsoft Live Messenger uses UPnP for file transfers; if UPnP is not available, it will use a proxy server from Microsoft that may be more congested
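An added configuration example (not CyberGreen's) of the edge block for a Linux firewall running nftables; the interface names wan0 and lan0 are assumptions, and a vendor ACL on a border router does the same thing in that vendor's syntax.

```nft
# Added example (not CyberGreen's): nftables ruleset for a Linux edge firewall.
# Assumed interface names: wan0 faces the Internet, lan0 the inside network.
# Nothing here matches traffic on lan0, so local UPnP discovery keeps working.
table inet edge {
    chain input {
        type filter hook input priority 0; policy accept;
        # discovery requests from the Internet aimed at the firewall's own UPnP/SSDP service
        iifname "wan0" udp dport 1900 counter drop comment "open SSDP: no M-SEARCH from the Internet"
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # ... and aimed at any device behind the firewall that is reachable from outside
        iifname "wan0" udp dport 1900 counter drop comment "open SSDP: no M-SEARCH to inside devices"
        # replies inside devices still generate must not reach the Internet either
        oifname "wan0" udp sport 1900 counter drop comment "open SSDP: no reflected responses outbound"
    }
}
```

Load it with `nft -f edge.nft` and watch the counters with `nft list ruleset` while re-running the probe from outside: hits on the first two rules are the requests you just blocked. To permit one trusted outside host, insert a rule such as `iifname "wan0" ip saddr 198.51.100.7 udp dport 1900 accept` ahead of the drop (the address is a placeholder). The policy accept lines are there so the fragment drops into an existing ruleset; a real edge firewall would carry a default-deny policy of its own.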
Mitigation: Block SSDP
Use Access Control Lists (ACLs) to restrict SSDP at border routers
Please refer to your specific vendor documentation for instructions on how to implement these changes. Blocking SSDP from the Internet, or disabling it only on the Internet-facing interface, will preserve local network functionality
Mitigation: Disable UPnP
If blocking SSDP at the edge or updating the device firmware is not an option, disable UPnP on the device, particularly on Internet-accessible devices
The UnPlug n' Pray utility from Gibson Research Corporation helps consumers shut down and disable UPnP on their Windows devices; available for free at https://www.grc.com/unpnp/unpnp.htm
Mitigation: Update UPnP devices
Vulnerabilities in UPnP pose additional risk
• The two most commonly used UPnP software libraries (libupnp, the Portable SDK for UPnP Devices, and MiniUPnP) were found to contain vulnerabilities [4] that are remotely exploitable through a single UDP packet, which can be forged
• Some vulnerabilities would allow remote, unauthenticated attackers to scan internal hosts or proxy Internet traffic through the device
Contact your vendor to find out if a firmware update is available
• http://www.kb.cert.org/vuls/id/357851
• https://web.nvd.nist.gov/view/vuln/search-results?query=ssdp
• https://web.nvd.nist.gov/view/vuln/search-results?query=udp
[4] https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play
Spoofed Traffic Mitigation: Implement ingress filtering on networks
Internet Engineering Task Force (IETF) Best Current Practice (BCP) documents
• Detail configuration changes to substantially reduce the potential for source-IP-spoofed attacks of all kinds (the most popular types of DDoS attacks)
  o How to filter network traffic on your network to verify the source address of a packet
  o Reject packets with source addresses that are not reachable via the actual packet's path
IETF BCPs recommended
All network operators should perform network ingress filtering as described in these BCPs:
BCP-38 Network Ingress Filtering
• Defeating Denial of Service Attacks which employ IP Source Address Spoofing: https://tools.ietf.org/html/bcp38
BCP-84 Ingress Filtering for Multihomed Networks
• https://tools.ietf.org/html/bcp84
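The check these two BCPs describe, as a decision procedure over a forwarding table, added here as an example (not CyberGreen's code and not any router's implementation): a constructed provider edge router with two customer links and a transit uplink applies strict reverse-path checking on single-homed links and the loose variant on the multihomed link that BCP-84 is concerned with. All prefixes, interface names and sample packets are constructed.

```python
"""Ingress filtering (BCP 38 / BCP 84) as a reverse-path decision over constructed packets.

Added example, not CyberGreen's code and not any router's uRPF implementation.
The forwarding table, prefixes, interface names and packets are all constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]       # (prefix, interface it is reached through)

# Hypothetical provider edge router: two customer links and one transit uplink.
ROUTES: List[Route] = [
    (ipaddress.ip_network("198.51.100.0/24"), "cust-a"),  # customer A, single-homed
    (ipaddress.ip_network("203.0.113.0/24"), "cust-b"),   # customer B, multihomed
    (ipaddress.ip_network("192.0.2.0/24"), "transit"),    # customer B's block from its other provider, learned via transit
    (ipaddress.ip_network("0.0.0.0/0"), "transit"),       # everything else
]

# BCP 38 strict checking on single-homed links; the loose relaxation on the multihomed one (BCP 84).
MODE: Dict[str, str] = {"cust-a": "strict", "cust-b": "loose", "transit": "strict"}


def best_route(src: str, routes: List[Route] = ROUTES) -> Optional[Route]:
    """Longest-prefix match on the packet's *source* address: the path a reply would take back."""
    addr = ipaddress.ip_address(src)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def strict_urpf(src: str, in_iface: str, routes: List[Route] = ROUTES) -> bool:
    """Accept only if the best route back to the source leaves through the interface the packet arrived on."""
    r = best_route(src, routes)
    return r is not None and r[1] == in_iface


def loose_urpf(src: str, routes: List[Route] = ROUTES) -> bool:
    """Accept if any specific route to the source exists; the default route does not count."""
    r = best_route(src, routes)
    return r is not None and r[0].prefixlen > 0


def ingress_filter(src: str, in_iface: str, routes: List[Route] = ROUTES,
                   mode: Dict[str, str] = MODE) -> Tuple[str, str]:
    """Return ('accept' | 'drop', reason) for a packet with source src arriving on in_iface."""
    m = mode.get(in_iface, "strict")
    ok = strict_urpf(src, in_iface, routes) if m == "strict" else loose_urpf(src, routes)
    r = best_route(src, routes)
    reason = f"{m} uRPF: {src} routed via {r[1] if r else 'nothing'}, arrived on {in_iface}"
    return ("accept" if ok else "drop"), reason


# Constructed packets: (source address, arrival interface, what it represents)
SAMPLES = [
    ("198.51.100.9", "cust-a", "customer A host, genuine source"),
    ("203.0.113.5", "cust-a", "customer A host forging customer B's address, e.g. an M-SEARCH to be reflected at B"),
    ("10.0.0.1", "cust-a", "private/bogon source with no route"),
    ("198.51.100.9", "transit", "customer A's address arriving from the Internet side"),
    ("192.0.2.7", "cust-b", "customer B sending from its other provider's block (asymmetric path)"),
    ("8.8.8.8", "transit", "an arbitrary Internet source reached via the default route"),
]


def run_samples() -> List[Tuple[str, str, str]]:
    """Apply the filter to SAMPLES; returns (src, in_iface, decision)."""
    return [(src, iface, ingress_filter(src, iface)[0]) for src, iface, _ in SAMPLES]


if __name__ == "__main__":
    for (src, iface, what), (_, _, decision) in zip(SAMPLES, run_samples()):
        print(f"{decision:6s} {src:>14s} on {iface:8s} {what}")
```

The second sample is the one that matters for this deck: a customer host forging a victim's address is dropped on the customer-facing interface before it can reach any open SSDP reflector. Loose mode on cust-b lets the same forgery through, because it only rejects sources that no specific route exists for; that is the trade-off BCP-84 accepts so that a multihomed customer's legitimate but asymmetrically routed traffic (the fifth sample) is not discarded by strict checking.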
More info on IETF BCPs
Test whether your network currently follows BCP-38 using tools from the Spoofer Project: https://www.caida.org/projects/spoofer/
Additional details about how to implement BCP-38: http://www.bcp38.info/index.php/Main_Page
Additional mitigations for ISPs
ISPs should ensure that they have a DDoS defense that is multi-layered, and designed to deal with:
• Attacks that can saturate their connectivity
• "Low and slow" sophisticated application layer attacks
Consider rate limiting UDP fragments
• Note: blocking UDP fragments outright negatively affects Session Initiation Protocol (SIP), the protocol for Voice over IP (VoIP), and other text and multimedia sessions like instant messaging, video, online games and other services
Verify your fix
Re-run the check from "Find hosts running SSDP" from outside your network: start tcpdump -n host [IP] in one window, send the M-SEARCH request again from the other, and confirm that no SSDP response comes back from [IP]
Ensure open SSDP is not enabled again in the future and monitor your infrastructure by subscribing to free reports from Shadowserver:
https://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork
Additional SSDP resources
https://www.akamai.com/uk/en/multimedia/documents/state-of-the-Internet/ssdp-reflection-ddos-attacks-threat-advisory.pdf
http://www.us-cert.gov/ncas/alerts/TA14-017A
http://www.kb.cert.org/vuls/id/922681
http://www.upnp-hacks.org/faq.html
http://community.rapid7.com/docs/DOC-2150
https://threatpost.com/50-million-potentially-vulnerable-upnp-flaws-012913/77465/
http://www.darkreading.com/attacks-breaches/report-iot-connected-devices-leading-to-rise-in-ssdp-based-reflection-attacks-/d/d-id/1320149
http://www.christian-rossow.de/articles/Amplification_DDoS.php
Making the case for implementing mitigations such as BCP 38
Making the case for mitigations
Help everyone understand the level of effort needed to improve cyber health in their community
Why implement the mitigations in your environment?
1. It is the right thing to do as a good Internet neighbor
2. Your organization may be next to be attacked
Let's join together and stop the bad guys from winning!
Changing risk landscape
Increased need to demonstrate "due care"
  o Obtaining cyber insurance
  o Complying with risk frameworks to win business with local/national governments and large corporations
If we (you!) don't do a better job of securing our own infrastructure and reducing cyber risk, government regulation may force additional mandates and/or penalties
Anticipated organizational benefits
Increased productivity
• Fewer service interruptions and failures
Improved network performance
• Existing network more reliable and resilient, with greater capacity
Improved brand reputation
• Technical reliability and security a selling point to customers
More anticipated benefits
• Decreased budget uncertainty
  o Fewer unanticipated usage costs for IT
  o Budget can be used as planned, e.g. upgrading technical capability/capacity, additional personnel, etc.
• System admins may spend less time trying to deal with unexpected problems, which in turn may improve their productivity and reduce unexpected overtime
What do you need to implement these mitigations?
Commands and configuration details for the most important mitigations are publicly available
• No additional software must be purchased
• Implementing these mitigations does not require any special knowledge, skills, or abilities
Note: All mitigations should be carefully reviewed in light of your specific business requirements and infrastructure environment before proceeding. All organizational change management processes, including testing, should be followed
How long will mitigations take?
Manually disabling SSDP takes a few minutes per device
System administrators in smaller organizations need 1-2 hours per perimeter device to investigate, implement and verify the basic mitigation of using firewall rules or ACLs to block access to SSDP
ISPs and large entities can automate administration changes with configuration management (Salt, Ansible)
How long to implement BCP-38 network ingress filtering?
Small businesses: from a few minutes to less than an hour
Larger and more complex organizations: days to weeks
Bonus: with no real maintenance, the recurring cost is effectively zero!
Acknowledgement
CyberGreen would like to thank the experts who made the creation of this document possible:
Written by:
- Laurin Buchanan, Applied Visions, Inc., Secure Decisions Division
Contributed and Reviewed by:
- Matt Carothers, Cox Communications
- Baiba Kaskina, CERT.LV
- Moto Kawasaki, JPCERT/CC
- Art Manion, CERT/CC
- Yoshinobu Matsuzaki, IIJ
- Joe St Sauver, Farsight Security
- David Watson, Shadowserver Foundation
Disclaimer: CyberGreen believes this guidance and the advice from our experts should be of benefit to anyone mitigating a risk condition, but it is not advice specific to any reader or network. Ultimately, each reader is responsible for implementing his or her own network remediation strategy and we assume no responsibility or liability therefor.
For more information about risk mitigation best practices please contact: [email protected]