risk mitigation for open ssdp - cybergreen openssdp... · risk mitigation for open ssdp ... •...

Risk Mitigation for Open SSDP

Copyright©2016,CyberGreen Sept2016

Agenda

1. Introduction2. AboutSSDP3. MitigationrecommendationsforopenSSDP4. Makingthecaseforimplementingmitigations

2 Copyright©2016,CyberGreen Sept2016

Introduction

WhencyberinfrastructureisinsecurethereisarisktotheglobalInternetcommunitySimpleServiceDiscoveryProtocol(SSDP)isthestandardsearchprotocolforUniversalPlugandPlay(UPnP)


Introduction

UPnPispervasive- itisenabledbydefaultonhomegateways,networkprinters,webcams,networkstorageservers,and“smarthome”devicessuchasthermostats,automatedassistantsandwirelesshomesecuritysystemsthatarepartoftheInternetofThings(IoT)


About CyberGreen

• Globalnon-profitandcollaborativeorganizationfocusedonhelpingimprovethehealthofglobalCyberEcosystem

• WorkingtoprovidereliablemetricsandmitigationbestpracticeinformationtoCyberSecurityIncidentResponseTeams(CSIRTs),networkoperators,andpolicymakers

• Mission:helpCSIRTsandothersfocusremediationeffortsonthemostimportantriskso Helpunderstandwhereimprovementscanbemadeo Howwecanachieveamoresustainable,secure,and

resilientcyberecosystem


Copyright (c) 2016, CyberGreen

Thesematerialsaredistributedunderthefollowinglicense:Permissiontouse,copy,modify,and/ordistributethesematerialsforanypurposewithorwithoutfeeisherebygranted,providedthattheabovecopyrightnoticeandthispermissionnoticeappearinallcopies.THEMATERIALISPROVIDED"ASIS"ANDTHEAUTHORDISCLAIMSALLWARRANTIESWITHREGARDTOTHISMATERIALINCLUDINGALLIMPLIEDWARRANTIESOFMERCHANTABILITYANDFITNESS.INNOEVENTSHALLTHEAUTHORBELIABLEFORANYSPECIAL,DIRECT,INDIRECT,ORCONSEQUENTIALDAMAGESORANYDAMAGESWHATSOEVERRESULTINGFROMLOSSOFUSE,DATAORPROFITS,WHETHERINANACTIONOFCONTRACT,NEGLIGENCEOROTHERTORTIOUSACTION,ARISINGOUTOFORINCONNECTIONWITHTHEUSEORPERFORMANCEOFTHISMATERIAL.


About SSDP


Simple Service Discovery Protocol (SSDP)

SimpleServiceDiscoveryProtocol(SSDP)isthestandardsearchprotocolforUniversalPlugandPlay(UPnP)ItallowscomputersandvariousothernetworkconnecteddevicestocommunicatewitheachotherItsimplifiesthediscoveryandcontrolofnetworkdevicesonalocalnetwork


Universal Plug and Play (UPnP)

UPnPenabledbydefaultonmanydevices:smartTVs,IPcameras,printers,mediaserversandrouters,andmostoperatingsystemsUPnPprovides• Incomingportmappingonhomerouters• Identificationofnetworkprinters• ManagementofmediaservicesAlsousedinmany“smarthome”controltechnologies:programmablethermostats,wirelesssecuritysystems,homehubsandInternetassistants


How UPnP uses SSDP to discover services


What is open SSDP?

“OpenSSDP”referstoadevicethatisrunningSSDPandrespondstoUPnPdiscoveryrequestsfromtheInternet


Risks posed by open SSDP

DevicesrunningopenSSDPcanbeusedinreflectionattacks,atypeoftrafficamplificationattack• Denialofservice(DoS)– attackertriesmakeavictim’s

machineornetworkunavailabletoitsintendedusers• Amplification– whentheattackersendsasmallpacket

toaserverthatwillgeneratealargereplyInamplificationdistributeddenialofservice(DDoS)attacks,attackerssimultaneousabusemultipleamplifierssuchasSSDPservers• Createshighly-distributedDoS attackconductedfroma

singlecommandandcontrolhost


Open SSDP in reflection attacks

Attackertriestoexhaustthevictim'sbandwidthbyabusingthefactthatserversusingprotocolssuchasSSDPallowspoofingofsenderIPaddressesReflectionattacksoftenexploitUserDatagramProtocol(UDP)traffic• UDPrespondstorequests

withoutvalidationofsenderidentity,i.e.IPaddress

• UDPtrafficcanbespoofed(i.e.haveamisleadingapparentsourceIPaddress):attackercanhidetrueidentity


SSDP reflection amplification attack

ADDoSthatreliesonpublicallyaccessibleopenSSDPserverstooverwhelmavictimsystemwithSSDPresponsetraffic• Canresultintheinitialtrafficfromtheattackerbeing

amplifiedbyafactorof30[1]

Onlyscalableandeffectivemitigationistoreducenumberofserversthatcanbeusedbyattackers• Asof08/30/16,Shadowserverreported7,864,584

uniqueIPswithopenSSDP;seehttps://ssdpscan.shadowserver.org/stats/


[1]http://www.us-cert.gov/ncas/alerts/TA14-017A


Real life attack using open SSDP

September2014reportofattackusingopenSSDP[2]

• Documentedtrafficatarateof476Megabits/second(Mb/s)

• Trafficoriginatedfrom111,000differentIPsourcesThesecondhalfof2014sawadramaticriseinthenumberofattacksusingopenSSDP[3]

Mostsignificantimpactisdownstreamimpactstootherswhoaretargetedvictimsofsuchattacks

[2]https://blog.sucuri.net/2014/09/quick-analysis-of-a-ddos-attack-using-ssdp.html[3]https://www.arbornetworks.com/arbor-networks-atlas-data-shows-reflection-ddos-attacks-continue-to-be-significant-in-q3-2014


Potential impacts from SSDP attacks

Productivity• Serviceinterruptionorfailureofbusinessoperations

relyingonnetworkconnectivity,particularlyforseasonaloperations- e.g.onlineretailerswhereamajorityofsaleshappenbetweenThanksgivingandNewYears

• Timesensitiveoperations,e.g.collegeswithlimitedonlineregistrationperiodsoronlinewageringonupcomingsportingevents,etc.


Other potential SSDP attack impacts

Brand• Lossofreputationwithcustomersandpartners• Becomingknownasa“DoSmagnet”inglobalcommunityTechnical• Networkserviceinterrupted• Isolationofvictimnetworkbynetworkprovidersfrom

therestofInternettomitigatecollateraldamagetoothercustomers

Financial• Lossofbusinessresultingfromserviceinterruption• CostofspecializedDDoSmitigationservices


Indirect impacts from Open SSDP attacks

YoumaybeimpactedifavictimorganizationsharesyourupstreamconnectivityOpenSSDPdevicesonyournetworkmaybeusedtocontributetoanattackonanotherorganizationPotentialindirectimpactsinclude:Technical• Networkservicedegraded• Inboundoroutboundbandwidthmaybereduced• Networkprovidersmayisolateyournetwork(orat

leastyourinsecurerecursiveresolver)fromtherestofInternet


Other indirect impacts

Brand• Lossofreputationwithcustomersandpartnersduetoslow

orunreliablenetworkandsystemsFinancial• Unexpectednetworkusagecosts• Lossofbusinessresultingfromservicedegradation

Mitigate risks from open SSDP



Mitigation options vary by environment

NotallmitigationbestpracticesareappropriateforallenvironmentsCyberGreenprovidesinformationrelevanttofourbasicenvironmentalprofilesLookfortheseiconstofindmitigationsforyourenvironment

1.

2.

3.

4.


Mitigate risks from open SSDP

ThebestwaytomitigaterisksfromopenSSDPmovingforwardistonotpurchaseordeploydeviceswithUPnPenabledonoutsideinterfacesWorkwithyourinternalacquisitionandprocurementteams,orvendorsaboutotheroptions


Identify your open SSDP risk

Evenifyoudon’tthinkyourdevicescurrentlyrunSSDPacrosstheInternet,youshouldcheckyournetwork• ManydevicesmayberunningSSDPwithoutyour

knowledge• AdditionalvulnerabilitiesinUPnPdiscoveredthat

couldposeadditional,directrisktoorganizationshthatallowSSDPfromtheInternet

o Mitigationstrategiesshouldincludeaddressingknownvulnerabilities


Find hosts running SSDP

Inashellwindow,starttcpdump:tcpdump –n host [IP]

Inasecondshellwindow,enter:perl -e 'print "M-SEARCH * HTTP/1.1\r\nHost:239.255.255.250:1900\r\nST:upnp:rootdevice\r\nMan:\"ssdp:discover\"\r\nMX:3\r\n\r\n"' > /dev/udp/[IP]/1900

IfyourdevicehasSSDPenabled,youshouldseealotoftrafficinthefirstshellwindow(runningtcpdump)


Mitigation: Block SSDP at network edge

SSDPgenerallynotneededacrosstheInternetOrganizationsshoulddeployfirewallrulesthatblockinboundport1900/udp• IfyouneedSSDPorUPnP,restrictaccesstoonlyallow

trustedhostsonthatport• IfyourunapplicationsacrosstheInternetthatdepend

onUPnPandyoublocktheservice,someapplicationsmaycontinuetoworkwithlesserperformanceo E.g.MicrosoftLiveMessengerusesUPnPforfiletransfers;

ifUPnPisnotavailable,itwilluseaproxyserverfromMicrosoftthatmaybemorecongested


Mitigation: Block SSDP

UseAccessControlLists(ACLs)torestrictSSPDatborderrouters

PleaserefertoyourspecificvendordocumentationforinstructionsonhowtoimplementthesechangesBlockingSSDPfromInternetordisablingonlyonInternetwillpreservelocalnetworkfunctionality


Mitigation: Disable UPnP

IfblockingorupgradingUPnPisnotanoption,disableUPnP,particularlyonInternet-accessibledevices

UnPlug n’PrayutilityfromGibsonResearchCompanyhelpsconsumersshutdownanddisableUPnPontheirWindowsdevices- availableforfreeathttps://www.grc.com/unpnp/unpnp.htm


Mitigation: Update UPnP devices

VulnerabilitiesinUPnPposeadditionalrisk• TwomostcommonlyusedUPnPsoftwarelibrariescontain

vulnerabilities [4]thatareremotelyexploitablethroughasingleUDPpacket,whichcanbeforged

• Somevulnerabilitieswouldallowremote,unauthenticatedattackerstoscaninternalhostsorproxyInternettrafficthroughthedevice

Contactyourvendortofindoutifafirmwareupdateisavailable• http://www.kb.cert.org/vuls/id/357851• https://web.nvd.nist.gov/view/vuln/search-results?query=ssdp• https://web.nvd.nist.gov/view/vuln/search-results?query=udp[4]https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-

play


Spoofed Traffic Mitigation: Implement ingress filtering on networks

InternetEngineeringTaskForce(IETF)BestCurrentPractice(BCP)documents• Detailconfigurationchangestosubstantially

reducepotentialforsourceIPspoofedattacksofallkinds(themostpopulartypesofDDoSattacks)o Howtofilternetworktrafficon

networktoverifythesourceaddressofapacket

o Rejectpacketswithsourceaddressesthatarenotreachableviatheactualpacket’spath


IETF BCPs recommended

AllnetworkoperatorsshouldperformnetworkingressfilteringasdescribedintheseBCPs:BCP-38NetworkIngressFiltering• DefeatingDenialofServiceAttackswhichemploy

IPSourceAddressSpoofing:https://tools.ietf.org/html/bcp38

BCP-84IngressFilteringforMultihomed Networks• https://tools.ietf.org/html/bcp84


More info on IETF BCPs

TestwhetheryournetworkcurrentlyfollowsBCP-38usingtoolsfromtheSpoofer Project:https://www.caida.org/projects/spoofer/

AdditionaldetailsabouthowtoimplementBCP-38:http://www.bcp38.info/index.php/Main_Page


Additional mitigations for ISPs

ISPsshouldensurethattheyhaveaDDoSdefensethatismulti-layered,anddesignedtodealwith:

• Attacksthatcansaturatetheirconnectivity• “Lowandslow”sophisticatedapplicationlayer

attacksConsiderratelimitedUDPfragments• Note:BlockingUDPfragmentsnegativelyaffectssession

initiationprotocol(SIP),theprotocolforVoiceoverIP(VoIP),andothertextandmultimediasessionslikeinstantmessaging,video,onlinegamesandotherservices


Verify your fix

Re-runthecommand:tcpdump –n host [IP]

EnsureopenSSDPisnotenabledagaininthefutureandmonitoryourinfrastructurebysubscribingtofreereportsfromShadowserver:

https://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork


Additional SSDP resources

https://www.akamai.com/uk/en/multimedia/documents/state-of-the-Internet/ssdp-reflection-ddos-attacks-threat-advisory.pdfhttp://www.us-cert.gov/ncas/alerts/TA14-017Ahttp://www.kb.cert.org/vuls/id/922681http://www.upnp-hacks.org/faq.htmlhttp://community.rapid7.com/docs/DOC-2150https://threatpost.com/50-million-potentially-vulnerable-upnp-flaws-012913/77465/http://www.darkreading.com/attacks-breaches/report-iot-connected-devices-leading-to-rise-in-ssdp-based-reflection-attacks-/d/d-id/1320149http://www.christian-rossow.de/articles/Amplification_DDoS.php

Making the case for implementing mitigations such as BCP 38



Making the case for mitigations

IHelpeveryoneunderstandthelevelofeffortneededtoimprovecyberhealthintheircommunityWhyimplementthemitigationsinyourenvironment?1. ItistherightthingtodoasagoodInternet

neighbor2. Yourorganizationmaybenexttobe

attackedLet’sjointogetherandstopbadguysfromwinning!


Changing risk landscape

Increasedneedtodemonstrate“duecare”o Obtainingcyberinsuranceo Complyingwithriskframeworkstowinbusinesswith

local/nationalgovernmentsandlargecorporations

Ifwe(you!)don’tdoabetterjobofsecuringourowninfrastructureandreducingcyberrisk,governmentregulationmayforceadditionalmandatesand/orpenalties


Anticipated organizational benefits

Increasedproductivity• Fewerserviceinterruptionsandfailures

Improvednetworkperformance• Existingnetworkmore

reliableandresilient,withgreatercapacity

Improvedbrandreputation• Technicalreliabilityand

securityasellingpointtocustomers


More anticipated benefits

• Decreasedbudgetuncertaintyo FewerunanticipatedusagecostsforITo Budgetcanbeusedasplanned,e.g.- upgrading

technicalcapability/capacity,additionalpersonnel,etc.

• Systemadminsmayspendlesstimespenttryingtodealwithunexpectedproblems,whichinturnmayimprovetheirproductivityandreduceunexpectedovertime


What do you need to implement these mitigations?

Commandsandconfigurationdetailsformostimportantmitigationsarepublicallyavailable• Noadditionalsoftwaremustbepurchased• Implementingthesemitigationsdoesnotrequireany

specialknowledge,skills,orabilitiesNote:AllmitigationsshouldbecarefullyreviewedinlightofyourspecificbusinessrequirementsandinfrastructureenvironmentbeforeproceedingAllorganizationalchangemanagementprocesses,includingtesting,shouldbefollowed


How long will mitigations take?

ManuallydisablingSSDPtakesafewminutesperdevice

Systemadministratorsinsmallerorganizationsneedan1-2hoursperperimeterdevicetoinvestigate,implementandverifythebasicmitigationofusingfirewallorACLstoblockaccesstoSSDP

ISPsandlargeentitiescanautomateadministrationchangeswithconfigurationmanagement(Salt,Ansible)


Smallbusinesses:fromafewminutestolessthananhour

Largerandmorecomplexorganizations:daystoweeks

Bonus:withnorealmaintenance,therecurringcostiseffectivelyzero!

How long to implement BCP-38 network ingress filtering?

Acknowledgement CyberGreenwouldliketothanktheexpertswhomadethecreationofthisdocumentpossible:

Writtenby:- LaurinBuchanan,Applied Visions, Inc.– SecureDecisions Division

Contributed andReviewedby:- MattCarothers,CoxCommunications- Baiba Kaskina,CERT.LV- MotoKawasaki,JPCERT/CC- ArtManion,CERT/CC- Yoshinobu Matsuzaki, IIJ- JoeStSauver,Farsight Security- DavidWatson,ShadowServer Foundation

Disclaimer:CyberGreenbelievesthisguidanceandtheadvicefromourexpertsshouldbeofbenefittoanyonemitigatingariskconditions,butitisnotadvicespecifictoanyreaderornetwork.Ultimately,eachreaderisresponsibleforimplementinghisorherownnetwork remediationstrategyandweassumenoresponsibilityorliabilitytherefore.


Formoreinformationaboutriskmitigationbestpractices

pleasecontact:[email protected]


risk mitigation for open ssdp - cybergreen openssdp... · risk mitigation for open ssdp ... •...

Documents