Packet Design’s use by many of the world’s largest service providers and network operators gives us the opportunity to see how they operate. We get to witness the sort of issues they deal with during their everyday operations. We thought we would share some of these stories periodically through our Life in the Control Plane blog series. After all, life in the control plane is never dull!
What are DDoS Attacks?
A Distributed Denial of Service attack is an attack whose intention is to make a service unavailable by flooding it continuously with communication requests from numerous distributed devices, often spread across the world. From the first attack in 1996, which sent around 150 connection requests, to the recent one that sent 1Tbps of traffic, DDoS attacks have become a major problem in the modern-day Internet.
Reflection and Amplification is one class of DDoS attack and is most commonly carried out through the DNS system. In a reflection attack, the target’s IP address is spoofed as the source of a request sent to a third-party service. The third-party service then responds to the target (based on the spoofed IP address), leading to a traffic pile-up on the target. Reflector attacks are even more dangerous when amplified: when the response to the spoofed request is much larger than the original packet, it is referred to as an Amplified attack.
Attackers using DDoS are constantly looking for new ways to evolve their attacks. Currently, a popular form of Reflection and Amplification attack uses the Simple Service Discovery Protocol. SSDP is the basis of the Universal Plug and Play (UPnP) protocols used in home and small office devices and uses UDP port 1900. Currently there are about ten million publicly-reachable SSDP devices that can be exploited for DDoS attacks. These devices are typically updated infrequently and lack enterprise-class protection, leaving them more accessible for use in amplification attacks.
Detecting SSDP DDoS Attacks
Packet Design’s Explorer products monitor, analyze, and simulate traffic volumes and paths in an IP network. This is done by combining routing analytics (Route Explorer) with flow data exported from routers (Traffic Explorer) – something we refer to as Route-Flow Fusion – to calculate and display the source, destination, and path across the network for traffic flows. By defining a group specifically for SSDP traffic, network admins can view and analyze the behavior of SSDP traffic in real time or over a past time period. They can view the attack traffic on a network map from source to destination, determine the volumetric size of the attack, and immediately understand its impact on network links.
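As an added illustration of the SSDP reflection mechanism described above and of the detection idea behind grouping SSDP traffic, here is a Python sketch (example code written for this post, not Packet Design's software) that runs a reflection heuristic over constructed NetFlow-like records: it flags destinations that receive UDP/1900 responses from many distinct hosts without ever having sent an SSDP request themselves. Field names, thresholds and the sample addresses are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

SSDP_PORT = 1900  # UDP port used by SSDP, as stated in the post
UDP = 17          # IP protocol number for UDP


@dataclass(frozen=True)
class Flow:
    """One exported flow record (constructed, NetFlow-like; field names assumed)."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    octets: int


def detect_ssdp_reflection(flows, min_sources=3, min_mbytes=1.0):
    """Return {target: {"sources", "mbytes", "avg_pkt"}} for destinations that
    receive SSDP *responses* (UDP source port 1900) from >= min_sources distinct
    hosts, totalling >= min_mbytes, while sending no SSDP requests themselves."""
    inbound = defaultdict(lambda: {"srcs": set(), "pkts": 0, "octets": 0})
    requests_sent = defaultdict(int)
    for f in flows:
        if f.proto != UDP:
            continue
        if f.sport == SSDP_PORT:            # response traffic coming from a reflector
            s = inbound[f.dst]
            s["srcs"].add(f.src)
            s["pkts"] += f.packets
            s["octets"] += f.octets
        elif f.dport == SSDP_PORT:          # a host genuinely querying SSDP
            requests_sent[f.src] += f.packets
    suspects = {}
    for target, s in inbound.items():
        mbytes = s["octets"] / 1e6
        # A legitimate client asks first; a reflection victim gets answers it never requested.
        unsolicited = requests_sent.get(target, 0) == 0
        if unsolicited and len(s["srcs"]) >= min_sources and mbytes >= min_mbytes:
            suspects[target] = {"sources": len(s["srcs"]), "mbytes": round(mbytes, 2),
                                "avg_pkt": s["octets"] // s["pkts"]}
    return suspects


VICTIM, CLIENT, DEVICE = "203.0.113.10", "198.51.100.7", "192.0.2.200"
SAMPLE_FLOWS = [  # constructed: five reflectors answering toward VICTIM at 350 bytes/packet
    Flow(f"192.0.2.{i}", VICTIM, UDP, SSDP_PORT, 40000 + i, 20000, 7_000_000) for i in range(1, 6)
] + [
    Flow(CLIENT, DEVICE, UDP, 51000, SSDP_PORT, 2, 300),    # legitimate M-SEARCH request
    Flow(DEVICE, CLIENT, UDP, SSDP_PORT, 51000, 3, 900),    # its solicited response
]
```

Running `detect_ssdp_reflection(SAMPLE_FLOWS)` flags only the victim, with five sources and 35 MB of response traffic; the client that actually issued a request is left alone.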
By providing this path visibility, the Explorer Suite complements traditional DDoS mitigation products. In addition, it provides interactive modeling that engineers and operations teams can use to simulate attacks from multiple ingress points to understand how they would impact links.
SSDP traffic spike over a one-week monitoring period
For a technical explanation of how the Explorer Suite can be used to detect, analyze, and help mitigate the risk from DDoS attacks, please see this Technical Brief on the Packet Design web site.