I'm implementing a device that ought to respond to SSDP M-SEARCH queries.
I'm a device vendor and I don't have control where these devices will be deployed.
There's a known DDoS attack that uses SSDP search amplification, that is attacker sends search requests from a fake address and poorly coded SSDP server responds to that fake address. Fake address ends up hammered.
What should I do to prevent my device from being used in such an attack?
- Only set TTL=2 and rely on routers to drop the packets
- Only respond to requests from own subnet
- Add configuration option for valid query origin subnets
- Guess what IP addresses are "local" and "global"
- Add a response throttle, hope for the best
- Your suggestions?
Wrt 1. TTL ought to configurable per SSDP spec; Even if it's quite low responses still leak out of local network. If there's a bridged VPN on the network, responses leak out quite far.
Wrt 2. I can imagine corporate networks where multiple subnets are reachable (e.g. one subnet for wireless clients, another for desktops, yet another for servers) and thus my device must be searchable across subnets (though subject to TTL per spec).
Wrt 3. Configuration and maintenance hassle.
Wrt 4. Is there a reliable way to do that? What about IPv6? What about networks that have e.g. /28 slice of global addresses?
Wrt 5. A trickle from a myriad devices still amounts to a torrent...
Ref: https://blog.sucuri.net/2014/09/quick-analysis-of-a-ddos-attack-using-ssdp.html
