Internet Accessible SSDP Service

Description

Universal Plug and Play (UPnP) is a technology pioneered and developed by the Microsoft Corporation. UPnP was developed with the ability to reconfigure the operating system in response to the detection of new peripheral hardware made available over a communications network. UPnP's primary objective is to enable devices to connect and exchange data so that each device can use the services the others offer. UPnP includes a specification called the Simple Service Discovery Protocol (SSDP) that allows devices to dynamically discover the services offered by each other. SSDP uses the text-based Hypertext Transfer Protocol (HTTP) over the User Datagram Protocol (UDP) for both multicast and unicast transmissions.

SSDP listens on port 1900/UDP and port 5000/TCP.

Windows XP Service Pack 2 relies on port 2869/TCP for SSDP event notification.

The Plex Media Server is a personal media library and streaming solution that stores and transmits content from a central location to other media devices on which Plex client software has been installed. The system supports various media file types such as MP4, MKV, MOV and DIVX for movies, MP3, M4A, FLAC and WMA for music, and JPG, PNG, RAW and TBN for photos. The system can be installed on Windows, Linux and Mac computers and is compatible with other media streaming systems, such as NVIDIA SHIELD and the Netgear Nighthawk X10 router, together with Network Attached Storage (NAS) devices such as Drobo, Netgear and Synology. On start-up, the system initiates a local scan, via SSDP, for other compatible devices. If it discovers a local router that has SSDP support enabled, the Plex Media Server adds a Network Address Translation (NAT) forwarding rule to the router, exposing the Plex Media Server's UPnP-enabled service registration responder to the internet.

PMSSDP listens on port 32414/UDP and port 32410/UDP.

Problem

An Internet Accessible SSDP Service can be abused for a Distributed Denial of Service (DDoS) Reflection/Amplification attack against third parties.

SSDP has a minimum Bandwidth Amplification Factor (BAF) of 2.3:1. The maximum BAF depends on the size of the response a root device returns to an SSDP M-SEARCH request; the largest SSDP BAF recorded is 30.8:1.

To differentiate the Plex Media Server attack vector from the generic SSDP (DDoS) Reflection/Amplification attack vector, it has been designated as the Plex Media SSDP (PMSSDP) (DDoS) Reflection/Amplification attack. PMSSDP DDoS attack traffic consists of SSDP HTTPU (HTTP/UDP) packets sourced from port 32414/UDP.

PMSSDP has a Bandwidth Amplification Factor (BAF) of 4.68:1.
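A reflector does not look like a victim from the inside: it sees many small inbound UDP datagrams and sends many larger responses from an SSDP source port towards an address it never heard from before. The following detector, added here as an example and not part of the original advisory, reads a constructed UDP flow log and flags local hosts that answer from the SSDP (1900/UDP) or PMSSDP (32414/UDP, 32410/UDP) ports towards external destinations with an observed amplification at or above the 2.3:1 floor quoted above. The log format, the local prefix and the sample lines are all assumptions made for the example.

```python
"""Flag SSDP / PMSSDP reflection in UDP flow records (added example)."""
import ipaddress
from collections import defaultdict

# Source ports the advisory associates with SSDP (1900) and PMSSDP (32414, 32410).
SSDP_PORTS = {1900, 32414, 32410}
# Constructed: the public prefix of the network being monitored (TEST-NET-3).
LOCAL_NETWORK = ipaddress.ip_network("203.0.113.0/24")

# Constructed flow log, one flow per line: "proto src:sport dst:dport packets bytes".
# .10 and .11 answer an external host (a reflection victim); .12 only talks to a
# LAN control point; the last line is ordinary DNS traffic and must be ignored.
SAMPLE_FLOWS = """\
udp 203.0.113.10:1900 198.51.100.5:41122 250 57500
udp 198.51.100.5:41122 203.0.113.10:1900 250 25000
udp 203.0.113.11:32414 198.51.100.5:41122 400 46800
udp 198.51.100.5:41122 203.0.113.11:32414 400 10000
udp 203.0.113.12:1900 203.0.113.40:53112 3 900
udp 203.0.113.40:53112 203.0.113.12:1900 3 420
udp 203.0.113.10:53 198.51.100.9:2211 5 600
"""


def parse_flows(text):
    """Yield one dict per well-formed flow line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        proto, src, dst, pkts, nbytes = parts
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        yield {
            "proto": proto,
            "sip": ipaddress.ip_address(sip), "sport": int(sport),
            "dip": ipaddress.ip_address(dip), "dport": int(dport),
            "pkts": int(pkts), "bytes": int(nbytes),
        }


def find_reflectors(text, local=LOCAL_NETWORK, min_baf=2.0, min_packets=100):
    """Return {local_host: {"victims", "baf", "out_bytes"}} for local hosts that
    send at least min_packets datagrams from an SSDP port to external addresses
    and return at least min_baf bytes for every byte of inbound SSDP traffic."""
    stats = defaultdict(lambda: {"in_bytes": 0, "out_bytes": 0, "out_pkts": 0, "victims": set()})
    for f in parse_flows(text):
        if f["proto"] != "udp":
            continue
        if f["sip"] in local and f["sport"] in SSDP_PORTS and f["dip"] not in local:
            s = stats[str(f["sip"])]            # outbound: responses leaving our network
            s["out_bytes"] += f["bytes"]
            s["out_pkts"] += f["pkts"]
            s["victims"].add(str(f["dip"]))
        elif f["dip"] in local and f["dport"] in SSDP_PORTS and f["sip"] not in local:
            stats[str(f["dip"])]["in_bytes"] += f["bytes"]   # inbound: the search requests
    alerts = {}
    for host, s in stats.items():
        # Without any inbound bytes the amplification ratio is undefined, so the
        # host is left out here; a production rule would still want to see it.
        if s["out_pkts"] < min_packets or s["in_bytes"] == 0:
            continue
        baf = s["out_bytes"] / s["in_bytes"]
        if baf >= min_baf:
            alerts[host] = {"victims": sorted(s["victims"]), "baf": round(baf, 2),
                            "out_bytes": s["out_bytes"]}
    return alerts


if __name__ == "__main__":
    for host, a in find_reflectors(SAMPLE_FLOWS).items():
        print(f"{host}: BAF {a['baf']}:1, {a['out_bytes']} bytes sent to {', '.join(a['victims'])}")
```

The thresholds are deliberately conservative: a single LAN control point polling a root device produces a handful of packets, while a reflection run produces hundreds per second, so the packet floor alone removes most benign traffic before the ratio is even computed.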

The Simple Service Discovery Protocol (SSDP)

A brief introduction to UPnP and SSDP.

Universal Plug and Play (UPnP)

UPnP defines an architecture for pervasive peer-to-peer network connectivity of intelligent appliances, wireless devices and computers. In UPnP, a device can dynamically join a network, obtain an IP address, convey its capabilities upon request, and learn about the presence and capabilities of other devices. Finally, a device can leave a network smoothly and automatically without leaving any unwanted state behind. UPnP leverages TCP/IP and web technologies, including IP, TCP, UDP, HTTP and XML, to enable seamless proximity networking in addition to control and data transfer among devices in a network. Of particular concern are UPnP-enabled applications that are able to control other UPnP-enabled devices, such as firewalls or routers, automatically and without authentication. A number of applications depend on UPnP to automatically open ports on routers or to automatically set parameters on compatible devices. UPnP uses SSDP to announce and find devices.

Control points and root devices

In the UPnP architecture, two general classifications of devices are defined: control points, which use SSDP services, and root devices, which offer one or more SSDP services. When a control point is searching for a service on a network, it sends out a multicast search request to the reserved Class D IPv4 address 239.255.255.250:1900, asking root devices to announce themselves. Any root device that receives the multicast search request is required to respond with a unicast response to the source IP address and port that sent the request to the multicast address. Control points can also send a unicast message to a known IP address listening on port 1900/UDP to verify the existence of a UPnP device and service at that IP address. After a control point has discovered a device and retrieved a description of the device and its services, the control point will poll for service state variables and receive events from services. Events are notifications of one or more changes in state variables exposed by a service.

Multicast and Unicast Communication

Multicast is group communication in which a data transmission is addressed to a group of destination nodes in a network simultaneously. The Internet Assigned Numbers Authority (IANA) has reserved the Class D IPv4 address 239.255.255.250 and port 1900/UDP for SSDP multicast data transmission. When a device is added to a network, the device advertises its services to control points in the network by sending a multicast discovery message to the Class D IPv4 address 239.255.255.250:1900. Control points listen on this IPv4 address and port to detect when new devices and services are available on the network. Multicast applications must use UDP, since TCP supports only unicast data transmission. For multicast data transmission, SSDP uses HTTP over UDP, referred to as HTTPMU (HTTP/Multicast/UDP). Unicast is a one-to-one transmission from one node in the network to another node. For unicast data transmission, SSDP uses HTTP over UDP, referred to as HTTPU (HTTP/UDP).

SSDP Message Categories

SSDP has two (2) message categories:

1. Advertisement.
2. Discovery.

a. SSDP Advertisement

SSDP is a network protocol, based on the Internet Protocol (IP) suite, used for the advertisement and discovery of embedded devices and network services. When a new device is added to a network, it first tries to obtain an IP address, either through the Dynamic Host Configuration Protocol (DHCP) or via AutoIP. Once the device has obtained an IP address, it advertises its presence to the network through an SSDP advertisement. These are multicast UDP packets sent via the reserved Class D IPv4 address 239.255.255.250:1900 to all nodes on the network. An existing root device on the network also sends an advertisement message when it wants to make other nodes aware of the status of each service it is offering to share.

b. SSDP Discovery

SSDP Discovery consists of two (2) message types.

1. Request Message.
2. Response Message.

b.1. Request Message

When a control point on a network requires a particular service, it transmits a request message with method M-SEARCH onto the network, specifying the service or services it requires.

b.2. Response Message

On receiving a request message with method M-SEARCH, a root device that has the service or services specified in the request message transmits a response message.

M-SEARCH - Method for search requests

Control points on a network regularly and actively search for devices. This is accomplished through a multicast search request with method M-SEARCH. The "M-" prefix indicates the request is a "mandatory" request. M-SEARCH messages may include additional header fields that allow for a more specific search by device type. Any device that fits the description replies via UDP. Control points that know the IP address of a specific device may send a unicast search request with method M-SEARCH.

Search request with method M-SEARCH - Note: MAN: "ssdp:discover" and ST: ssdp:all
M-SEARCH * HTTP/1.1
HOST: 239.255.255.250:1900
MAN: "ssdp:discover"
MX: 1 (seconds to delay response)
ST: ssdp:all
USER-AGENT: OS/version UPnP/1.1 product/version

The "M-" prefix indicates the request is a "mandatory" request within the HTTP Extension Framework.
The field value of the MAN header defines the scope of the extension. It must be "ssdp:discover".
The field value of ST (Search Target) is ssdp:all - Search for all devices and services.

An active UPnP root device will respond to a unicast search request delivered over the internet.

When an active UPnP root device responds to a multicast or unicast search request from a control point, SSDP uses text-based HTTP over UDP (HTTPU).

Response from an active UPnP root device to a search request.
HTTP/1.1 200 OK
CACHE-CONTROL: max-age=60 (seconds until advertisement expires)
EXT:
LOCATION: http://xxx.xxx.xxx.xxx:5200/Printer.xml
SERVER: Network Printer Server UPnP/1.0 OS 1.29.00.44 07-29-2020
ST: upnp:rootdevice
USN: uuid:Samsung-Printer-1_0-xxxxxxxxxxx::upnp:rootdevice

There are two (2) "generic" ST (Search Target) query types:

ST: (Search Target)
ssdp:all: search for all UPnP devices and services
upnp:rootdevice: search for root devices only
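The request and response above are plain HTTP/1.1 framing carried in a single UDP datagram, which is why they can be parsed with a few lines of string handling. The following parser is an added example and not code from the advisory or from any UPnP stack: it splits an HTTPU datagram into its start line and headers, checks the MAN, HOST and ST rules stated above, classifies the ST value against the two generic query types, and computes the Bandwidth Amplification Factor of a request/response pair as bytes returned per byte received. The sample messages are constructed from the formats shown in the text, with placeholder addresses and UUID.

```python
"""Parse, validate and size SSDP HTTPU messages (added example)."""
from dataclasses import dataclass, field

SSDP_MULTICAST_HOST = "239.255.255.250:1900"
GENERIC_SEARCH_TARGETS = {
    "ssdp:all": "all UPnP devices and services",
    "upnp:rootdevice": "root devices only",
}

# Constructed sample M-SEARCH request; CRLF line endings and a blank terminator line.
SAMPLE_MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 1\r\n"
    "ST: ssdp:all\r\n"
    "USER-AGENT: OS/version UPnP/1.1 product/version\r\n"
    "\r\n"
).encode()

# Constructed sample root-device response (TEST-NET-1 address, all-zero UUID).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=60\r\n"
    "EXT:\r\n"
    "LOCATION: http://192.0.2.10:5200/Printer.xml\r\n"
    "SERVER: Network Printer Server UPnP/1.0 OS 1.29.00.44 07-29-2020\r\n"
    "ST: upnp:rootdevice\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    "\r\n"
).encode()


@dataclass
class SsdpMessage:
    start_line: str
    headers: dict = field(default_factory=dict)   # names upper-cased, values as sent

    @property
    def is_msearch(self) -> bool:
        return self.start_line.startswith("M-SEARCH ")

    @property
    def is_response(self) -> bool:
        return self.start_line.startswith("HTTP/1.1 200")


def parse_ssdp(raw: bytes) -> SsdpMessage:
    """Split one HTTPU datagram into its start line and a header map.

    Header names are case-insensitive in HTTP, so they are normalised to upper
    case; a header with an empty value (EXT:) is kept with value "".
    """
    head, _, _body = raw.decode("utf-8", errors="replace").partition("\r\n\r\n")
    lines = head.split("\r\n")
    msg = SsdpMessage(start_line=lines[0].strip())
    for line in lines[1:]:
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        msg.headers[name.strip().upper()] = value.strip()
    return msg


def validate_msearch(msg: SsdpMessage) -> list:
    """Return the reasons a message is not a well-formed M-SEARCH; [] means OK.

    Rules taken from the text: MAN must be exactly "ssdp:discover", HOST must be
    present (the multicast address and port for a multicast search), and ST must
    name a search target. MX only matters for multicast searches, so it is not
    required here.
    """
    problems = []
    if not msg.is_msearch:
        problems.append("start line is not an M-SEARCH request")
    if msg.headers.get("MAN") != '"ssdp:discover"':
        problems.append('MAN header must be "ssdp:discover"')
    if "HOST" not in msg.headers:
        problems.append("HOST header missing")
    if "ST" not in msg.headers:
        problems.append("ST (search target) header missing")
    return problems


def describe_search_target(st: str) -> str:
    """Map an ST value to one of the two generic query types, or label it specific."""
    return GENERIC_SEARCH_TARGETS.get(st, f"specific search target: {st}")


def amplification_factor(request: bytes, response: bytes) -> float:
    """Bandwidth Amplification Factor: response bytes per request byte."""
    if not request:
        raise ValueError("empty request")
    return len(response) / len(request)


if __name__ == "__main__":
    req, resp = parse_ssdp(SAMPLE_MSEARCH), parse_ssdp(SAMPLE_RESPONSE)
    print("request problems:", validate_msearch(req) or "none")
    print("search target:", describe_search_target(req.headers["ST"]))
    print("response ST:", resp.headers["ST"], "| USN:", resp.headers["USN"])
    print(f"BAF for this exchange: {amplification_factor(SAMPLE_MSEARCH, SAMPLE_RESPONSE):.2f}:1")
```

The BAF of this one exchange is above 1 only because of the descriptive SERVER, LOCATION and USN headers; a device that is asked for ssdp:all returns one such response per service it offers, which is how the larger figures quoted in the Problem section arise.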

SSDP does not check or verify that the control point that sent the multicast or unicast search request with method M-SEARCH is in the same network as the active UPnP root device.

IP packets with multicast addresses (Class D IPv4 addresses) as source or destination are not routed across the internet; IP packets with unicast addresses are.

Because a unicast search request is routable, an active UPnP root device will answer one that arrives from the internet. If inbound port 1900/UDP is not blocked on the network perimeter firewall, every active UPnP root device in the network will respond to unicast search requests with method M-SEARCH from any source.
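The check that SSDP itself never makes is the one a root device (or a media server such as the one discussed under PMSSDP) should make before answering: is the requester actually on one of my local networks? The following function is an added example, not code from the advisory or from any UPnP implementation, and the interface list and sample datagrams are constructed for it. It refuses to answer a search whose source address lies outside the device's own networks, which is the property a locally scoped responder needs in order not to become a reflector.

```python
"""Root-device side source check before answering an M-SEARCH (added example)."""
import ipaddress

# Constructed: the networks this hypothetical root device has interfaces on.
LOCAL_NETWORKS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
]
SSDP_MULTICAST = ipaddress.ip_address("239.255.255.250")


def should_answer(src_ip: str, dst_ip: str, local_networks=LOCAL_NETWORKS):
    """Return (answer, reason) for a search request received from src_ip.

    Policy:
      * the source must be a plausible unicast address inside one of our
        local networks; an internet source is either a stray probe or a
        spoofed reflection request, and answering it is what turns this
        device into an amplifier;
      * the destination must be the SSDP multicast group (multicast search)
        or one of our own networks (unicast search).
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if src.is_multicast or src.is_unspecified:
        return False, "impossible unicast source address"
    if not any(src in net for net in local_networks):
        return False, f"source {src} is not on a local network"
    if dst != SSDP_MULTICAST and not any(dst in net for net in local_networks):
        return False, f"destination {dst} is neither the SSDP group nor local"
    return True, "ok"


def filter_requests(datagrams):
    """Apply should_answer to (src, dst, payload) triples; return (src, answer, reason) decisions."""
    return [(src, *should_answer(src, dst)) for src, dst, _payload in datagrams]


# Constructed sample traffic: a multicast search from the LAN, a unicast search
# from a LAN control point, and a unicast search from an internet host
# (TEST-NET-2 address standing in for an external requester).
SAMPLE_DATAGRAMS = [
    ("192.168.1.20", "239.255.255.250", b"M-SEARCH * HTTP/1.1\r\n"),
    ("192.168.1.21", "192.168.1.1",     b"M-SEARCH * HTTP/1.1\r\n"),
    ("198.51.100.7", "192.168.1.1",     b"M-SEARCH * HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for src, answer, reason in filter_requests(SAMPLE_DATAGRAMS):
        print(f"{src:15} -> {'ANSWER' if answer else 'DROP':6} ({reason})")
```

This is the device-side complement of the perimeter rule in the Solution section: the firewall stops the request reaching the device, and the device declines to answer if one gets through anyway.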

SSDP Diffraction Attack

An SSDP diffraction attack is an attack that utilises SSDP traffic with ephemeral (random) source and destination ports rather than the fixed port 1900/UDP. In 2018, following an increase in SSDP diffraction attacks, it was discovered that this type of attack was caused by a vulnerability or bug in the Portable UPnP SDK (aka the libupnp library), an open source project that has its roots in the Linux SDK for UPnP Devices and in software from Intel (Intel Tools for UPnP Technologies, later Developer Tools for UPnP Technologies). The Portable UPnP SDK is deployed in broadband Internet access routers and other devices, including Customer Premises Equipment (CPE), to implement UPnP, and is used to play media files or connect to other devices within a network. The vulnerability or bug, first reported on 29 January 2013, was addressed in Portable UPnP SDK Version 1.6.18. An SSDP DDoS Reflection/Amplification attack whose traffic originates from port 1900/UDP is relatively easy to mitigate; an SSDP attack whose traffic originates from a random source port is considerably more difficult to mitigate, because there is no fixed port to filter on.

Customer Premises Equipment (CPE)

Customer Premises Equipment (CPE), also known as Customer Provided Equipment, is telecommunications equipment sold or leased by the carrier to the customer and installed at the customer's location or on their premises.

CPE performs two (2) core functions in the context of telecommunications.

1. Terminating the wide area network (WAN) connection from the access network (demarcation point).
2. Distributing the connection throughout the Customer's premises via a Local Area Network (LAN).

The demarcation point is the physical point where the access network ends and the home network begins.

CPE consists of Channel Service Unit/Data Service Units (CSU/DSU), routers, modems, adapters and terminals. A large number of CPE use the Portable UPnP SDK (aka libupnp library), while other CPE, such as broadband Internet access routers, may have port 1900/UDP enabled by default.

Verification

To establish whether a host has an Internet accessible service, simple utility programs included with a standard Linux/Ubuntu distribution can be used. The test should not be run on the host itself or from its local network; it should be run from a different node on the Internet.

Nmap - (Network Mapper) - (https://nmap.org)

To confirm an Internet accessible SSDP service, the 'Nmap' open source network scanner utility program can be utilised.

Nmap is used to discover hosts and services on a computer network by sending packets and analysing the responses.

Insert the IP address of the host you wish to check for an Internet accessible SSDP service when invoking the 'Nmap' open source network scanner utility program, together with the options shown in the following example.

$ sudo nmap -sV -sU -p 1900 --script=upnp-info xxx.xxx.xxx.xxx

An Internet accessible SSDP service listening on port 1900/UDP will return information similar to that shown below:

$ sudo nmap -sV -sU -p 1900 --script=upnp-info xxx.xxx.xxx.xxx
Starting Nmap 7.01 ( https://nmap.org ) at 2021-06-11 16:35 GMT
Nmap scan report for xxx.xxx.xxx.xxx
Host is up (0.0072s latency).

PORT     STATE SERVICE  VERSION
1900/udp open	upnp
| upnp-info:
| xxx.xxx.xxx.xxx
|	Server: Custom/1.0 UPnP/1.0 Proc/Ver
|	Location: http://192.168.1.254:5431/dyndev/uuid:ec43f555-fa75-74fa-45f6-43ec43ec434000

Service detection performed.  Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.47 seconds

Options
sudo		:Elevated privileges are required to access raw sockets.
-sV		:Probe open ports to determine service/version info.
-sU		:UDP scan.
-p		:Only scan the specified port.
--script=upnp-info	:Nmap script that attempts to extract system information from the UPnP service.

An Internet accessible Plex service listening on port 32414/UDP or port 32410/UDP will return information similar to that shown below:

$ sudo nmap -sV -sU -p 32414 --script=upnp-info xxx.xxx.xxx.xxx
Starting Nmap 7.01 ( https://nmap.org ) at 2021-06-11 12:26 IST
Nmap scan report for xxx.xxx.xxx.xxx
Host is up (0.0091s latency).

PORT      STATE SERVICE  VERSION
32414/udp open	 unknown

Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds

Solution

If the SSDP service is not required, disable it or uninstall it.

If the SSDP service is required, restrict access to trusted clients or specific IP addresses by blocking all other incoming connections to port 1900/UDP on the firewall.

Proprietary server management technology which provides out-of-band management facilities may have UPnP enabled by default. If the server is internet accessible, constituents are advised to consult with the vendor and to close port 1900/UDP or restrict access to it.

Many vendors ship devices with UPnP enabled by default. If a device is internet accessible, constituents are advised to consult with the vendor and to close port 1900/UDP or restrict access to it.

If a broadband internet access router (for home use) has UPnP enabled, it is recommended to close port 1900/UDP or restrict access to it.

For legacy CPE that is internet accessible, ensure the Portable UPnP SDK (aka libupnp library) version is 1.6.18 or the latest version available. See Additional Information (below) for a link to the latest version of libupnp.

For the Plex Media Server streaming solution service (PMSSDP), apply the latest hot-fix release patch from Plex. The hot-fix release patch restricts the Plex Media Server to responding to UDP requests from the local area network only, and not from the internet. See Additional Information (below) for a link to www.plex.tv.

If the Plex Media Server streaming solution service (PMSSDP) is required, restrict access to trusted clients or specific IP addresses by blocking all other incoming connections to port 32414/UDP and port 32410/UDP on the firewall.

Supplementary Information

Ingress & Egress Filtering

Ingress filtering is a simple and effective method of limiting the impact of DoS attacks: it denies traffic with a forged (spoofed) IP source address entry to the network and helps ensure that traffic is traceable to its correct network.
Egress filtering limits the impact of a compromised network in a Denial of Service (DoS) attack on the networks of other organisations, by preventing traffic with a forged (spoofed) source IP address from leaving the network.

The implementation of best practice in relation to ingress filtering limits the impact of a Denial of Service (DoS) attack on one's own network, while the implementation of best practice in relation to egress filtering limits the impact of a compromised network in a Denial of Service (DoS) attack on the networks of other organisations. Additional information on Ingress & Egress Filtering can be found at the following link - Ingress & Egress Filtering

UDP Based Denial-of-Service (DoS) Attack

The User Datagram Protocol (UDP), a generic carrier for several higher-level protocols, has a number of properties that make it susceptible to exploitation for DoS attacks against third parties. Additional information on the components and techniques deployed in a UDP based DoS attack can be found at the following link - UDP Based Denial-of-Service (DoS) Attack

Additional Information

IETF - Simple Service Discovery Protocol/1.0 Operating without an Arbiter
UPnP Forum - UPnP Device Architecture 1.1
UPnP Forum - UPnP Device Architecture 2.0
StormWall - SSDP (Simple Service Discovery Protocol)
Discovering What's Out There by William Boles.
UPnP With a Holiday Cheer
Imperva - New DDoS Attack Method Demands a Fresh Approach to Amplification Assault Mitigation
Stupidly Simple DDoS Protocol (SSDP) generates 100 Gbps DDoS - The Cloudflare Blog
A New Twist in SSDP Attacks - Report from Arbor Networks, NETSCOUT
APNIC - DDoS Defences in the Terabit Era: SSDP, Memcached
SSDP Reflection DDoS Attacks - Akamai
Radware SSDP DDoS Attack Mitigation
Portable UPnP SDK - Files - Download Latest Version of libupnp
Plex TV