CemaLi
I got a dedicated server from here; I only run torrents on this server, and today I received an e-mail like this.
Has anyone received an e-mail like this before?
What should I do in this situation?
We have received a security alert from the Federal Office for Information Security (BSI).
This is an information email only and does not require any further action on your part. It is your choice whether or not to investigate the complaint.
We do not expect any response.
Important information:
When replying to us, please leave the Abuse ID [AbuseID:1B1893:24] in the subject line unchanged.
Details of the attached text:
[CERT-Bund#2015020428001622]
Dear Sir or Madam,
the Simple Service Discovery Protocol (SSDP) is a network protocol
for advertisement and discovery of network services and presence
information. SSDP is the basis of the discovery protocol of
Universal Plug and Play (UPnP). SSDP usually uses port 1900/udp.
In the past months, systems responding to SSDP requests from the
Internet have been increasingly abused for participating in
DDoS reflection/amplification attacks.
The Shadowserver 'Open SSDP Scanning Project' identifies systems
responding to SSDP requests from the Internet which can be abused
for DDoS reflection/amplification attacks if no further
countermeasures have been implemented.
Shadowserver provides CERT-Bund with the test results for IP addresses
hosted in Germany for notifying the owners of the affected systems.
Further information on the tests run by Shadowserver is available
at [2].
Please find below a list of affected systems hosted on your network.
The timestamp (timezone UTC) indicates when the system was tested
and responded to SSDP requests from the Internet.
We would like to ask you to check this issue and take appropriate
steps to secure the SSDP services on the affected systems or
notify your customers accordingly.
If you have recently solved the issue but received this notification
again, please note the timestamp included below. You should not
receive any further notifications with timestamps after the issue
has been solved.
References:
[1] Wikipedia: Simple Service Discovery Protocol
<http://de.wikipedia.org/wiki/Simple_Service_Discovery_Protocol>
[2] Shadowserver: Open SSDP Scanning Project
<https://ssdpscan.shadowserver.org/>
[3] Arbor Networks: Increase in DDoS attacks using SSDP
<http://www.arbornetworks.com/news-and-events/press-releases/recent-press-releases/5283-arbor-networks-atlas-data-shows-reflection-ddos-attacks-continue-to-be-significant-in-q3-2014>
[4] Sucuri: Quick Analysis of a DDoS Attack Using SSDP
<http://blog.sucuri.net/2014/09/quick-analysis-of-a-ddos-attack-using-ssdp.html>
[5] US-CERT: UDP-based Amplification Attacks
<https://www.us-cert.gov/ncas/alerts/TA14-017A>
This message is digitally signed using PGP.
Details on the signature key used are available on our website at:
<https://www.cert-bund.de/reports-sig>
Please note:
This is an automatically generated message.
Replying to the sender address is not possible.
In case of questions, please contact <[email protected]>.
-----------------------------------------------------------------------
Affected systems on your network:
Format: ASN | IP address | Timestamp (UTC) | SSDP server
24940 | 5.9.85.61 | 2015-05-27 09:20:16 | UPnP/1.0 DLNADOC/1.50 Platinum/1.0.4.11
Kind regards
Team CERT-Bund
Bundesamt für Sicherheit in der Informationstechnik (BSI)
Federal Office for Information Security
Referat C21 - CERT-Bund
Godesberger Allee 185-189, D-53175 Bonn, Germany
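A self-check for the notification quoted above, as an added example that is not part of the original post or of the CERT-Bund mail: it reads one row of the "Affected systems" table and sends a single standard SSDP discovery request to your own server to see whether 1900/udp still answers. The function names are hypothetical, and the script assumes it is run from a machine outside the server's network against an address you operate.

```python
import socket

# Standard SSDP discovery request (UPnP Device Architecture 1.0).
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 1\r\n"
    "ST: ssdp:all\r\n\r\n"
).encode()


def parse_report_line(line):
    """Split one 'ASN | IP address | Timestamp (UTC) | SSDP server' row."""
    asn, ip, ts, server = [f.strip() for f in line.split("|", 3)]
    return {"asn": int(asn), "ip": ip, "timestamp": ts, "server": server}


def parse_server_header(datagram):
    """Return the SERVER header of an SSDP response, or None."""
    for raw in datagram.decode("latin-1").split("\r\n")[1:]:
        name, sep, value = raw.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def probe_ssdp(host, port=1900, timeout=3.0):
    """Send one unicast M-SEARCH to your own server and collect replies.

    Returns None if nothing answers before the timeout (port filtered or
    service stopped), else the SERVER header, the reply count and the
    number of bytes received per request byte."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(M_SEARCH, (host, port))
        try:
            while True:
                data, _ = s.recvfrom(65535)
                replies.append(data)
        except OSError:  # timeout or ICMP port unreachable ends collection
            pass
    if not replies:
        return None
    return {"server": parse_server_header(replies[0]),
            "replies": len(replies),
            "bytes_ratio": round(sum(map(len, replies)) / len(M_SEARCH), 2)}
```

A `None` result after blocking 1900/udp at the firewall or disabling UPnP/DLNA in the application is the state the notification asks for; a result whose `server` matches the string in the report means the service is still reachable.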