[nsp-sec] SSDP src port 1900 dst port 80 DDoS

Schiel, John John.Schiel at twtelecom.com
Wed Sep 24 20:56:57 EDT 2014


Hello,

I've been asked to post here to see if there are others here that are seeing the same source IPs for an SSDP UDP source port 1900 dest port 80 DDoS attack. Our web page was DDoSed earlier this afternoon and I have a list of ~9700 IPs from CN, JP, PA, US, etc. with avg packet sizes of ~300.

I'm attaching a text file of the different IPs. Can some of you take a look and let me know if you are seeing these kinds of attacks from the same sources? Note: file is a compressed notepad text file.

I took some pcaps of the attack as it is going on and right now I'm seeing traffic from JP. What is odd is that the UDP datagram has an RFC 1918 address in the "LOCATION:" portion of the segment and the URL for "LOCATION:" is all the same.

HTTP/1.1 200 OK
CACHE-CONTROL: max-age=1800
DATE: Thu, 25 Sep 2014 00:41:09 GMT
EXT:
LOCATION: http://192.168.24.1:49152/gatedesc.xml
Server: OS/0.0 UPnP/1.0 UPnP-Device-Host/1.0
ST: urn:schemas-upnp-org:device:WANConnectionDevice:1
USN: uuid:75802409-bccb-40e7-8e6c-fa095ecce13e::urn:schemas-upnp-org:device:WANConnectionDevice:1

Does any of this look familiar, and is there a known attack vector that anyone knows about?

Regards,

John A Schiel
Security Architect
Ofc. 720-387-3382
tw telecom inc.
10475 Park Meadows Drive
Littleton, Colorado 80124

-------------- next part --------------
A non-text attachment was scrubbed...
Name: source-ip-092414.zip
Type: application/x-zip-compressed
Size: 28795 bytes
Desc: source-ip-092414.zip
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20140925/3d1436c9/attachment-0001.bin>
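The following is an added triage example for this thread, not code from the original post or its attachment. It parses SSDP reply payloads of the kind quoted above (as a defender would pull them out of a pcap) and flags the two indicators the post describes: a reply sourced from UDP/1900 aimed at a well-known destination port such as 80, which no SSDP client would have solicited, and a LOCATION header pointing at an RFC 1918 address even though the packet arrived from a public source. The source IPs, USNs and the threshold "destination port below 1024" are constructed assumptions; the LOCATION URL is the one from the post.

```python
"""Triage helper for suspected SSDP (UDP/1900) reflection floods (added example)."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

SSDP_PORT = 1900
# RFC 1918 ranges checked explicitly (ipaddress.is_private also covers TEST-NET, which we do not want).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True if ip is an IPv4 literal inside one of the RFC 1918 blocks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Datagram:
    """Minimal view of one UDP datagram; all sample values below are constructed."""
    src_ip: str
    src_port: int
    dst_port: int
    payload: bytes


def parse_ssdp_headers(payload: bytes) -> Dict[str, str]:
    """Split an SSDP/HTTPU message into its start line plus upper-cased header fields."""
    lines = payload.decode("ascii", errors="replace").replace("\r\n", "\n").split("\n")
    headers = {"_start": lines[0].strip()}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def location_host(headers: Dict[str, str]) -> Optional[str]:
    """Extract the host from a LOCATION: http://host:port/path header (assumes an IPv4 literal)."""
    loc = headers.get("LOCATION")
    if not loc:
        return None
    hostport = loc.split("://", 1)[-1].split("/", 1)[0]
    return hostport.split(":", 1)[0]


def reflection_indicators(dg: Datagram) -> List[str]:
    """Return the reflection indicators one datagram exhibits (empty list = looks benign)."""
    found: List[str] = []
    # A legitimate SSDP reply goes from the device's port 1900 back to the ephemeral
    # port the client used for its M-SEARCH; a reply aimed at a well-known port
    # (assumed here: < 1024, e.g. 80) was never solicited by that port.
    if dg.src_port == SSDP_PORT and dg.dst_port < 1024:
        found.append("ssdp-reply-to-well-known-port")
    headers = parse_ssdp_headers(dg.payload)
    host = location_host(headers)
    # A private LOCATION is normal on a LAN but nonsensical when the reply crossed the
    # Internet from a public address: the device answered a spoofed M-SEARCH.
    if host and headers["_start"].startswith("HTTP/1.1 200"):
        if is_rfc1918(host) and not is_rfc1918(dg.src_ip):
            found.append("rfc1918-location-from-public-source")
    return found


def summarize(datagrams: List[Datagram]) -> Dict[str, object]:
    """Aggregate per-indicator counts, distinct reflector IPs and mean payload size."""
    flagged = [(dg, ind) for dg in datagrams for ind in [reflection_indicators(dg)] if ind]
    counts = Counter(i for _, ind in flagged for i in ind)
    sizes = [len(dg.payload) for dg, _ in flagged]
    return {
        "flagged": len(flagged),
        "reflectors": sorted({dg.src_ip for dg, _ in flagged}),
        "indicators": dict(counts),
        "avg_payload_bytes": (sum(sizes) / len(sizes)) if sizes else 0.0,
    }


def _reply(location: str, usn: str) -> bytes:
    """Build a constructed SSDP reply shaped like the one quoted in the post."""
    return (
        "HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nEXT:\r\n"
        f"LOCATION: {location}\r\nServer: OS/0.0 UPnP/1.0 UPnP-Device-Host/1.0\r\n"
        "ST: urn:schemas-upnp-org:device:WANConnectionDevice:1\r\n"
        f"USN: uuid:{usn}::urn:schemas-upnp-org:device:WANConnectionDevice:1\r\n\r\n"
    ).encode()


# Constructed sample traffic: TEST-NET addresses stand in for real reflector IPs.
SAMPLE = [
    Datagram("203.0.113.5", 1900, 80, _reply("http://192.168.24.1:49152/gatedesc.xml", "00000000-0000-4000-8000-000000000001")),
    Datagram("198.51.100.7", 1900, 80, _reply("http://192.168.24.1:49152/gatedesc.xml", "00000000-0000-4000-8000-000000000002")),
    # Benign: a LAN device answering a local client's M-SEARCH on that client's ephemeral port.
    Datagram("192.168.1.20", 1900, 54321, _reply("http://192.168.1.20:49152/desc.xml", "00000000-0000-4000-8000-000000000003")),
    # Benign: the local client's own M-SEARCH probe to the SSDP multicast group.
    Datagram("192.168.1.50", 4000, 1900,
             b'M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n'),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run against a real capture, the `reflectors` list is what you would compare with the attached IP list; the `indicators` counts tell you whether the flood is pure reflection (every packet carries both indicators) or mixed with other traffic. The RFC 1918 test is done against explicit networks rather than `ipaddress.is_private`, because the latter also treats the documentation and benchmark ranges as private.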