DDoS Attack Using SSDP

stevechege — Tue, 12 Mar 2019 04:59:48 GMT

For the last one month we have been hit by DDOS attacks that seem to be using SSDP (Port 1900 UPD). It’s just happed today and it lasted 15 mins…during which time our internet connection (Comcast Business line. 100/20 MB) came to a crawl. No one could access anything on the net.

How can I mitigate this attacks…. I have configured the ASA 5510 like this

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip audit name OUTSIDE_ATTACK attack action alarm drop

ip audit name OUTSIDE_INFO info action alarm

ip audit name INSIDE_ATTACK attack action alarm drop reset

ip audit name INSIDE_INFO info action alarm

ip audit interface outside OUTSIDE_INFO

ip audit interface outside OUTSIDE_ATTACK

ip audit interface inside INSIDE_INFO

ip audit interface inside INSIDE_ATTACK

ip audit signature 1002 disable

ip audit signature 2000 disable

ip audit signature 2001 disable

ip audit signature 2004 disable

ip audit signature 2005 disable

ip audit signature 6051 disable

ip audit signature 6053 disable

Any other tricks. More more information attacked

ATTACK Partial log.

Here is a sample of some logs I captured.

51: 11:08:44.495228 183.203.151.166.1900 > 50.XXX.XXX.XXX.80: udp 320

52: 11:08:44.495244 27.203.166.105.1900 > 50.XXX.XXX.XXX.80: udp 326

53: 11:08:44.498158 111.39.184.120.1900 > 50.XXX.XXX.XXX.80: udp 288

54: 11:08:44.501896 98.228.91.18.1900 > 50.XXX.XXX.XXX.80: udp 245

55: 11:08:44.501927 221.210.161.54.1900 > 50.XXX.XXX.XXX.80: udp 268

56: 11:08:44.502690 81.167.61.109.1900 > 50.XXX.XXX.XXX.80: udp 286

57: 11:08:44.503468 96.35.27.211.1900 > 50.XXX.XXX.XXX.80: udp 247

58: 11:08:44.503498 111.39.184.120.1900 > 50.XXX.XXX.XXX.80: udp 268

59: 11:08:44.503529 76.16.192.25.1900 > 50.XXX.XXX.XXX.80: udp 307

60: 11:08:44.504414 46.19.66.66.1900 > 50.XXX.XXX.XXX.80: udp 307

61: 11:08:44.504444 76.173.58.15.1900 > 50.XXX.XXX.XXX.80: udp 284

62: 11:08:44.505878 2.49.240.153.1900 > 50.XXX.XXX.XXX.80: udp 317

63: 11:08:44.505924 60.208.123.210.1900 > 50.XXX.XXX.XXX.80: udp 314

64: 11:08:44.506748 70.95.161.23.1900 > 50.XXX.XXX.XXX.80: udp 245

65: 11:08:44.507694 121.206.190.17.1900 > 50.XXX.XXX.XXX.80: udp 268

66: 11:08:44.507725 111.39.184.120.1900 > 50.XXX.XXX.XXX.80: udp 242

67: 11:08:44.507740 121.206.190.17.1900 > 50.XXX.XXX.XXX.80: udp 290

68: 11:08:44.507770 192.251.249.83.1900 > 50.XXX.XXX.XXX.80: udp 302

69: 11:08:44.508488 58.210.95.138.1900 > 50.XXX.XXX.XXX.80: udp 326

70: 11:08:44.508518 58.210.95.138.1900 > 50.XXX.XXX.XXX.80: udp 314

71: 11:08:44.509342 71.95.40.47.1900 > 50.XXX.XXX.XXX.80: udp 305

72: 11:08:44.509418 121.206.190.17.1900 > 50.XXX.XXX.XXX.80: udp 326

73: 11:08:44.509434 70.95.161.23.1900 > 50.XXX.XXX.XXX.80: udp 323

74: 11:08:44.509449 71.95.40.47.1900 > 50.XXX.XXX.XXX.80: udp 307

75: 11:08:44.509464 81.200.247.20.1900 > 50.XXX.XXX.XXX.80: udp 291

76: 11:08:44.510898 59.45.34.2.1900 > 50.XXX.XXX.XXX.80: udp 268

77: 11:08:44.510929 84.208.252.214.1900 > 50.XXX.XXX.XXX.80: udp 234

78: 11:08:44.510959 76.173.58.15.1900 > 50.XXX.XXX.XXX.80: udp 229

79: 11:08:44.510975 46.19.66.66.1900 > 50.XXX.XXX.XXX.80: udp 305

80: 11:08:44.511097 186.68.236.141.1900 > 50.XXX.XXX.XXX.80: udp 300

81: 11:08:44.511966 74.58.171.63.1900 > 50.XXX.XXX.XXX.80: udp 307

82: 11:08:44.511997 111.39.184.120.1900 > 50.XXX.XXX.XXX.80: udp 290

83: 11:08:44.512012 123.55.81.145.1900 > 50.XXX.XXX.XXX.80: udp 326

84: 11:08:44.512043 1.189.11.236.1900 > 50.XXX.XXX.XXX.80: udp 322

85: 11:08:44.512851 110.53.148.27.1900 > 50.XXX.XXX.XXX.80: udp 314

86: 11:08:44.512897 110.53.148.27.1900 > 50.XXX.XXX.XXX.80: udp 242

87: 11:08:44.512912 221.215.155.162.1900 > 50.XXX.XXX.XXX.80: udp 268

Hi,I think the most effective

Vibhor Amrodia — Tue, 28 Oct 2014 02:57:01 GMT

Hi,

I think the most effective way to prevent this attack would be to block this Destination UDP port on the ISP end itself if this is recurring.

Also , on the ASA device , we can set the per client max limit for this destination server , it should also help you on this issue.

As the destination IP's are different , SHUN might not be that effective.

For more information:-

http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/protect.html#wp1080691

Thanks and Regards,

Vibhor Amrodia

topic DDoS Attack Using SSDP in Network Security

DDoS Attack Using SSDP

Hi,I think the most effective