Attackers are mounting distributed Denial-of-service attacks from home routers, wireless access points, cable modems, Web cams and printers by taking advantage of weaknesses in the protocol they use to announce themselves on networks, according to PLXsert.
The attacks, observed in the wild since July, have generated peak traffic of 54.35Gbps and 17.85 million packets per second, according to a threat advisory from Prolexic, which is a part of Akamai.
About 4.1 million Internet-facing devices use the universal plug-and-play protocol called Simple Service Discovery Protocol and are configured in a way that makes them vulnerable, PLXsert says. Since many of the devices are consumer-owned, they are unlikely to be patched or reconfigured, making them a continuing problem.
In fact the company predicts attackers will develop new tools that make it easier to take advantage of the vulnerable protocols and create DDoS botnets. In addition, many vendors don’t have programs for dealing with patching and managing the devices.
Because these attacks come from so many different machines located in so many different locations it is difficult to mitigate them. The advisory recommends that users block traffic on port 1900 – the port used by these protocols – that is headed for targeted devices.
The advisory recommends several steps that owners of vulnerable devices can take:
- Block requests coming from the Internet to these devices if possible.
- If use of these protocols is not required, disable it.
- Patch and update devices that must be exposed to the Internet.
- Review this note from US-CERT about this type of vulnerability.
To generate DDoS attacks, attackers discover vulnerable devices and send them crafted Simple Object Access Protocol (SOAP) packets that results in them sending response packets to targeted victim machines. SOAP is used to deliver control messages to this class of devices.