A Wide Network Scanning for Discovery of UDP-Based Reflectors in the Nordic Countries.

Distributed Reflective Denial of Service (DRDoS) attacks exploit Internet facing devices with the purpose to involve them in DoS incidents. In turn, these devices unwittingly amplify and redirect the attack traffic towards the victim. As a result, this traffic causes the extortion of the target's network bandwidth and computation resources. The current work evaluates the amplification and reflective potentials of four UDP-based protocols, which are constantly reported as facilitators to DoS attacks. These are Simple Service Discovery Protocol (SSDP), Simple Network Management Protocol (SNMP), Constrained Application Protocol (CoAP) and Web Services Dynamic Discovery (WSD). Specifically, we conduct a countrywide network scanning across the four main Nordic countries, i.e., Denmark, Finland, Norway and Sweden, and enumerate the devices that respond to any of our probes and hence they can be exploited in DoS attacks. For each of the discovered devices, we assess its amplification capabilities in terms of Bandwidth Amplification Factor (BAF) and Packet Amplification Factor (PAF) that can contribute to a DoS incident. The outcomes show that from the four examined protocols, SSDP and SNMP are the most beneficial protocols from an attacker's perspective, as a multitudinous group of reflectors is identified in each of the considered countries. Even worst, a significant portion of these devices produced a BAF over 30, a BAF that can multiply significantly the attack traffic stemming from the attacker's side and hence causes a devastating impact on the victim's infrastructure.