SERVER-OTHER -- Snort has detected traffic exploiting vulnerabilities in a server in the network.
SERVER-OTHER SSDP M-SEARCH ssdp-all potential amplified distributed denial-of-service attempt
This event is generated when an external Simple Service Discovery Protocol (SSDP) M-SEARCH request with an ST field of "ssdp:all" is observed on the internal network. This detection identifies a known option used in distributed denial-of-service attacks and warns that this behavior originating from outside the network is risky.
Attempted Denial of Service
SSDP has two generic Search Target (ST) types used in conjunction with the M-SEARCH query: upnp:rootdevice and ssdp:all. The latter asks every UPnP device and service to respond, which elicits large responses for a small request and is what makes it useful for reflected amplification.
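As an added example (not part of the original rule documentation or Snort itself), the script below builds an SSDP M-SEARCH request, parses its headers, and applies a simplified version of the rule logic: flag a UDP/1900 M-SEARCH whose ST is ssdp:all when the source is outside the home network. The INTERNAL_NETS prefixes and the sample packets are constructed for illustration and are not taken from the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed "home network" prefixes, standing in for Snort's $HOME_NET.
INTERNAL_NETS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
]
SSDP_PORT = 1900


def build_msearch(st: str, mx: int = 2) -> bytes:
    """Build an SSDP M-SEARCH request for the given Search Target (ST)."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        "HOST: 239.255.255.250:1900",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_headers(payload: bytes) -> Optional[Dict[str, str]]:
    """Return the header map of an M-SEARCH request, or None if it is not one."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].upper().startswith("M-SEARCH "):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


@dataclass
class Packet:
    """Minimal UDP datagram view: addresses, destination port, payload."""
    src: str
    dst: str
    dport: int
    payload: bytes


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def check_packet(pkt: Packet) -> Optional[str]:
    """Simplified rule: $EXTERNAL_NET -> $HOME_NET udp/1900, M-SEARCH, ST ssdp:all."""
    if pkt.dport != SSDP_PORT:
        return None
    if is_internal(pkt.src) or not is_internal(pkt.dst):
        return None
    headers = parse_ssdp_headers(pkt.payload)
    if headers is None:
        return None
    if headers.get("ST", "").lower() != "ssdp:all":
        return None
    return (f"SSDP M-SEARCH ssdp:all potential amplified DDoS attempt: "
            f"{pkt.src} -> {pkt.dst}:{pkt.dport}")


if __name__ == "__main__":
    # Constructed sample traffic: one hit, three misses.
    samples = [
        Packet("203.0.113.7", "192.168.1.20", 1900, build_msearch("ssdp:all")),
        Packet("203.0.113.7", "192.168.1.20", 1900, build_msearch("upnp:rootdevice")),
        Packet("192.168.1.5", "192.168.1.20", 1900, build_msearch("ssdp:all")),
        Packet("203.0.113.7", "192.168.1.20", 1900, b"NOTIFY * HTTP/1.1\r\n\r\n"),
    ]
    for pkt in samples:
        print(check_packet(pkt))
```

Only the first sample fires: an ssdp:all search from an external address to an internal host. The same ST from an internal source, a upnp:rootdevice search, or a non-M-SEARCH datagram on port 1900 all pass, mirroring the rule's $EXTERNAL_NET to $HOME_NET direction and its ST match.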
Ease of Attack:
Simple. Techniques are available to execute this type of attack.
What To Look For
No public information
No known false positives
Cisco Talos Intelligence Group
MITRE ATT&CK Framework
For reference, see the MITRE ATT&CK techniques here:
CVE Additional Information
CVE-2013-5211: The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013.