Stupidly Simple DDoS Protocol (SSDP) generates 100 Gbps DDoS

A recent unusual SSDP amplification attack was recorded by Cloudflare, crossing the symbolic threshold of 100 Gbps. The attack utilized 930k reflector servers across the globe and lasted for 38 minutes. The reflector IP distribution across ASNs followed the world's largest residential ISPs. SSDP protocol does not check whether the querying party is in the same network as the device, making it vulnerable to UDP amplification attacks with a misconfigured firewall. The real damage is done by the ssdp:all ST type, which can trigger multiple response packets. IP spoofing is the final step for the attack, and the most unprotected routers were from China, Russia, and Argentina. Cloudflare customers are protected from SSDP and other L3 amplification attacks due to their anycast infrastructure.