Free and open-source vulnerability scanner
Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.
Install NowAvailable for macOS, Windows, and Linux
UBNT Discovery Protocol Amplification Attack
Information
Severity
Severity
Family
Family
CVSSv2 Base
CVSSv2 Base
CVSSv2 Vector
CVSSv2 Vector
Solution Type
Solution Type
Created
Created
Modified
Modified
Summary
A publicly access Ubiquity device exposing the UBNT Discovery Protocol can be exploited to participate in a Distributed Denial of Service (DDoS) attack.
Insight
Insight
There are reports that there are ongoing attacks against devices with UBNT Discovery Protocol reachable which either result in a loss of device management or are used as a weak DDoS amplificatior. The basic attack technique consists of an attacker sending a valid query request to a UBNT server with the source address spoofed to be the victim's address. Since UBNT Discovery Protocol uses UDP this is trivialy done. When the UBNT server sends the response, it is sent instead to the victim. Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim (the amplification factor is around 30-35x). By leveraging a botnet to perform additional spoofed queries, an attacker can produce an overwhelming amount of traffic with little effort.
Detection Method
Detection Method
Checks if the UBNT Discovery Protocol is reachable.
Solution
Solution
Ubiquiti recommends to block port 10001/udp at the perimeter.
References
- https://twitter.com/troutman/status/1090212243197870081
- https://community.ubnt.com/t5/airMAX-General-Discussion/Possible-Explo
- https://community.ubnt.com/t5/airMAX-General-Discussion/airOS-airMAX-a
- https://www.us-cert.gov/ncas/alerts/TA14-017A
- https://blog.rapid7.com/2019/02/01/ubiquiti-discovery-service-exposure