@@ -314,6 +314,33 @@ void SSDP::run()
314314
315315void SSDP::ProcessData ( MSocketDevice *pSocket )
316316{
317+ QHostAddress peerAddress = pSocket->peerAddress ();
318+ quint16 peerPort = pSocket->peerPort ();
319+
320+ // Mitigate against SSDP Reflection DDOS attacks
321+ // Disallow device discovery from non-local addresses
322+ // Security Advisory (Akamai):
323+ // https://www.prolexic.com/kcresources/prolexic-threat-advisories/prolexic-threat-advisory-ssdp-reflection-ddos-attacks/ssdp-reflection-attacks-cybersecurity-locked.html
324+ // https://www.prolexic.com/knowledge-center-ddos-threat-advisory-ssdp-reflection-ddos-attacks.html
325+ //
326+ // TODO: We may want to restrict this to the same subnet as the server
327+ // for added security
328+ if (((peerAddress.protocol () == QAbstractSocket::IPv4Protocol) &&
329+ (!peerAddress.isInSubnet (QHostAddress (" 172.16.0.0" 12 ) &&
330+ !peerAddress.isInSubnet (QHostAddress (" 192.168.0.0" 16 ) &&
331+ !peerAddress.isInSubnet (QHostAddress (" 10.0.0.0" 8 ))) ||
332+ ((peerAddress.protocol () == QAbstractSocket::IPv6Protocol) &&
333+ !peerAddress.isInSubnet (pSocket->address (), 64 ))) // default subnet size is assumed to be /64
334+ {
335+ LOG (VB_GENERAL, LOG_CRIT, QString (" SSDP Request from WAN IP "
336+ " address (%1). Possible SSDP "
337+ " Reflection attempt. Ignoring as "
338+ " security risk."
339+ .arg (peerAddress.toString ()));
340+ pSocket->readAll (); // Discard the data in the socket buffer
341+ return ;
342+ }
343+
317344 QByteArray buffer;
318345 long nBytes = 0 ;
319346 int retries = 0 ;
@@ -365,9 +392,6 @@ void SSDP::ProcessData( MSocketDevice *pSocket )
365392 if (buffer.isEmpty ())
366393 continue ;
367394
368- QHostAddress peerAddress = pSocket->peerAddress ();
369- quint16 peerPort = pSocket->peerPort ();
370-
371395 // ------------------------------------------------------------------
372396 QString str = QString (buffer.constData ());
373397 QStringList lines = str.split (" \r\n "
0 commit comments