This article is more than 1 year old

UPnP joins the 'just turn it off on consumer devices, already' club

Before it amplifies DDoS attacks

Universal Plug 'n' Play, that eternal feast of the black-hat, has been identified as helping to amplify denial-of-service attacks.

Researchers at Imperva looked into misbehaving UPnP implementations after spotting odd attack traffic while analysing a Simple Service Discovery Protocol (SSDP, an Internet proposal absorbed into UPnP) amplification attack during April 2018.

A skull atop money

It's 2017, and UPnP is helping black-hats run banking malware


The company's Avishay Zawoznik, Johnathan Azaria, and Igal Zeifman wrote that while some of the attack packets came from familiar UDP ports, others were randomised.

In trying to replicate the behaviour, the three researchers concluded that attackers were using UPnP on badly-secured devices like routers (turn it off, people), and tried to replicate the attack.

It's not particularly difficult, particularly with Shodan to help. The required steps are:

  • Discover targets on Shodan by searching for the rootDesc.xml file (Imperva found 1.3 million devices);
  • Use HTTP to access rootDesc.xml;
  • Modify the victim's port forwarding rules (the researchers noted that this isn't supposed to work, since port forwarding should be between internal and external addresses, but “few routers actually bother to verify that a provided 'internal IP' is actually internal, and [they abide] by all forwarding rules as a result”.
  • Launch the attack.

That means an attacker can create a port forwarding rule that spoofs a victim's IP address – so a bunch of ill-secured routers can be sent a DNS request which they'll try to return to the victim, in the classic redirection DDoS attack.

The port forwarding lets an attacker use “evasive ports”, “enabling them to bypass commonplace scrubbing directives that identify amplification payloads by looking for source port data for blacklisting”, the post explained.

The researchers noted that this style of attack isn't limited to reflecting DNS queries – late in April 2018, they observed a low-volume attack (probably probing) using Network Time Protocol responses over irregular ports.

The lesson is simple: sysadmins and home users need to block UPnP from internet-facing access; and vendors making consumer-grade devices need to make that block the default setting. ®

More about


Send us news

Other stories you might like