UPnP – Please Just Turn it Off

Universal Plug ‘n’ Play, a KRYPSYS favourite hot button, has recently been identified as facilitating larger denial-of-service attacks.

Industry researchers observed suspect traffic from UPnP implementations, while analysing a Simple Service Discovery Protocol (SSDP) amplification attack during April 2018. They spotted that while some of the attack packets were coming from familiar UDP ports, others were randomised.

In lab recreations of the behaviour, the researchers established that attackers were able to use UPnP on poorly-secured devices like routers to stage the attack and it was not particularly difficult to do.

Firstly: targets are discovered using the Shodan search engine by searching for the rootDesc.xml file. The tests showed that around 1.3 million devices could be found using this simple method.

Next: rootDesc.xml is accessed via HTTP and the targets’ port forwarding rules are modified. It was noted that this is not supposed to work, as port forwarding should be between internal and external addresses, but very few routers are able to verify that given ‘internal IP’ addresses are, indeed, internal, and so they comply with the forwarding rules as given.

Then: launch the attack. The port forwarding rule essentially means that the attacker can spoof a compromised device’s IP address, such that a whole host of badly-secured routers can be sent a DNS request, which they’ll try to return to the victim. A classic redirection DDoS attack.

The port forwarding approach lets the attacker use “evasive ports”. This enables them to bypass the kind of filtering that identifies amplification payloads by looking at source port data in order to blacklist the traffic.

The researchers noted that this type of attack is not limited to reflecting DNS queries. Late in April, they also observed a low-volume attack, which was probably probing, using Network Time Protocol (NTP) responses over uncommon ports.

The simple lesson from this tale is one that KRYPSYS has been vocal about for some time. When you install UPnP devices, you need to block UPnP from Internet-facing access. Moreover, vendors that make consumer-grade devices need to make the device block UPnP by default.
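One way to audit for the missing check described above, that a mapping's ‘internal IP’ really is on the LAN (an added example, not code from the researchers or KRYPSYS). It assumes the router's port-mapping table has already been retrieved as UPnP IGD `GetGenericPortMappingEntry` responses; the sample responses, the function names and the LAN subnet are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample data: bodies shaped like UPnP IGD GetGenericPortMappingEntry
# responses. 203.0.113.0/24 is a documentation range standing in for a public host.
_TEMPLATE = (
    '<u:GetGenericPortMappingEntryResponse '
    'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    "<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>"
    "<NewProtocol>{proto}</NewProtocol><NewInternalPort>{int_port}</NewInternalPort>"
    "<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>"
    "<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
    "<NewLeaseDuration>0</NewLeaseDuration>"
    "</u:GetGenericPortMappingEntryResponse>"
)
SAMPLE_RESPONSES = [
    _TEMPLATE.format(ext=32400, proto="TCP", int_port=32400, client="192.168.1.20", desc="media"),
    _TEMPLATE.format(ext=1337, proto="UDP", int_port=53, client="203.0.113.53", desc="node"),
    _TEMPLATE.format(ext=5000, proto="UDP", int_port=123, client="not-an-ip", desc="x"),
]


def parse_entry(xml_text):
    """Return the child elements of one response as a tag -> text dict."""
    root = ET.fromstring(xml_text)
    return {child.tag: (child.text or "").strip() for child in root}


def audit_mappings(responses, lan_cidr):
    """Flag mappings whose NewInternalClient is not a host on the LAN subnet."""
    lan = ipaddress.ip_network(lan_cidr)
    findings = []
    for text in responses:
        entry = parse_entry(text)
        client = entry.get("NewInternalClient", "")
        try:
            inside = ipaddress.ip_address(client) in lan
        except ValueError:  # hostname or garbage where an address belongs
            inside = False
        if not inside:
            findings.append((entry.get("NewProtocol"), int(entry["NewExternalPort"]),
                             client, int(entry["NewInternalPort"])))
    return findings


if __name__ == "__main__":
    for proto, ext, client, port in audit_mappings(SAMPLE_RESPONSES, "192.168.1.0/24"):
        print(f"SUSPECT {proto} external:{ext} -> {client}:{port}")
```

Any mapping this flags forwards traffic to a host outside the LAN, which is the condition the article says routers should refuse.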

If you need help with secure configuration of network devices, please feel free to contact KRYPSYS via our website www.krypsys.com