
Hackers could exploit well-known UPnP protocol flaw to launch new, powerful DDoS attacks


Researchers have detailed a proof-of-concept DDoS attack that exploits a well-known security vulnerability in the Universal Plug and Play (UPnP) networking protocol, allowing attackers to bypass DDoS mitigations. The UPnP network protocol is commonly used by IoT devices to find each other and communicate over a local network.

According to Imperva researchers, UPnP has raised multiple security concerns for years due to bad default settings, a lack of any authentication mechanism, and known remote code execution vulnerabilities, some of which date back to 2001. Separately, in 2017, researchers observed reflection-based DDoS attacks that abused a range of protocols to magnify their impact.

“For bad actors, amplification vectors offer a shortcut to launching bandwidth-heavy assaults without the need for equally large botnet resources,” researchers wrote. “From a mitigation point of view, however, they represent a diminished threat as, by now, most mitigation services have scaled to a point where attack bandwidth is no longer a chief concern—or any concern at all.”

The attack begins by locating an exploitable UPnP router, either through a wide-scale scan with SSDP requests or by using the Shodan search engine to look for the "rootDesc.xml" file. Once the XML file is acquired, the attacker accesses it via HTTP to change the "Location" IP. The port forwarding rules are then modified accordingly before a port-obfuscated DNS amplification attack is launched.

A DNS request is then issued to the device, which ultimately produces a DNS amplification DDoS attack sent from evasive ports.

"These payloads would originate from irregular source ports, enabling them to bypass commonplace scrubbing directives that identify amplification payloads by looking for source port data for blacklisting," researchers note.
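The evasion described above only works against scrubbing rules that key on the UDP source port. The following Python example, added here for illustration and not part of Imperva's research or tooling, contrasts a port-based rule with a payload-based rule over a handful of constructed UDP records. The DNS responses are hand-built (a valid 12-byte DNS header followed by filler, since only the header and total length are examined); the port number 41234 and the IP addresses are arbitrary constructed values.

```python
import struct
from dataclasses import dataclass


@dataclass
class UdpRecord:
    """One captured UDP datagram (constructed sample, not real traffic)."""
    label: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def parse_dns_header(payload: bytes):
    """Decode the fixed 12-byte DNS header; return None if too short."""
    if len(payload) < 12:
        return None
    tid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    return {
        "id": tid,
        "qr": bool(flags & 0x8000),      # 1 = response, 0 = query
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def port_rule(rec: UdpRecord, min_size: int = 512) -> bool:
    """Naive scrubbing directive: large UDP payloads sourced from port 53.
    This is the kind of rule a port-obfuscated reflection bypasses."""
    return rec.src_port == 53 and len(rec.payload) >= min_size


def payload_rule(rec: UdpRecord, min_size: int = 512) -> bool:
    """Content-based directive: a large datagram whose bytes parse as a DNS
    response (QR set, one question, at least one record), whatever the port."""
    hdr = parse_dns_header(rec.payload)
    if hdr is None or not hdr["qr"] or hdr["qdcount"] != 1:
        return False
    return (hdr["ancount"] + hdr["arcount"]) >= 1 and len(rec.payload) >= min_size


def make_dns_response(tid: int, ancount: int, total_len: int) -> bytes:
    """Construct a DNS-response-shaped payload of the requested length.
    Flags 0x8180 = QR, RD, RA set, NOERROR. Body is filler, not real RRs."""
    header = struct.pack("!HHHHHH", tid, 0x8180, 1, ancount, 0, 1)
    return header + b"\x00" * (total_len - len(header))


def sample_records():
    """Constructed sample traffic (all addresses and ports are made up)."""
    junk = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + b"\x00" * 588
    return [
        UdpRecord("a", "198.51.100.10", 53, "203.0.113.5", 40000,
                  make_dns_response(1, 10, 600)),      # classic reflection
        UdpRecord("b", "198.51.100.20", 41234, "203.0.113.5", 40000,
                  make_dns_response(2, 10, 600)),      # port-obfuscated reflection
        UdpRecord("c", "198.51.100.30", 53, "203.0.113.5", 40000,
                  make_dns_response(3, 1, 70)),        # ordinary small answer
        UdpRecord("d", "198.51.100.40", 41234, "203.0.113.5", 40000,
                  junk),                               # large, but QR=0: not a response
    ]


def evaluate(records):
    """Return which record labels each rule flags as amplification payloads."""
    return {
        "port_rule": [r.label for r in records if port_rule(r)],
        "payload_rule": [r.label for r in records if payload_rule(r)],
    }


if __name__ == "__main__":
    for rule, hits in evaluate(sample_records()).items():
        print(f"{rule:13s} flags {hits}")
```

Record "b" is the case the article describes: the response is a full-size DNS answer, but because it leaves the reflector through a forwarded port rather than port 53, the port-based directive never sees it, while the payload-based rule still does. A production filter would additionally walk the question and answer sections rather than trusting the header counts, but the header alone is enough to show why source port is a weak discriminator.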

In March, GitHub suffered a massive DDoS attack, measuring 1.3 Tbps of sustained traffic for eight minutes, where the attacker employed the "Memcached" amplification technique for exploitation, they pointed out.

"It’s our hope that these findings will help the mitigation industry prepare itself for the above-described evasion tactics before they become more common," Imperva said.

Given that the exploitation method relies on a well-known vulnerability and on simple mitigation-evasion techniques, this new attack is expected to become more common in the near future, as other UPnP-related vulnerabilities have.
