UPnP Devices Targeted in DDoS Attacks

Friday, October 17, 2014 @ 04:10 PM gHale


Attackers are launching distributed denial-of-service (DDoS) attacks via Universal Plug and Play (UPnP) devices, researchers said.

There has been a spike in reflection and amplification DDoS attacks since July that abuse communications protocols that come enabled on UPnP devices such as routers, webcams and printers, said Akamai Technologies’ Prolexic Security Engineering & Response Team (PLXsert).

The Simple Service Discovery Protocol (SSDP) is part of the UPnP protocol standard and comes enabled on millions of devices to allow them to discover each other on the network, establish communication and coordinate activities. According to the advisory, attackers have been leveraging SSDP to launch attacks that amplify and reflect traffic to their targets.

The potential of the tactic is significant: Prolexic found 4.1 million Internet-facing UPnP devices that could be used in this type of reflection DDoS attack.

“The rise of reflection attacks involving UPnP devices is an example of how fluid and dynamic the DDoS crime ecosystem can be in identifying, developing and incorporating new resources and attack vectors into its arsenal,” the advisory said. “Further development and refinement of attack payloads and tools is likely in the near future.”

As part of its research, Prolexic also found Python scripts used to scan for UPnP-enabled devices that reply to an initial discovery packet request and turn those devices into reflectors for DDoS attacks. The majority of the targets of the SSDP attacks the company detected have been in the entertainment (28.6 percent), education (21.4 percent) and payment processing (21.4 percent) sectors.

“Malicious actors are using this new attack vector to perform large-scale DDoS attacks,” said Stuart Scholly, senior vice president and general manager of the Security Business Unit at Akamai. “PLXsert began seeing attacks from UPnP devices in July, and they have become common. The number of UPnP devices that will behave as open reflectors is vast, and many of them are home-based Internet-enabled devices that are difficult to patch.”

To mitigate the UPnP attacks, Akamai suggested blocking wide area network (WAN)-based UPnP requests to client devices or disallowing UPnP access from the Internet unless needed. In addition, the company recommended disabling UPnP services on devices where they are not a functional requirement.
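One way to check whether local devices are answering the WAN-based SSDP requests that the mitigation above would block is to audit flow records at the network edge. This is an added example, not code from Akamai's advisory or this article; it assumes SSDP's UDP port 1900, a hypothetical flow-record tuple layout, and constructed sample flows using documentation address ranges.

```python
import ipaddress
from collections import defaultdict

SSDP_PORT = 1900  # UDP port that SSDP listens on

# Constructed flow records (documentation address ranges), not captured traffic:
# (src_ip, src_port, dst_ip, dst_port, protocol, bytes)
SAMPLE_FLOWS = [
    ("203.0.113.9", 51000, "198.51.100.10", 1900, "udp", 120),    # WAN discovery request
    ("198.51.100.10", 1900, "203.0.113.9", 51000, "udp", 3600),   # device replies to WAN
    ("203.0.113.9", 51001, "198.51.100.11", 1900, "udp", 120),    # request, no reply seen
    ("198.51.100.12", 49152, "198.51.100.10", 1900, "udp", 120),  # LAN-to-LAN, expected
    ("198.51.100.10", 1900, "198.51.100.12", 49152, "udp", 900),
    ("203.0.113.50", 443, "198.51.100.12", 50222, "tcp", 5000),   # unrelated traffic
]


def audit_ssdp_exposure(flows, local_net):
    """Return {device: stats} for local devices that answered SSDP from outside local_net."""
    net = ipaddress.ip_network(local_net)

    def inside(ip):
        return ipaddress.ip_address(ip) in net

    stats = defaultdict(lambda: {"request_bytes": 0, "reply_bytes": 0, "peers": set()})
    for src, sport, dst, dport, proto, size in flows:
        if proto != "udp":
            continue
        if dport == SSDP_PORT and inside(dst) and not inside(src):
            stats[dst]["request_bytes"] += size   # WAN-originated request reached a device
        elif sport == SSDP_PORT and inside(src) and not inside(dst):
            stats[src]["reply_bytes"] += size     # SSDP reply leaving the network
            stats[src]["peers"].add(dst)

    report = {}
    for device, s in stats.items():
        if s["reply_bytes"] == 0:
            continue  # reached from the WAN but no reply observed in these flows
        # Bytes out per byte in; None when replies were seen without a matching request
        factor = s["reply_bytes"] / s["request_bytes"] if s["request_bytes"] else None
        report[device] = {**s, "amplification": factor}
    return report


if __name__ == "__main__":
    for device, s in audit_ssdp_exposure(SAMPLE_FLOWS, "198.51.100.0/24").items():
        print(device, s)
```

Any device that appears in the report is a candidate for the WAN-side block or for having UPnP disabled.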
