Attackers Abuse UPnP Devices in DDoS Attacks, Akamai Warns

Researchers at Akamai Technologies have issued a warning about a spate of distributed denial-of-service attacks being launched via Universal Plug and Play (UPnP) devices.

According to Akamai's Prolexic Security Engineering & Response Team (PLXsert), there has been a spike in reflection and amplification distributed denial-of-service (DDoS) attacks since July that abuse communications protocols that come enabled on UPnP devices such as routers, webcams and printers.

The Simple Service Discovery Protocol (SSDP) is part of the UPnP protocol standard and comes enabled on millions of devices to allow them to discover each other on the network, establish communication and coordinate activities. According to the advisory, attackers have been leveraging SSDP to launch attacks that amplify and reflect traffic to their targets.

The potential of the tactic is significant - PLXsert found 4.1 million Internet-facing UPnP devices that could be used in this type of reflection DDoS attack.

"The rise of reflection attacks involving UPnP devices is an example of how fluid and dynamic the DDoS crime ecosystem can be in identifying, developing and incorporating new resources and attack vectors into its arsenal," the advisory states. "Further development and refinement of attack payloads and tools is likely in the near future."

As part of its research, PLXsert also identified Python scripts being used to scan for UPnP-enabled devices that reply to an initial discovery packet request and turn those devices into reflectors for DDoS attacks. The majority of the targets of the SSDP attacks the company detected have been in the entertainment (28.6 percent), education (21.4 percent) and payment processing (21.4 percent) sectors.

"Malicious actors are using this new attack vector to perform large-scale DDoS attacks," said Stuart Scholly, senior vice president and general manager of the Security Business Unit at Akamai, in a statement. "PLXsert began seeing attacks from UPnP devices in July, and they have become common. The number of UPnP devices that will behave as open reflectors is vast, and many of them are home-based Internet-enabled devices that are difficult to patch."

The warning from Akamai follows research from Arbor Networks that also noted a significant jump in SSDP reflection attacks during the third quarter of the year. While only a few such attacks occurred during the second quarter of 2014, nearly 30,000 attacks with this source port were uncovered during Q3 alone, with one of these attacks reaching 124 Gbps, according to Arbor Networks.

To mitigate the UPnP attacks, Akamai recommends blocking wide area network (WAN)-based UPnP requests to client devices or disallowing UPnP access from the Internet unless needed. In addition, they recommend disabling UPnP services on devices where it is not a functional requirement.
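The two signatures a network defender can look for follow directly from the description above: SSDP discovery requests (UDP/1900) arriving from the WAN at internal devices, which Akamai's mitigation says should be blocked, and SSDP replies (UDP source port 1900) from many distinct devices converging on one destination, which is what a reflected attack looks like from upstream. The script below is an added example, not Akamai's or Arbor's code; it assumes a hypothetical flow-record format ("ts src:port > dst:port proto bytes pkts") captured at a vantage point that sees both the spoofed requests and the replies, uses constructed sample records, and treats 192.168.0.0/16 as the internal network.

```python
"""Detect SSDP reflection patterns in flow records (added example, constructed data)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

SSDP_PORT = 1900  # UDP port for SSDP M-SEARCH requests and their replies

# Assumption: these are our own address ranges (site-specific configuration).
LAN_NETWORKS = [ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample. 203.0.113.7 is the spoofed victim address, 192.168.1.10
# is a UPnP device behind our WAN edge, 198.51.100.20/21 are reflectors elsewhere.
SAMPLE_FLOWS = """\
# ts src:port > dst:port proto bytes pkts
1414000001 203.0.113.7:45000 > 192.168.1.10:1900 udp 100 1
1414000001 203.0.113.7:45000 > 198.51.100.20:1900 udp 100 1
1414000001 203.0.113.7:45000 > 198.51.100.21:1900 udp 100 1
1414000001 192.168.1.10:1900 > 203.0.113.7:45000 udp 3600 12
1414000002 198.51.100.20:1900 > 203.0.113.7:45000 udp 3000 10
1414000002 198.51.100.21:1900 > 203.0.113.7:45000 udp 3000 10
1414000002 192.168.1.20:52000 > 192.168.1.10:1900 udp 100 1
1414000002 192.168.1.10:1900 > 192.168.1.20:52000 udp 400 1
1414000003 198.51.100.22:80 > 203.0.113.7:40000 tcp 1500 3
"""


@dataclass(frozen=True)
class Flow:
    ts: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    nbytes: int
    pkts: int


def parse_flows(text: str) -> list:
    """Parse flow records, skipping blank lines and '#' comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, arrow, dst, proto, nbytes, pkts = line.split()
        if arrow != ">":
            raise ValueError(f"malformed record: {line}")
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        flows.append(Flow(int(ts), src_ip, int(src_port), dst_ip, int(dst_port),
                          proto.lower(), int(nbytes), int(pkts)))
    return flows


def is_internal(ip: str) -> bool:
    """True if the address belongs to one of our configured LAN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)


def wan_ssdp_requests(flows) -> list:
    """SSDP requests that crossed the WAN edge toward internal devices.

    With WAN-side UPnP blocked as Akamai recommends, this list is empty; a
    non-empty result means an internal device is still reachable as a reflector.
    """
    return [(f.src_ip, f.dst_ip) for f in flows
            if f.proto == "udp" and f.dst_port == SSDP_PORT
            and not is_internal(f.src_ip) and is_internal(f.dst_ip)]


def reflection_targets(flows, min_reflectors: int = 2) -> dict:
    """Destinations receiving SSDP replies from at least `min_reflectors`
    distinct devices: the converging-traffic signature of a reflection attack."""
    per_dst = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for f in flows:
        if f.proto == "udp" and f.src_port == SSDP_PORT:
            per_dst[f.dst_ip]["reflectors"].add(f.src_ip)
            per_dst[f.dst_ip]["bytes"] += f.nbytes
    return {dst: {"reflectors": len(v["reflectors"]), "bytes": v["bytes"]}
            for dst, v in per_dst.items() if len(v["reflectors"]) >= min_reflectors}


def amplification_factor(flows, target: str) -> float:
    """Bytes of SSDP replies delivered to `target` divided by the bytes of the
    M-SEARCH requests carrying its (spoofed) address; 0.0 if no requests seen."""
    req = sum(f.nbytes for f in flows if f.proto == "udp"
              and f.src_ip == target and f.dst_port == SSDP_PORT)
    rsp = sum(f.nbytes for f in flows if f.proto == "udp"
              and f.dst_ip == target and f.src_port == SSDP_PORT)
    return rsp / req if req else 0.0


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("WAN-originated SSDP requests reaching internal devices:", wan_ssdp_requests(flows))
    for dst, info in reflection_targets(flows).items():
        print(f"{dst}: {info['reflectors']} reflectors, {info['bytes']} bytes, "
              f"amplification x{amplification_factor(flows, dst):.1f}")
```

The legitimate LAN-only discovery (192.168.1.20 asking 192.168.1.10) is deliberately left in the sample: it is not flagged by either check, which is the point of blocking SSDP only at the WAN edge rather than everywhere. On real flow exports the threshold for `min_reflectors` and a per-second byte rate would be tuned to the network's baseline.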

"These attacks are an example of how fluid and dynamic the DDoS crime ecosystem can be," explained Scholly. "Malicious actors identify, develop and incorporate new resources and attack vectors into their arsenals. It’s predictable that they will develop, refine and monetize these UPnP attack payloads and tools in the near future."