Attackers Abuse UPnP Devices in DDoS Attacks, Akamai Warns

Researchers at Akamai Technologies have issued a warning about a spate of distributed denial-of-service attacks being launched via Universal Plug and Play (UPnP) devices.

According to Akamai’s Prolexic Security Engineering & Response Team (PLXsert), there has been a spike in reflection and amplification distributed denial-of-service (DDoS) attacks since July that abuse communications protocols that come enabled on UPnP devices such as routers, webcams and printers.

The Simple Service Discovery Protocol (SSDP) is part of the UPnP protocol standard and comes enabled on millions of devices to allow them to discover each other on the network, establish communication and coordinate activities. According to the advisory, attackers have been leveraging SSDP to launch attacks that amplify and reflect traffic to their targets.

The potential of the tactic is significant – PLXsert found 4.1 million Internet-facing UPnP devices that could be used in this type of reflection DDoS attack.

“The rise of reflection attacks involving UPnP devices is an example of how fluid and dynamic the DDoS crime ecosystem can be in identifying, developing and incorporating new resources and attack vectors into its arsenal,” the advisory states. “Further development and refinement of attack payloads and tools is likely in the near future.”

As part of its research, PLXsert also identified Python scripts being used to scan for UPnP-enabled devices that reply to an initial discovery packet request and turn those devices into reflectors for DDoS attacks. The majority of the targets of the SSDP attacks the company detected have been in the entertainment (28.6 percent), education (21.4 percent) and payment processing (21.4 percent) sectors.

“Malicious actors are using this new attack vector to perform large-scale DDoS attacks,” said Stuart Scholly, senior vice president and general manager of the Security Business Unit at Akamai, in a statement. “PLXsert began seeing attacks from UPnP devices in July, and they have become common. The number of UPnP devices that will behave as open reflectors is vast, and many of them are home-based Internet-enabled devices that are difficult to patch.”

The warning from Akamai follows research from Arbor Networks that also noted a significant jump in SSDP reflection attacks during the third quarter of the year. While only a few such attacks occurred during the second quarter of 2014, nearly 30,000 attacks using the SSDP source port were uncovered during Q3 alone, with one of these attacks reaching 124 Gbps, according to Arbor Networks.

To mitigate the UPnP attacks, Akamai recommends blocking wide area network (WAN)-based UPnP requests to client devices or disallowing UPnP access from the Internet unless needed. In addition, they recommend disabling UPnP services on devices where it is not a functional requirement.
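To find which of your own devices still answer WAN-based SSDP requests, and so need the blocking or disabling described above, border flow records can be checked for replies leaving from SSDP's UDP port 1900. The sketch below is an added example, not code from Akamai or the article; the flow tuple layout, the `LOCAL_NETS` range and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

SSDP_PORT = 1900  # UDP port used by SSDP
# Assumption: the address space you operate (documentation range used here).
LOCAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed flow records: (proto, src_ip, src_port, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    ("udp", "198.51.100.7", 51000, "203.0.113.20", 1900, 110),   # WAN request
    ("udp", "203.0.113.20", 1900, "198.51.100.7", 51000, 3300),  # device replied
    ("udp", "198.51.100.7", 51001, "203.0.113.21", 1900, 110),   # request, no reply
    ("udp", "203.0.113.30", 1900, "203.0.113.31", 49000, 900),   # LAN-only discovery
    ("tcp", "198.51.100.9", 44000, "203.0.113.20", 443, 5000),   # unrelated traffic
]

def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def find_open_reflectors(flows):
    """Return local devices that sent SSDP replies to external addresses,
    with byte counts and the observed amplification factor."""
    stats = defaultdict(lambda: {"bytes_in": 0, "bytes_out": 0})
    for proto, src, sport, dst, dport, nbytes in flows:
        if proto != "udp":
            continue
        if dport == SSDP_PORT and is_local(dst) and not is_local(src):
            stats[dst]["bytes_in"] += nbytes    # request arriving from the WAN
        elif sport == SSDP_PORT and is_local(src) and not is_local(dst):
            stats[src]["bytes_out"] += nbytes   # reply leaving toward the WAN
    report = {}
    for ip, s in stats.items():
        if s["bytes_out"] == 0:
            continue  # requests arrived but nothing left: filtered or disabled
        # Requests may be missing from the capture; then no ratio is reported.
        amp = s["bytes_out"] / s["bytes_in"] if s["bytes_in"] else None
        report[ip] = {**s, "amplification": amp}
    return report

if __name__ == "__main__":
    for ip, s in find_open_reflectors(SAMPLE_FLOWS).items():
        print(ip, s)
```

A device that appears in the report is reachable from the Internet on SSDP and is a candidate for the WAN-side block; one that received requests but sent nothing back is already filtered or has UPnP disabled.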

“These attacks are an example of how fluid and dynamic the DDoS crime ecosystem can be,” explained Scholly. “Malicious actors identify, develop and incorporate new resources and attack vectors into their arsenals. It’s predictable that they will develop, refine and monetize these UPnP attack payloads and tools in the near future.”
