Connect with us

Hi, what are you looking for?



Attackers Abuse UPnP Devices in DDoS Attacks, Akamai Warns

Researchers at Akamai Technologies have issued a warning about a spate of distributed denial-of-service attacks being launched via Universal Plug and Play (UPnP) devices.

Researchers at Akamai Technologies have issued a warning about a spate of distributed denial-of-service attacks being launched via Universal Plug and Play (UPnP) devices.

According to Akamai’s Prolexic Security Engineering & Response Team (PLXsert), there has been a spike in reflection and amplification distributed denial-of-service (DDoS) attacks since July that abuse communications protocols that come enabled on UPnP devices such as routers, webcams and printers.

The Simple Service Discovery Protocol (SSDP) is part of the UPnP protocol standard and comes enabled on millions of devices to allow them to discover each other on the network, establish communication and coordinate activities. According to the advisory, attackers have been leveraging SSDP to launch attacks that amplify and reflect traffic to their targets.

The potential of the tactic is significant – PLXsert found 4.1 million Internet-facing UPnP devices that could be used in this type of reflection DDoS attack.

Advertisement. Scroll to continue reading.

“The rise of reflection attacks involving UPnP devices in an example of how fluid and dynamic the DDoS crime ecosystem can be in identifying, developing and incorporating new resources and attack vectors into its arsenal,” the advisory states. “Further development and refinement of attack payloads and tools is likely in the near future.”

As part of its research, PLXsert also identified python scripts being used to scan for UPnP-enabled devices that reply to an initial discovery packet request and turn those devices into reflectors for DDoS attacks. The majority of the targets of the SSDP attacks the company detected have been in the entertainment (28.6 percent), education (21.4 percent) and payment processing (21.4 percent) sectors.

“Malicious actors are using this new attack vector to perform large-scale DDoS attacks,” said Stuart Scholly, senior vice president and general manager of the Security Business Unit at Akamai, in a statement. “PLXsert began seeing attacks from UPnP devices in July, and they have become common. The number of UPnP devices that will behave as open reflectors is vast, and many of them are home-based Internet-enabled devices that are difficult to patch.”

The warning from Akamai follows research from Arbor Networks that also noted a significant jump in SSDP reflection attacks during the third quarter of the year. While only a few such attacks occurred during the second quarter of 2014, nearly 30,000 attacks with this source port were uncovered during Q3 alone, with one of these attacks reaching 124 Gbps, according to Arbor Networks.

To mitigate the UPnP attacks, Akamai recommends blocking wide area network (WAN)-based UPnP requests to client devices or disallowing UPnP access from the Internet unless needed. In addition, they recommend disabling UPnP services on devices where it is not a functional requirement.

“These attacks are an example of how fluid and dynamic the DDoS crime ecosystem can be,” explained Scholly. “Malicious actors identify, develop and incorporate new resources and attack vectors into their arsenals. It’s predictable that they will develop, refine and monetize these UPnP attack payloads and tools in the near future.”

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.