Security Experts:

Connect with us

Hi, what are you looking for?



Attackers Abuse UPnP Devices in DDoS Attacks, Akamai Warns

Researchers at Akamai Technologies have issued a warning about a spate of distributed denial-of-service attacks being launched via Universal Plug and Play (UPnP) devices.

Researchers at Akamai Technologies have issued a warning about a spate of distributed denial-of-service attacks being launched via Universal Plug and Play (UPnP) devices.

According to Akamai’s Prolexic Security Engineering & Response Team (PLXsert), there has been a spike in reflection and amplification distributed denial-of-service (DDoS) attacks since July that abuse communications protocols that come enabled on UPnP devices such as routers, webcams and printers.

The Simple Service Discovery Protocol (SSDP) is part of the UPnP protocol standard and comes enabled on millions of devices to allow them to discover each other on the network, establish communication and coordinate activities. According to the advisory, attackers have been leveraging SSDP to launch attacks that amplify and reflect traffic to their targets.

The potential of the tactic is significant – PLXsert found 4.1 million Internet-facing UPnP devices that could be used in this type of reflection DDoS attack.

“The rise of reflection attacks involving UPnP devices in an example of how fluid and dynamic the DDoS crime ecosystem can be in identifying, developing and incorporating new resources and attack vectors into its arsenal,” the advisory states. “Further development and refinement of attack payloads and tools is likely in the near future.”

As part of its research, PLXsert also identified python scripts being used to scan for UPnP-enabled devices that reply to an initial discovery packet request and turn those devices into reflectors for DDoS attacks. The majority of the targets of the SSDP attacks the company detected have been in the entertainment (28.6 percent), education (21.4 percent) and payment processing (21.4 percent) sectors.

“Malicious actors are using this new attack vector to perform large-scale DDoS attacks,” said Stuart Scholly, senior vice president and general manager of the Security Business Unit at Akamai, in a statement. “PLXsert began seeing attacks from UPnP devices in July, and they have become common. The number of UPnP devices that will behave as open reflectors is vast, and many of them are home-based Internet-enabled devices that are difficult to patch.”

The warning from Akamai follows research from Arbor Networks that also noted a significant jump in SSDP reflection attacks during the third quarter of the year. While only a few such attacks occurred during the second quarter of 2014, nearly 30,000 attacks with this source port were uncovered during Q3 alone, with one of these attacks reaching 124 Gbps, according to Arbor Networks.

To mitigate the UPnP attacks, Akamai recommends blocking wide area network (WAN)-based UPnP requests to client devices or disallowing UPnP access from the Internet unless needed. In addition, they recommend disabling UPnP services on devices where it is not a functional requirement.

“These attacks are an example of how fluid and dynamic the DDoS crime ecosystem can be,” explained Scholly. “Malicious actors identify, develop and incorporate new resources and attack vectors into their arsenals. It’s predictable that they will develop, refine and monetize these UPnP attack payloads and tools in the near future.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.