Millions of UPnP Devices Risk DDoS Attacks

A vulnerability in the Universal Plug and Play (UPnP) internet protocol exposes millions of internet devices to distributed denial of service (DDoS) attacks, according to a security advisory issued by Akamai, an internet infrastructure firm.

According to Akamai, attackers use reflection and amplification DDoS attacks to exploit the Simple Service Discovery Protocol (SSDP), a standard internet protocol that facilitates communication and coordination between many UPnP devices, including routers, webcams, smart TVs and printers.

“PLXsert (Prolexic Security Engineering & Response Team) has observed the use of a new reflection and amplification distributed denial of service (DDoS) attack that abuses the Simple Service Discovery Protocol (SSDP). This protocol is part of the Universal Plug and Play (UPnP) Protocol standard. SSDP comes enabled on millions of home and office devices,” states the report from Akamai. “Attackers have been abusing this protocol to launch DDoS attacks that amplify and reflect network traffic to their targets.”

Technically, a DDoS attack reduces the ability of a computer resource to serve legitimate requests from its users. An attacker achieves this by directing a flood of traffic at the target using a fleet of remotely controlled computers (a botnet). Once the target is overwhelmed, it is so busy handling the attacker's traffic that it has no capacity left to respond to legitimate requests from users.

How do DDoS attacks work on UPnP devices?

A malicious hacker starts by identifying vulnerable UPnP-enabled devices on the network. This is achieved by sending a SOAP (Simple Object Access Protocol) request, M-SEARCH, to UPnP devices. The M-SEARCH identifies the vulnerable devices: each device responds to the request with the HTTP location of its device XML description file.

The hacker then sends malicious requests to the identified vulnerable devices, spoofing the address of the target and causing a reflected and amplified response. “The volume of traffic generated depends on many factors, including the size of the device description file, operating system and UUID,” says Pierluigi Paganini.

“The Simple Object Access Protocol (SOAP) is used to deliver control messages to UPnP devices and pass information back from the devices. Attackers have discovered that SOAP requests can be crafted to elicit a response that reflects and amplifies a packet, which can be redirected towards a target. By employing a great number of devices, attackers create large quantities of attack traffic that can be aimed at a selected target,” states the report.
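The reflection pattern described above leaves a recognisable trace on the victim's side: SSDP replies from UDP source port 1900 (SSDP's well-known port) arriving at a host that never sent an M-SEARCH. The checker below is an added example, not code from the Akamai report or this article; the flow records, addresses and packet lengths are constructed.

```python
"""Flag reflected SSDP traffic in UDP flow records (added example over constructed data)."""
from collections import defaultdict
from dataclasses import dataclass

SSDP_PORT = 1900                # UDP port SSDP listens on
SSDP_MCAST = "239.255.255.250"  # multicast group a legitimate M-SEARCH is sent to

@dataclass(frozen=True)
class UdpRecord:
    src: str      # source IP
    sport: int    # source UDP port
    dst: str      # destination IP
    dport: int    # destination UDP port
    length: int   # payload length in bytes
    payload: str  # start of the datagram, decoded as text

def is_msearch(rec):
    return rec.dport == SSDP_PORT and rec.payload.startswith("M-SEARCH * HTTP/1.1")

def is_ssdp_reply(rec):
    return rec.sport == SSDP_PORT and rec.payload.startswith("HTTP/1.1 200 OK")

def unsolicited_ssdp_replies(records):
    """SSDP replies whose receiving (IP, port) never probed the responder, directly or via the
    multicast group. Under reflection the probe carried the victim's spoofed address, so only replies show up."""
    probes = {(r.src, r.sport, r.dst) for r in records if is_msearch(r)}
    def solicited(reply):
        rx = (reply.dst, reply.dport)
        return (*rx, reply.src) in probes or (*rx, SSDP_MCAST) in probes
    return [r for r in records if is_ssdp_reply(r) and not solicited(r)]

def reflection_summary(records):
    """Per victim IP: (bytes of unsolicited SSDP replies, number of distinct reflectors)."""
    totals = defaultdict(lambda: [0, set()])
    for r in unsolicited_ssdp_replies(records):
        totals[r.dst][0] += r.length
        totals[r.dst][1].add(r.src)
    return {victim: (nbytes, len(srcs)) for victim, (nbytes, srcs) in totals.items()}

# Constructed sample: 192.0.2.10 discovers a LAN device normally, while 198.51.100.7
# receives replies from three devices it never probed (the M-SEARCH was spoofed).
REPLY = "HTTP/1.1 200 OK\r\nLOCATION: http://10.0.0.1:49152/desc.xml\r\nST: upnp:rootdevice\r\n"
SAMPLE = [
    UdpRecord("192.0.2.10", 50123, SSDP_MCAST, 1900, 130, "M-SEARCH * HTTP/1.1\r\nST: ssdp:all\r\n"),
    UdpRecord("10.0.0.1", 1900, "192.0.2.10", 50123, 310, REPLY),
    UdpRecord("203.0.113.5", 1900, "198.51.100.7", 80, 312, REPLY),
    UdpRecord("203.0.113.6", 1900, "198.51.100.7", 80, 305, REPLY),
    UdpRecord("203.0.113.7", 1900, "198.51.100.7", 80, 299, REPLY),
]
```

Running `reflection_summary(SAMPLE)` yields one victim, 198.51.100.7, with 916 bytes from 3 distinct reflectors, while the genuine discovery exchange from 192.0.2.10 is left alone.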

Meanwhile, there is an upswing in attacks involving UPnP devices, according to the report. Akamai identified two tools widely used to conduct UPnP reflection campaigns: ssdpscanner.py for scanning and ssdpattack.py for the actual attack. An internet scan revealed 4.1 million vulnerable devices out of a possible 11 million UPnP devices. These devices could be recruited by attackers to wage large-scale DDoS attacks.

“Malicious actors are using this new attack vector to perform large-scale DDoS attacks. The Prolexic Security Engineering & Response Team (PLXsert) began seeing attacks from UPnP devices in July, and they have become common,” said Stuart Scholly, senior vice president and general manager, Security Business Unit, Akamai. “The number of UPnP devices that will behave as open reflectors is vast, and many of them are home-based Internet-enabled devices that are difficult to patch. Action from firmware, application and hardware vendors must occur in order to mitigate and manage this threat.”

Geographically, Korea has the highest concentration of vulnerable UPnP devices, followed closely by the US, Canada, Argentina and Japan. Akamai explains that the huge number of vulnerable devices, approximately 38% of the 11 million UPnP devices, will make mitigation, patch management, updates and cleanup a challenge. The wide distribution of vulnerable devices also gives attackers an upper hand.

“The prevalence of vulnerable devices is likely to drive development of new tools to take advantage of the SSDP and SOAP protocols, which is likely to lead to UPnP device based reflection attack tools and botnets being monetized in the DDoS-for-hire underground market,” stated the report.

Unfortunately, there is no sure way of mitigating DDoS attacks on UPnP devices, given the astronomical number of vulnerable devices and their wide geographical distribution. However, Akamai security experts recommend blocking “source port 1990 traffic to your host to prevent bandwidth loads to services that do not use UPnP service, such as web hosting or possible exploitation attacks.”

Akamai security experts also recommended system hardening as a way of minimizing potential threats. This involves blocking all wide-area network (WAN) based UPnP requests to client devices, disabling the UPnP service on devices where it is not a basic requirement, and proactively patching and updating UPnP devices that are exposed to the internet.

The rise in reflection and amplification DDoS attacks involving UPnP devices presents a serious threat to the internet infrastructure. It is a clear indication that the DDoS crime ecosystem can be effective in “identifying, developing and incorporating new resources and attack its arsenal.” The future for internet users could be grim if these cyber criminals continue to develop and refine their techniques and tools. “Action from firmware, application and hardware vendors must occur in order to mitigate and manage this threat,” concludes Akamai.

Lawrence Mwangi

Lawrence is a technology and business reporter. He has freelanced for a number of tech sites and magazines. He is a web enthusiast, with a special interest in online security, entrepreneurship and innovation. When not writing about tech he can be found on a tennis court or at a chess board.