Attackers Use UPnP to Sidestep DDoS Defenses

Universal Plug and Play networking protocols have never been a friend of security researchers. On Monday, Imperva gave the InfoSec community another reason to dislike UPnP.

In a proof-of-concept Distributed Denial of Service (DDoS) attack, Imperva researchers have devised a way to exploit the UPnP protocol to bypass mitigations and carry out crippling DDoS amplification assaults.

Imperva’s PoC stems from its analysis of reflection-based DDoS attacks in 2017 that exploited varying protocols to magnify their impact. For example, Network Time Protocol amplification-based DDoS attacks represented a third of assaults tracked by Imperva. Reflection-based amplification using Domain Name System servers and Simple Service Discovery Protocol (SSDP) were also well represented in Imperva’s analysis – representing another third of attacks.

“For bad actors, amplification vectors offer a shortcut to launching bandwidth-heavy assaults without the need for equally large botnet resources,” wrote co-authors of the report Avishay Zawoznik, Johnathan Azaria and Igal Zeifman. “From a mitigation point of view, however, they represent a diminished threat as, by now, most mitigation services have scaled to a point where attack bandwidth is no longer a chief concern—or any concern at all.”

Mitigating against these attacks have become routine. Researchers point out “blocking all packets with source port 53 is considered a tried-and-true method for mitigating DNS amplification attacks.”

That’s why researchers became intrigued by an unconventional SSDP amplification attack spotted in April. “We noticed that a certain percentage of SSDP payloads, sometimes as much as 12 percent, were arriving from an unexpected source port, and not UDP/1900,” wrote researchers.

SSDP is a protocol that UPnP devices use to share data using User Datagram Protocol (an alternative Transmission Control Protocol) on port 1900.

In an effort to reproduce the April attack, Imperva researchers devised a novel UPnP-integrated attack method that could be used to obfuscate source port information for any type of amplification payload, including SSDP, DNS and NTP attacks. “There is no reason to assume that other amplification vectors (e.g., Memcached) will not work just as well,” researchers said.

In March, GitHub suffered a massive DDoS attack, measuring 1.3 Tbps of sustained traffic for eight minutes, where the attacker used the memcached amplification technique.

A simplified description of the UPnP PoC entails using the Shodan search engine to find exploitable UPnP gateway devices and a UPnP-associated file called rootDesc.xml. “Cataloged in rootDesc.xml are all of the available UPnP services and devices,” researchers wrote.

Once an attacker has identified the rootDesc.xml file they can use it to determine actions that the device will accept remotely. In the researchers’ PoC, one of those actions is AddPortMapping—a command that can be used to configure port forwarding rules.

“Using the scheme within the file, a SOAP request can be crafted to create a forwarding rule that reroutes all UDP packets sent to port 1337 to an external DNS server (3.3.3.3) via port UDP/53,” researchers said.

This type of port forwarding allows a DDoS attacker to send a DNS request on one port (UDP/1337) and then have it proxied to a DNS resolver over destination port (UDP/53). “The DNS resolver responds to the device over source port UDP/53,” researchers said. Then, “the device forwards the DNS response back to the original requestor, but not before changing the source port back to UDP/1337.”

“This was enough to serve as a proof of concept for our hypothesis. In an actual attack scenario, however, the initial DNS request would have been issued from a spoofed victim’s IP, meaning that the response would have been bounced back to the victim,” researchers wrote.

Imperva asserts its PoC should prompt security professionals to rethink how to mitigate against amplification attacks.

“With source IP and port information no longer serving as reliable filtering factors, the most likely answer is to perform deep packet inspection to identify amplification payloads—a more resource-intensive process, which is challenging to perform at an inline rate without access to dedicated mitigation equipment,” they said.