The new technique has “the potential to put any company with an online presence at risk of attack”, warn researchers.
A newly-uncovered form of DDoS attack takes advantage of a well-known, yet still exploitable, security vulnerability in the Universal Plug and Play (UPnP) networking protocol to allow attackers to bypass common methods for detecting their actions.
Attacks are launched from irregular source ports, making it difficult to determine their origin and blacklist the ports in order to protect against future incidents.
The new form of distributed denial-of-service attack has been uncovered and detailed by researchers at security company Imperva, who say it has been used by unknown attackers twice.
The UPnP protocol is commonly used for device discovery, especially by Internet of Things devices, which use it to find each other and communicate over a local network.
The protocol is still used, despite known issues around poor default settings, lack of authentication, and UPnP-specific remote code execution vulnerabilities, which make the devices vulnerable to attack.
“Just like the much-discussed case of easily exploitable IoT devices, most UPnP device vendors prefer focusing on compliance with the protocol and easy delivery, rather than security,” Avishay Zawoznik, security research team leader at Imperva, told ZDNet.
“Many vendors reuse open UPnP server implementations for their devices, not bothering to modify them for a better security performance.”
Examples of problems with the protocol go all the way back to 2001, but the simplicity of using it means it is still widely deployed. However, Imperva researchers claim the discovery of how it can be used to make DDoS attacks more difficult to defend against could mean widespread problems.
“We have discovered a new DDoS attack technique, which uses known vulnerabilities, and has the potential to put any company with an online presence at risk of attack,” said Zawoznik.
Researchers first noticed something was new during a Simple Service Discovery Protocol (SSDP) attack in April. Botnets used for this type of attack tend to be small and spoof their victim’s IP address in order to query common internet-connected devices such as routers, printers and access points.
While most of the attacks were arriving from the usual SSDP port number of 1900, around 12 percent of payloads were arriving from randomised source ports. Imperva investigated and found that a UPnP-integrated attack method could be used to hide source port information.
Attackers could easily find devices to take advantage of by using the Shodan IoT search engine — researchers found over 1.3 million devices which could be exploitable, especially if the attacker used scripts to automate discovery.
In order to not fall victim to this, businesses “should come up with a DDoS protection that is based on the packet payloads, rather than source ports only,” said Zawoznik.
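The distinction Zawoznik draws, filtering on what the packet contains rather than where it comes from, is easy to illustrate. The following Python is an added example (not code from Imperva or ZDNet) that classifies a handful of constructed UDP datagrams two ways: a port-only rule that flags anything from source port 1900, and a payload rule that parses each datagram as an SSDP message and flags unsolicited responses regardless of source port. The sample datagrams, IP addresses and source ports are all constructed for the example; it assumes the protected host never sent an M-SEARCH, so any SSDP response it receives is reflected traffic.

```python
"""Port-based versus payload-based detection of SSDP/UPnP reflection traffic.

Added example, not from the article. Each record is a constructed tuple
(src_ip, src_port, dst_port, payload); none of the addresses or payloads
come from a real capture.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

Datagram = Tuple[str, int, int, bytes]

SSDP_PORT = 1900  # the port a port-only filter would key on

# Constructed samples. Records 1-2 are SSDP responses from the usual port 1900;
# records 3-4 carry SSDP payloads but arrive from randomised source ports;
# record 5 is non-SSDP noise that happens to come from port 1900; record 6 is
# an ordinary HTTP reply from a random port that a naive "starts with HTTP"
# check would misclassify.
SAMPLE_DATAGRAMS: List[Datagram] = [
    ("198.51.100.10", 1900, 80, b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\n"
     b"ST: upnp:rootdevice\r\nUSN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n"
     b"LOCATION: http://198.51.100.10:49152/rootDesc.xml\r\n\r\n"),
    ("198.51.100.11", 1900, 80, b"HTTP/1.1 200 OK\r\nST: ssdp:all\r\n"
     b"USN: uuid:00000000-0000-0000-0000-000000000002::upnp:rootdevice\r\n\r\n"),
    ("198.51.100.10", 41513, 80, b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\n"
     b"ST: upnp:rootdevice\r\nUSN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n\r\n"),
    ("198.51.100.12", 52001, 80, b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
     b"NT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n"
     b"USN: uuid:00000000-0000-0000-0000-000000000003::upnp:rootdevice\r\n\r\n"),
    ("198.51.100.13", 1900, 80, b"\x00\x01\xff\xfe not ssdp at all"),
    ("198.51.100.14", 33333, 80, b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nhello"),
]


def parse_ssdp_message(payload: bytes) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return (start_line, headers) if payload has SSDP/HTTP-style framing, else None."""
    try:
        text = payload.decode("ascii")  # SSDP headers are plain ASCII
    except UnicodeDecodeError:
        return None
    head, separator, _body = text.partition("\r\n\r\n")
    if not separator:  # no end-of-headers marker: not a complete SSDP message
        return None
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            return None  # malformed header line
        headers[name.strip().upper()] = value.strip()
    return lines[0], headers


def is_ssdp_response(payload: bytes) -> bool:
    """True for an SSDP search response (ST + USN) or NOTIFY advert (NT + USN)."""
    parsed = parse_ssdp_message(payload)
    if parsed is None:
        return False
    start_line, headers = parsed
    start = start_line.upper()
    if start.startswith("HTTP/1.1 200 OK"):
        return "ST" in headers and "USN" in headers
    if start.startswith("NOTIFY * HTTP/1.1"):
        return "NT" in headers and "USN" in headers
    return False


def flag_by_port(datagrams: List[Datagram]) -> List[Datagram]:
    """Port-only rule: anything from UDP/1900 is treated as SSDP reflection."""
    return [d for d in datagrams if d[1] == SSDP_PORT]


def flag_by_payload(datagrams: List[Datagram]) -> List[Datagram]:
    """Payload rule: unsolicited SSDP responses, whatever the source port."""
    return [d for d in datagrams if is_ssdp_response(d[3])]


def missed_by_port_filter(datagrams: List[Datagram]) -> List[Tuple[str, int]]:
    """(src_ip, src_port) of reflected SSDP traffic the port-only rule lets through."""
    return [(d[0], d[1]) for d in flag_by_payload(datagrams) if d[1] != SSDP_PORT]


def reflectors_by_volume(datagrams: List[Datagram]) -> Counter:
    """Count flagged datagrams per source IP, useful for rate-limiting decisions."""
    return Counter(d[0] for d in flag_by_payload(datagrams))


if __name__ == "__main__":
    print("port-only rule flagged:", [(d[0], d[1]) for d in flag_by_port(SAMPLE_DATAGRAMS)])
    print("payload rule flagged:  ", [(d[0], d[1]) for d in flag_by_payload(SAMPLE_DATAGRAMS)])
    print("missed by port rule:   ", missed_by_port_filter(SAMPLE_DATAGRAMS))
    print("volume per reflector:  ", dict(reflectors_by_volume(SAMPLE_DATAGRAMS)))
```

On the constructed sample the port rule both misses the two randomised-port responses and flags the non-SSDP noise from port 1900, while the payload rule catches all four reflected messages and nothing else. In a real deployment the payload parser would sit behind a check that the protected host actually issued an M-SEARCH, since a legitimate SSDP response is only expected in reply to one.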
However, researchers note that there is a relatively simple way to protect systems from this and other UPnP exploits: just block the device from being remotely accessible, because in the vast majority of cases, they note, “it serves no useful function or has any benefit for device users”.