Hackers have started to abuse routers and other internet-of-things devices that expose their UPnP interfaces to the internet to launch distributed denial-of-service (DDoS) attacks that are hard to block, even by DDoS mitigation providers.
Researchers from security firm Imperva have recently observed a DDoS amplification attack in which some of the packets came in on non-standard port numbers, which is very unusual for such attacks. Upon further investigation, they believe attackers combined DDoS amplification with UPnP hijacking to achieve this effect.
DDoS amplification abuses various UDP-based protocols such as Network Time Protocol (NTP), Domain Name System (DNS) or Simple Service Discovery Protocol (SSDP). It works by sending queries to open servers on the internet over one of these protocols with the source IP address spoofed to appear as if the queries came from the attackers’ intended targets. The servers will then send the responses back to the victims instead of the actual devices that made the initial requests.
This technique has two benefits for attackers: 1) it hides the real source of the attack, because the victim only sees unsolicited traffic from the abused servers, and 2) it multiplies the attackers' bandwidth, because a small query can trigger a response many times its size (the ratio of response size to request size is the amplification factor).
Some of the largest DDoS attacks recorded over the past few years have used amplification techniques, and DDoS mitigation providers can typically block them by filtering on the well-known ports of the commonly abused protocols: an amplified response normally arrives with the abused service's port as its UDP source port, and DNS uses port 53, NTP port 123 and SSDP port 1900.
But DDoS amplification where the traffic comes over random port numbers as Imperva saw? That’s a potential game changer.
“The implications of these findings are extensive, as they require mitigation providers to rethink the way they currently deal with amplification DDoS threats,” the Imperva researchers said in a blog post. “With source IP and port information no longer serving as reliable filtering factors, the most likely answer is to perform deep packet inspection (DPI) to identify amplification payloads—a more resource-intensive process, which is challenging to perform at an inline rate without access to dedicated mitigation equipment.”
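To make the DPI point concrete, here is an added example (not Imperva's code or the article's own) that inspects UDP payloads instead of ports: it parses the DNS header and question section and flags large, record-heavy responses whether they arrive from source port 53 or, as in the relayed attack, from an arbitrary port. The packets, addresses and thresholds are constructed for the demo.

```python
"""Added example: port-agnostic (DPI-style) detection of DNS amplification responses.

Packets below are constructed for the demo; thresholds are illustrative.
"""
import struct

# Source ports a classic amplification filter keys on (DNS, NTP, SSDP).
AMPLIFIER_PORTS = {53, 123, 1900}


def _encode_name(qname):
    return b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"


def build_dns_response(qname, txt_rrs, txt_len=200):
    """Constructed sample: an ANY response padded with `txt_rrs` large TXT records."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, txt_rrs, 0, 0)  # QR=1, RD, RA
    question = _encode_name(qname) + struct.pack("!HH", 255, 1)        # QTYPE ANY, IN
    rdata = bytes([txt_len]) + b"x" * txt_len                          # one TXT string
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata
    return header + question + rr * txt_rrs


def build_dns_query(qname):
    """Constructed sample: an ordinary recursive ANY query (QR=0)."""
    return (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
            + _encode_name(qname) + struct.pack("!HH", 255, 1))


def build_small_response(qname):
    """Constructed sample: a benign 45-byte answer carrying a single A record."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + rr


def parse_dns(payload):
    """Parse the 12-byte header and the single question; None if not DNS-shaped."""
    if len(payload) < 12:
        return None
    _ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    if qd != 1:
        return None  # amplification answers reply to exactly one question
    off = 12
    while True:  # walk length-prefixed labels up to the terminating zero byte
        if off >= len(payload):
            return None
        label_len = payload[off]
        if label_len == 0:
            off += 1
            break
        if label_len & 0xC0:
            return None  # compression pointers do not belong in a question name
        off += 1 + label_len
    if off + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    return {"qr": flags >> 15, "qd": qd, "an": an, "ns": ns, "ar": ar,
            "qtype": qtype, "qclass": qclass}


def looks_like_dns_amplification(payload, min_bytes=512, min_records=3):
    """DPI rule: a large, record-heavy DNS *response* (QR=1), whatever port it used."""
    d = parse_dns(payload)
    if d is None or d["qr"] != 1 or d["qclass"] != 1:
        return False
    return len(payload) >= min_bytes and d["an"] + d["ns"] + d["ar"] >= min_records


def flagged_by_port(packets):
    """Classic rule: indices of packets whose UDP source port is an amplifier port."""
    return [i for i, p in enumerate(packets) if p["sport"] in AMPLIFIER_PORTS]


def flagged_by_dpi(packets):
    """Payload rule: indices of packets carrying an amplification-shaped DNS answer."""
    return [i for i, p in enumerate(packets) if looks_like_dns_amplification(p["payload"])]


# Constructed traffic toward the victim (addresses are RFC 5737 documentation ranges).
SAMPLE_PACKETS = [
    {"src": "198.51.100.10", "sport": 53, "dport": 40001,   # classic reflection
     "payload": build_dns_response("example.com", 5)},
    {"src": "203.0.113.7", "sport": 1337, "dport": 40002,   # relayed via a UPnP mapping
     "payload": build_dns_response("example.com", 5)},
    {"src": "198.51.100.10", "sport": 53, "dport": 40003,   # benign small answer
     "payload": build_small_response("example.com")},
    {"src": "192.0.2.5", "sport": 1337, "dport": 40004,     # a query, not a response
     "payload": build_dns_query("example.com")},
]

if __name__ == "__main__":
    print("port filter flags:", flagged_by_port(SAMPLE_PACKETS))  # [0, 2]: misses the relayed copy
    print("DPI filter flags: ", flagged_by_dpi(SAMPLE_PACKETS))   # [0, 1]: catches it, spares benign
```

The port rule drops the relayed packet's twin from port 53 but lets the identical payload through on port 1337, and it also drops the harmless 45-byte answer; the payload rule keys on what the packet is rather than where it came from, which is the trade the Imperva quote describes: more accurate, but it means parsing every packet inline.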
While the Imperva researchers do not know for certain how the attack they saw was launched, their research identified a technique that’s a very likely candidate. It relies on abusing another commonly used protocol called Universal Plug and Play (UPnP).
UPnP is commonly used by devices to discover each other inside local networks and to automatically set up various services such as media streaming or file sharing. Devices can also use UPnP to automatically open ports in routers to make their services accessible from the internet. This is actually how many IP cameras become publicly exposed without their owners ever knowing or intending to do so.
Since it doesn’t use authentication, a router’s UPnP interface normally should only be exposed to the local area network. However, many devices come with misconfigured UPnP deployments that make them accessible over the internet. Imperva’s searches on Shodan revealed more than 1.3 million such devices.
As previously mentioned, one of the common functionalities implemented in UPnP is automatic port mapping or port forwarding. This allows traffic that reaches the router’s public IP address on certain port numbers to be forwarded automatically to devices on the local network.
It turns out that some router vendors did not lock this functionality down: the router accepts a port mapping whose internal destination is not a host on the local network but another IP address on the internet. Such a mapping turns the router into an open proxy that relays whatever traffic hits the mapped port.
In Imperva’s proof-of-concept attack, an attacker can set up a rule on a router with a vulnerable UPnP implementation to forward traffic received on a non-standard port such as 1337 to an external DNS server on the internet on port 53.
The attacker then sends a DNS query to the router on port 1337 with the source address spoofed to be the victim's IP. The router forwards the query to the external DNS server on port 53; the server sends its large response back to the router, and the router relays it to the spoofed source, the victim, with the mapped port 1337 now appearing as the source port rather than 53.
From the victim's perspective the unsolicited DNS traffic arrives from port 1337 instead of 53, so a mitigation rule that filters on source port 53 no longer matches it, even though the payload is still an ordinary DNS response.
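A check that a network owner can run against their own router, added here as an example that is not Imperva's code or the article's: it walks the router's port-mapping table with the standard GetGenericPortMappingEntry action of the WANIPConnection:1 service and flags any entry whose internal client lies outside the LAN prefix, which is exactly the relay mapping the attack above depends on. The control URL, LAN prefix and sample SOAP responses are assumptions and constructed data; the action name and its New* arguments are from the UPnP IGD specification.

```python
"""Added example: audit a router's UPnP IGD port mappings for entries that relay
traffic to hosts outside the LAN (the condition the relayed-amplification attack needs).

The GetGenericPortMappingEntry action and its New* arguments are from the standard
WANIPConnection:1 service; the control URL, LAN prefix and sample responses are
assumptions / constructed data for the demo.
"""
import ipaddress
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

IGD_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"


def soap_get_mapping(index):
    """Build the standard GetGenericPortMappingEntry request for table entry `index`."""
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:GetGenericPortMappingEntry xmlns:u="{IGD_SERVICE}">'
        f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
        '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>'
    ).encode()


def parse_mapping(xml_bytes):
    """Collect the New* output arguments of a GetGenericPortMappingEntryResponse."""
    root = ET.fromstring(xml_bytes)
    fields = {}
    for el in root.iter():
        local = el.tag.split("}")[-1]          # drop the namespace prefix, if any
        if local.startswith("New"):
            fields[local] = (el.text or "").strip()
    return fields


def is_proxy_mapping(mapping, lan):
    """True when the mapping's internal destination is not a host on our LAN.

    A legitimate mapping forwards to a LAN client; one that points at an
    internet address turns the router into a relay for whoever can reach it."""
    try:
        client = ipaddress.ip_address(mapping.get("NewInternalClient", ""))
    except ValueError:
        return False                            # malformed/empty entry, not a relay
    return client not in lan


def find_proxy_mappings(responses, lan_cidr):
    """Offline version: classify a list of raw SOAP responses."""
    lan = ipaddress.ip_network(lan_cidr)
    return [m for m in map(parse_mapping, responses) if is_proxy_mapping(m, lan)]


def audit_router(control_url, lan_cidr, max_entries=256):
    """Live version: walk the mapping table of your own router via its control URL
    (taken from the device description document it advertises over SSDP) until
    the device answers with a SOAP fault, which marks the end of the table."""
    lan = ipaddress.ip_network(lan_cidr)
    suspicious = []
    for i in range(max_entries):
        req = urllib.request.Request(
            control_url, data=soap_get_mapping(i), method="POST",
            headers={"Content-Type": 'text/xml; charset="utf-8"',
                     "SOAPAction": f'"{IGD_SERVICE}#GetGenericPortMappingEntry"'})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                mapping = parse_mapping(resp.read())
        except urllib.error.HTTPError:
            break                               # SOAP fault: no entry at this index
        if is_proxy_mapping(mapping, lan):
            suspicious.append(mapping)
    return suspicious


def _sample(ext_port, proto, int_port, client, desc):
    """Constructed SOAP response in the shape a WANIPConnection:1 device returns."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        f'<u:GetGenericPortMappingEntryResponse xmlns:u="{IGD_SERVICE}">'
        f'<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext_port}</NewExternalPort>'
        f'<NewProtocol>{proto}</NewProtocol><NewInternalPort>{int_port}</NewInternalPort>'
        f'<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>'
        f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
        '<NewLeaseDuration>0</NewLeaseDuration>'
        '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
    ).encode()


# Constructed table: two ordinary LAN forwards and one relay to an outside resolver
# (198.51.100.53 is a documentation-range stand-in for "some DNS server on the internet").
SAMPLE_RESPONSES = [
    _sample(8080, "TCP", 80, "192.168.1.50", "nas-web"),
    _sample(1337, "UDP", 53, "198.51.100.53", "relay"),
    _sample(32400, "TCP", 32400, "192.168.1.20", "media"),
]

if __name__ == "__main__":
    for m in find_proxy_mappings(SAMPLE_RESPONSES, "192.168.1.0/24"):
        print("relay mapping:", m["NewProtocol"], m["NewExternalPort"],
              "->", m["NewInternalClient"], m["NewInternalPort"])
```

Run the live variant only against a router you administer, with the LAN prefix it actually serves; a UDP entry whose internal client is an internet address, like the 1337 -> 53 row in the sample table, is the mapping described above and should be deleted, and the UPnP control interface should then be confirmed unreachable from the WAN side.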