Distributed Denial of Service (DDoS) attacks are a huge cybersecurity problem. And they’re only getting worse. According to Neustar’s May 2017 Worldwide DDoS Attacks & Cyber Insights Research Report, 84% of the 1,010 organizations surveyed suffered at least one significant DDoS attack in the past twelve months, up from 73% in 2016.
86% of the surveyed organizations reported multiple DDoS attacks in that period. Compared to the 2016 report, the 2017 report recorded twice as many DDoS attacks exceeding 50 Gbps. Chances are 2018 will be even worse.
Now, there’s news of a new type of DDoS attack. This attack method is designed to evade DDoS mitigation measures, making it a stealthier way to bring down targeted networks.
UPnP DDoS Attacks
Security researchers at Imperva have discovered a sneaky new way to perform a DDoS attack. They caught cyber attackers using it in the wild, and they’ve been able to replicate the attack themselves.
The Universal Plug and Play (UPnP) protocol is designed to facilitate device discovery over a network using UDP port 1900, and then uses a TCP port for device control. UPnP is often used within LANs so that routers, printers, and client machines can discover each other and communicate. When implemented properly, it can make a network administrator’s job easier.
Unfortunately, UPnP has a number of well-known vulnerabilities. Default settings can leave UPnP exposed to external attackers because the protocol has no authentication mechanism. There are also many remote code execution vulnerabilities specific to UPnP.
DDoS attacks in general are often mitigated by identifying the source ports the attack traffic comes from and blocking that traffic. But because of the way UPnP is designed, attackers can easily mask the source port they are exploiting. UPnP is made to forward Internet connections into a LAN by mapping an external port on the router to an internal IP address and port. Routers should only accept mappings whose internal address is actually inside the LAN, but few routers properly verify this. Attackers can exploit that gap to route their external connections through the targeted router, and if they are able to poison the port mapping table, they can use the router as a proxy.
Using that exploit to mask their source port, cyber attackers can proceed to execute an amplification DDoS attack.
Typical amplification DDoS attacks arrive from the source port of the service being abused for amplification, so blocking specific ports usually mitigates them. Obviously, that doesn’t apply to amplification DDoS attacks that exploit UPnP to rewrite the source port.
UPnP DDoS Attacks in Practice
On April 11, 2018, Imperva mitigated what was probably the first UPnP DDoS attack they had seen: an SSDP (Simple Service Discovery Protocol) amplification assault in which some of the SSDP payloads came from an unexpected source port instead of UDP port 1900. Imperva researchers were perplexed by what they saw. To work out what was going on, they eventually built a proof of concept that uses UPnP to obfuscate the source port of a DDoS amplification attack. Eureka!
The first step in creating the proof of concept was using the Shodan search engine to find an exploitable UPnP router. Those devices often have a “rootDesc.xml” file, so that’s how the search was queried.
Once they found an exploitable UPnP router, they accessed the XML file through HTTP by changing the file’s location IP address.
The next step involved editing the “rootDesc.xml” file to modify the port forwarding rules. The rules need to be modified in such a way as to allow an attacker to route external IP connections to internal IPs. That step takes advantage of the fact that most routers don’t properly verify that stated internal IPs are actually internal. Oops!
To set the stage for an amplification DDoS attack which exploits UPnP for obfuscation, the following steps had to be taken:
- A DNS request was sent to the targeted UPnP router through UDP port 1337.
- Thanks to the new port forwarding rules, the request was sent to a DNS resolver over destination port UDP 53.
- The resolver responded to the device through source port UDP 53.
- Then the source port was changed to UDP port 1337, and the targeted UPnP router forwarded the DNS response to the source of the request.
With all of that taken care of, an amplification DDoS attack can then be executed and most DDoS mitigation methods wouldn’t be able to stop it. The same method demonstrated in Imperva’s proof of concept can be used with NTP and SSDP attacks instead of DNS. Memcached DDoS attacks could use the new UPnP obfuscation method as well.
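The mapping described in the steps above leaves a visible trace on the router: a forwarding entry whose "internal" client is not on the LAN at all. The following audit script is an added example (not code from the original article or from Imperva) that parses the GetGenericPortMappingEntry SOAP responses an IGD WANIPConnection service returns when its mapping table is enumerated, and flags entries whose internal client is not a private (RFC 1918) address or lies outside the assumed LAN prefix. The SOAP responses, the LAN prefix 192.168.1.0/24 and all addresses are constructed samples; the relay entry (UDP 1337 forwarded to a public resolver on port 53) mirrors the article's scenario.

```python
"""Audit a UPnP IGD port-mapping table for 'internal' clients that are not on the LAN.

Added example; not the article's or Imperva's code. Parses constructed
GetGenericPortMappingEntryResponse bodies (WANIPConnection:1 field names) and
flags mappings a router should never have accepted.
"""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN prefix of the audited router
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP"}  # UDP services named in the article


@dataclass(frozen=True)
class PortMapping:
    external_port: int
    protocol: str
    internal_port: int
    internal_client: str
    description: str


def parse_mapping_entry(soap_xml: str) -> PortMapping:
    """Extract one mapping from a GetGenericPortMappingEntryResponse body."""
    root = ET.fromstring(soap_xml)
    # The response element carries the service namespace; match on its local name.
    resp = next(el for el in root.iter() if el.tag.endswith("GetGenericPortMappingEntryResponse"))

    def field(name: str) -> str:
        return (resp.findtext(name) or "").strip()

    return PortMapping(int(field("NewExternalPort")), field("NewProtocol").upper(),
                       int(field("NewInternalPort")), field("NewInternalClient"),
                       field("NewPortMappingDescription"))


def audit_mapping(m: PortMapping, lan=LAN):
    """Return a reason string if the mapping is suspicious, otherwise None."""
    try:
        client = ipaddress.ip_address(m.internal_client)
    except ValueError:
        return f"internal client {m.internal_client!r} is not an IP address"
    if not any(client in net for net in RFC1918):
        # The check the article says most routers skip: the 'internal' client is
        # a public host, so the router would act as a proxy to it.
        svc = REFLECTOR_PORTS.get(m.internal_port)
        hint = f" ({svc} reflector port)" if svc and m.protocol == "UDP" else ""
        return (f"{m.protocol} {m.external_port} -> {client}:{m.internal_port}{hint}: "
                "internal client is not a private address")
    if client not in lan:
        return f"internal client {client} is outside the LAN prefix {lan}"
    return None


def audit_table(responses):
    """Audit a list of SOAP responses; return (mapping, reason) pairs for bad entries."""
    findings = []
    for xml in responses:
        m = parse_mapping_entry(xml)
        reason = audit_mapping(m)
        if reason:
            findings.append((m, reason))
    return findings


def _soap(ext_port, proto, int_port, client, desc):
    """Build a constructed GetGenericPortMappingEntryResponse for the samples."""
    return f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
    s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext_port}</NewExternalPort>
<NewProtocol>{proto}</NewProtocol><NewInternalPort>{int_port}</NewInternalPort>
<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>{desc}</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""


# Constructed sample table: a legitimate LAN mapping, a relay to a public resolver
# on UDP 53 (203.0.113.53 is a documentation address), and a private address
# that is not on this router's LAN.
SAMPLE_RESPONSES = [
    _soap(8080, "TCP", 80, "192.168.1.10", "home web server"),
    _soap(1337, "UDP", 53, "203.0.113.53", ""),
    _soap(2222, "TCP", 22, "10.0.0.5", "ssh"),
]

if __name__ == "__main__":
    for m, reason in audit_table(SAMPLE_RESPONSES):
        print(f"SUSPICIOUS: {reason}  [desc={m.description!r}]")
```

Running the script against a real router means issuing GetGenericPortMappingEntry for increasing NewPortMappingIndex values until the service returns an error and feeding each response body to `parse_mapping_entry`; any finding from `audit_table` is a mapping that should be deleted and treated as a sign the device has been tampered with from outside.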
Mitigating This Attack Method
So how can this new DDoS attack method be mitigated? According to Imperva:
“With source IP and port information no longer serving as reliable filtering factors, the most likely answer is to perform deep packet inspection (DPI) to identify amplification payloads—a more resource-intensive process, which is challenging to perform at an inline rate without access to dedicated mitigation equipment.”
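What "identifying amplification payloads" by deep packet inspection looks like in practice is illustrated by the following added example, which is not code from the article or from Imperva. It decides from the payload bytes alone whether a UDP datagram is a DNS response, an NTP private-mode (monlist-style) response or an SSDP M-SEARCH reply, and flags any such response arriving from a source port other than the service's own (53, 123, 1900). The packets, addresses and payloads are constructed samples; the protocol details used are the DNS header QR/ANCOUNT fields, the NTP mode-7 first byte and the SSDP HTTP/1.1 200 OK text form.

```python
"""Payload-based (DPI-style) identification of UDP amplification responses.

Added example, not the article's or Imperva's code. Classifies a datagram
without consulting its source port, then flags responses whose source port
does not match the service, which is exactly what UPnP port forwarding hides.
"""
import struct
from dataclasses import dataclass

# Source port reflected traffic normally arrives from, per protocol.
EXPECTED_SRC_PORT = {"dns": 53, "ntp": 123, "ssdp": 1900}


@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Finding:
    src_ip: str
    src_port: int
    proto: str
    reason: str


def classify_payload(payload: bytes):
    """Return 'dns', 'ntp' or 'ssdp' for an amplification-style response, else None."""
    # SSDP: M-SEARCH replies are HTTP/1.1 200 OK text carrying an ST: header.
    if payload.startswith(b"HTTP/1.1 200 OK"):
        head = payload.split(b"\r\n\r\n", 1)[0].upper()
        if b"\r\nST:" in head:
            return "ssdp"
    # NTP private mode (mode 7, used by monlist): first byte is R|M|VN(3)|MODE(3).
    # R (bit 7) set together with mode 7 marks a private-mode response.
    if len(payload) >= 8 and (payload[0] & 0x07) == 7 and payload[0] & 0x80:
        return "ntp"
    # DNS: 12-byte header; QR bit set means response, ANCOUNT > 0 means it carries data.
    if len(payload) >= 12:
        flags, _qdcount, ancount = struct.unpack("!HHH", payload[2:8])
        if flags & 0x8000 and ancount > 0:
            return "dns"
    return None


def flag_obfuscated_amplification(packets):
    """Flag amplification responses whose source port does not match the service."""
    findings = []
    for p in packets:
        proto = classify_payload(p.payload)
        if proto is None:
            continue
        expected = EXPECTED_SRC_PORT[proto]
        if p.src_port != expected:
            findings.append(Finding(p.src_ip, p.src_port, proto,
                f"{proto} response ({len(p.payload)} bytes) from src port "
                f"{p.src_port}, expected {expected}: source port obfuscated"))
    return findings


# --- constructed sample payloads ---------------------------------------------
def _dns_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_dns_message(response: bool, n_answers: int = 0) -> bytes:
    """Minimal DNS message for example.com/A: a query, or a response with n answers."""
    flags = 0x8180 if response else 0x0100
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, n_answers, 0, 0)
    question = _dns_name("example.com") + struct.pack("!HH", 1, 1)  # type A, class IN
    # Each answer: name pointer to offset 12, type A, class IN, TTL, RDLENGTH 4, IPv4.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 7])
    return header + question + answer * n_answers


SAMPLE_DNS_RESPONSE = build_dns_message(response=True, n_answers=20)
SAMPLE_DNS_QUERY = build_dns_message(response=False)
# NTP monlist-style reply: 0x97 = R=1, M=0, VN=2, mode=7, then count/size words
# and six 72-byte entries of filler.
SAMPLE_NTP_MONLIST = b"\x97\x00\x03\x2a" + b"\x00\x06\x00\x48" + b"\x00" * (6 * 72)
SAMPLE_SSDP = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\n"
               b"ST: upnp:rootdevice\r\nUSN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
               b"LOCATION: http://192.0.2.1:1900/rootDesc.xml\r\n\r\n")

SAMPLE_PACKETS = [
    UdpPacket("198.51.100.7", 1337, 40000, SAMPLE_DNS_RESPONSE),   # obfuscated DNS
    UdpPacket("198.51.100.8", 53, 40000, SAMPLE_DNS_RESPONSE),     # normal DNS reply
    UdpPacket("198.51.100.9", 1337, 40000, SAMPLE_NTP_MONLIST),    # obfuscated NTP
    UdpPacket("198.51.100.10", 4444, 40000, SAMPLE_SSDP),          # obfuscated SSDP
    UdpPacket("198.51.100.11", 1337, 53, SAMPLE_DNS_QUERY),        # plain query, ignored
]

if __name__ == "__main__":
    for f in flag_obfuscated_amplification(SAMPLE_PACKETS):
        print(f"{f.src_ip}:{f.src_port} {f.reason}")
```

The classifier looks only at protocol structure, so a response reflected through a UPnP mapping is recognised even though its source port has been rewritten to 1337; that is the cost Imperva describes, since every datagram must be parsed rather than matched on a port number.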
Did the DDoS attack that Imperva mitigated on April 11 actually exploit UPnP for port obfuscation?
“It should be noted that we also considered alternative hypotheses for the attack that prompted our investigation. For instance, that the occurrence in question could have been explained by an internal network setup or a purposeful forwarding configuration, which unintentionally resulted in port obfuscation.”
But another DDoS amplification attack which Imperva researchers mitigated on April 26 supported their original hypothesis, matching the behaviour of their proof of concept. The April 26 attack was executed through an NTP amplification vector. Some of the payloads originated from a source port which wasn’t the usual UDP port 123. That attack behaved just like their proof of concept, with NTP in place of DNS.
So if UPnP obfuscation is used more frequently by cyber attackers to execute amplification DDoS attacks which evade usual DDoS mitigation measures, more routers are going to have to implement deep packet inspection. It may be more resource-intensive, but it may be absolutely necessary as DDoS attacks evolve.