Akamai Diversity

The Akamai Blog

UPnP Devices Used in DDoS Attacks

Attackers are using Universal Plug and Play (UPnP) devices to launch massive DDoS assaults, Akamai's Prolexic Security Engineering & Research Team (PLXsert) warned this morning in an advisory.

PLXsert estimates that 4.1 million UPnP devices are potentially vulnerable to exploits used for reflection DDoS attacks. That's about 38 percent of the 11 million devices in use around the world. PLXsert plans to share the list of potentially exploitable devices to members of the security community in an effort to collaborate with cleanup and mitigation efforts.

PLXsert said the attack deliberately misuses communications protocols that come enabled on millions of home and office devices, including routers, media servers, web cams, smart TVs and printers.

The protocols allow devices to discover each other on a network, establish communication and coordinate activities. Attackers have been abusing these protocols on such devices to generate floods of traffic and cause website and network outages.

PLXsert replicated the technique in a lab environment. From the advisory:

In the first step of the attack process, a SOAP request (M-SEARCH) is sent to a UPnP-enabled device. The M-SEARCH packet identifies vulnerable devices, and the device responds to the request with the HTTP location of its device description file -- an XML file. After gathering a list of vulnerable devices, the attacker will send malicious requests to cause a reflected and amplified response to the attacker's target. The size of the response and amplification factor may vary depending on the contents of the device description file, such as response header, banner, operating system and UUID. While replicating this attack vector in a LAN laboratory environment, PLXsert measured an amplification factor of approximately 33 percent.

Stuart Scholly, senior vice president and general manager of Akamai's Security Business Unit, said PLXsert began seeing attacks from UPnP devices in July. "The number of UPnP devices that will behave as open reflectors is vast, and many of them are home-based Internet-enabled devices that are difficult to patch," he said. "Action from firmware, application and hardware vendors must occur in order to mitigate and manage this threat."

The advisory outlined actions to blunt the threat:

System hardening, community action
The challenge for system hardening is the almost non-existent patch and update management processes from vendors and the placement in homes and enterprises of misconfigured devices by service providers (mainly ISPs) and device vendors (printers, VoIP, routers, modems, etc.). As a result of mismanagement, millions of these devices are open on the Internet and exploitable beyond the scope of this advisory.

The following system hardening is advised:

  • If not needed, block wide-area network (WAN)-based UPnP requests to client devices, or do not allow UPnP access from the Internet at all
  • Disable UPnP services on devices where it is not a functional requirement
  • Proactively patch and update UPnP devices that are required to be open to the Internet.
  • Review the US-CERT vulnerability note VU#92268, which provides details about vulnerabilities related to UPnP and mitigation2

DDoS Defense

The mitigation of this attack vector is complicated because of the very large numbers of vulnerable devices and their geographical distribution. However one recommendation is to block source port 1900 traffic to your host to prevent bandwidth loads to services that do not use UPnP service, such as web hosting or possible exploitation attacks.