A new distributed denial of service (DDoS) attack takes advantage of an exploitable vulnerability in the Universal Plug and Play (UPnP) networking protocol.
That vulnerability can allow attackers to bypass common methods for detecting their actions.
Attacks end up being launched from irregular source ports, making it difficult to determine their origin and to blacklist those ports in order to protect against future incidents.
“The implications of these findings are extensive, as they require mitigation providers to rethink the way they currently deal with amplification DDoS threats,” said researchers at security company Imperva, who found the attack.
The new form of DDoS attack has been used by unknown attackers twice, the researchers said in a post.
The UPnP protocol is commonly used for device discovery, especially so by Internet of Things (IoT) devices, which use it to find each other and communicate over a local network.
The protocol is still used despite known issues around poor default settings, lack of authentication, and UPnP-specific remote code execution vulnerabilities, which leave devices vulnerable to attack.
Examples of problems with the protocol go all the way back to 2001, but the simplicity of using it means it is still widely deployed.
Imperva researchers said the discovery of how it can be used to make DDoS attacks more difficult to mitigate could mean widespread problems.
Researchers first noticed something was new during a Simple Service Discovery Protocol (SSDP) attack in April. Botnets of this type tend to be small and spoof their victim's IP address in order to query common Internet-connected devices such as routers, printers and access points.
While most of the attacks were arriving from the usual SSDP port number of 1900, around 12 percent of payloads were arriving from randomized source ports.
Imperva investigated and found a UPnP-integrated attack method could be used to hide source port information.
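The practical consequence of the randomized source ports is that a filter keyed on "UDP source port 1900" no longer sees the whole attack. The following is an added example, not code from the article or from Imperva, showing the defender's alternative: classify inbound flows as SSDP responses by their payload (an HTTP/1.1 200 OK reply carrying ST: and USN: headers) rather than by port, and measure how much a port-only filter would miss. The flow records, addresses and USN values are constructed here to mimic the pattern the article describes (most replies from port 1900, a minority from random ports); the Flow type and the helper names are this example's own.

```python
"""Detect SSDP amplification replies by payload content, not by source port.

Added example (not from the article or Imperva). The sample flows below are
constructed: documentation-range addresses, made-up USN values, and a mix of
replies from udp/1900 and from randomized source ports.
"""
from dataclasses import dataclass

SSDP_PORT = 1900
VICTIM = "203.0.113.5"  # constructed spoofed-victim address


@dataclass(frozen=True)
class Flow:
    """Minimal flow record: one UDP datagram seen at the victim's edge."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    payload: bytes


def is_ssdp_response(payload: bytes) -> bool:
    """True if the datagram looks like an SSDP M-SEARCH reply.

    SSDP replies are HTTP-style text over UDP: a '200 OK' status line plus
    ST: (search target) and USN: (unique service name) headers. Matching on
    this content works whatever source port the reply arrives from.
    """
    head = payload[:512].upper()
    return (head.startswith(b"HTTP/1.1 200 OK")
            and b"\r\nST:" in head
            and b"\r\nUSN:" in head)


def port_filter(flows):
    """The classic port-based rule: flag UDP traffic from source port 1900."""
    return [f for f in flows if f.proto == "udp" and f.src_port == SSDP_PORT]


def payload_filter(flows):
    """Content-based rule: flag UDP datagrams whose payload is an SSDP reply."""
    return [f for f in flows if f.proto == "udp" and is_ssdp_response(f.payload)]


def report(flows):
    """Compare both rules and report what the port-only rule would miss."""
    by_payload = payload_filter(flows)
    by_port = port_filter(flows)
    missed = [f for f in by_payload if f.src_port != SSDP_PORT]
    return {
        "ssdp_by_payload": len(by_payload),
        "ssdp_by_port": len(by_port),
        "missed_by_port_filter": len(missed),
        # share of real SSDP replies that did not come from udp/1900
        "offport_share": len(missed) / len(by_payload) if by_payload else 0.0,
        "offport_sources": sorted((f.src_ip, f.src_port) for f in missed),
    }


def ssdp_reply(usn: bytes) -> bytes:
    """Build a constructed SSDP M-SEARCH reply body for the sample data."""
    return (b"HTTP/1.1 200 OK\r\n"
            b"CACHE-CONTROL: max-age=1800\r\n"
            b"ST: upnp:rootdevice\r\n"
            b"USN: uuid:" + usn + b"::upnp:rootdevice\r\n"
            b"LOCATION: http://192.0.2.10:49152/desc.xml\r\n\r\n")


def build_sample_flows():
    """Constructed sample: 22 replies from port 1900, 3 from random ports,
    plus 2 unrelated UDP datagrams that neither rule should flag."""
    flows = [Flow(f"192.0.2.{i + 1}", SSDP_PORT, VICTIM, 80, "udp",
                  ssdp_reply(b"dev%02d" % i)) for i in range(22)]
    for i, port in enumerate((41231, 55873, 60112)):
        flows.append(Flow(f"198.51.100.{i + 1}", port, VICTIM, 80, "udp",
                          ssdp_reply(b"hid%02d" % i)))
    flows.append(Flow("198.51.100.50", 53, VICTIM, 33000, "udp",
                      b"\x12\x34\x81\x80\x00\x01"))  # DNS-like noise
    flows.append(Flow("198.51.100.51", 12345, VICTIM, 80, "udp", b"hello"))
    return flows


if __name__ == "__main__":
    summary = report(build_sample_flows())
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the constructed sample the port rule flags 22 datagrams while the payload rule flags 25, so the port-only filter misses 12 percent of the SSDP replies, the same proportion the article reports seeing from randomized ports. The design point is that a rate limiter or blocklist keyed on the payload signature (or on the per-source reply volume) stays effective when the source port is unpredictable, whereas one keyed on port 1900 does not.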
Attackers could easily find devices to take advantage of by using the Shodan IoT search engine – researchers found over 1.3 million devices which could be exploitable, especially if the attacker used scripts to automate discovery.
There is now a simple way to protect systems.
“This and many other UPnP exploits can be very easily avoided just by blocking the devices from being remotely accessible — an option that, in most cases, only exists as an oversight, since it serves no useful function or has any benefit for device users,” researchers said.