Security researchers are seeing an increase in Distributed Denial of Service (DDoS) attacks that abuse the Universal Plug and Play (UPnP) features of home routers. The new technique makes such attacks harder to detect and, as a bonus for the attacker, harder to mitigate. Researchers at Imperva were the first to detail these attacks, which they observed last month, and predicted then that UPnP port masking would become popular with those looking to carry out a DDoS attack.
A DDoS attack uses incoming traffic to flood a victim with the intention of temporarily or indefinitely disrupting the services of a host connected to the Internet. The hallmark of DDoS is that the flood originates from many different sources, which makes it impossible to stop the attack simply by blocking a single source. UPnP allows devices on a network to discover each other's presence seamlessly and establish working network services for data sharing, communications, and entertainment, among many other services that make sharing convenient. UPnP is intended primarily for home networks rather than enterprise networks.
With the definitions out of the way, it is possible to see how the new technique is executed in the wild. According to the Imperva report published in May of this year, researchers noticed that some DDoS botnets had started using the UPnP port-forwarding features of home routers to bounce DDoS traffic off the router. Because the traffic passes through the router's NAT, its source port is rewritten to an arbitrary number rather than the well-known port of the reflected service. This not only makes detection harder but also defeats DDoS mitigation that blocks reflection traffic by its source port, since that class of mitigation relies on the source port to identify the attack. Newer mitigation products that rely on deep packet inspection (DPI) can detect attacks with randomized source ports by examining the payload itself. However, they are also more expensive and operate more slowly, as they need more time to inspect and stop the traffic.
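The difference between the two mitigation styles is easiest to see on packets. The following is an added example, not code from the Imperva report: it builds a few constructed UDP packets (plain SSDP reflection, the same SSDP payload after the router's NAT has masked its source port, a port-masked DNS reply, and unrelated benign traffic) and runs a source-port filter and a payload-based classifier over them. The payload checks (an HTTP-style 200 line with an ST: header for SSDP, the QR bit plus a non-zero answer count for DNS) are the author's own simplifications, not any vendor's DPI signatures.

```python
"""Added example (not from the Imperva report): why a source-port filter misses
UPnP port-masked reflection traffic, and how a payload-based (DPI-style) check
still catches it.  Every packet below is a constructed sample."""
import struct

SSDP_PORT = 1900   # reflector service ports a naive filter keys on
DNS_PORT = 53

# Constructed SSDP M-SEARCH reply, the payload an SSDP reflector sends back.
SSDP_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
              b"ST: upnp:rootdevice\r\nUSN: uuid:example::upnp:rootdevice\r\n\r\n")

# Constructed DNS response: header (id, flags with QR=1, QDCOUNT=1, ANCOUNT=1)
# followed by the question section for example.com/A.
DNS_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
             + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01")

# Packets as (source port, payload).  The "masked" ones carry reflector payloads
# but arrive from the random source port the abused router's NAT rewrote them to.
SAMPLE_PACKETS = [
    {"sport": SSDP_PORT, "payload": SSDP_REPLY},              # plain SSDP reflection
    {"sport": 40123, "payload": SSDP_REPLY},                  # SSDP reflection, port-masked
    {"sport": 51234, "payload": DNS_REPLY},                   # DNS reflection, port-masked
    {"sport": 443, "payload": b"\x17\x03\x03\x00\x05hello"},  # unrelated benign traffic
]


def is_ssdp_response(payload: bytes) -> bool:
    """SSDP replies are HTTP-like text: a 200 status line plus an ST: header."""
    head = payload[:512].upper()
    return head.startswith(b"HTTP/1.1 200 OK") and b"\r\nST:" in head


def is_dns_response(payload: bytes) -> bool:
    """DNS response if the QR bit (top bit of the flags word) is set and the
    header announces at least one answer record."""
    if len(payload) < 12:
        return False
    flags, _qdcount, ancount = struct.unpack("!HHH", payload[2:8])
    return bool(flags & 0x8000) and ancount > 0


def blocked_by_source_port(pkt) -> bool:
    """Naive mitigation: drop UDP whose source port is a known reflector service.
    Port masking defeats this because the source port is no longer 1900 or 53."""
    return pkt["sport"] in (SSDP_PORT, DNS_PORT)


def classify_by_payload(pkt):
    """DPI-style mitigation: decide from what the packet *is*, not from the port
    it claims to come from.  Returns "ssdp", "dns" or None."""
    if is_ssdp_response(pkt["payload"]):
        return "ssdp"
    if is_dns_response(pkt["payload"]):
        return "dns"
    return None


def summarize(packets):
    """Return (count dropped by the source-port filter, count dropped by the payload filter)."""
    by_port = sum(1 for p in packets if blocked_by_source_port(p))
    by_payload = sum(1 for p in packets if classify_by_payload(p) is not None)
    return by_port, by_payload


if __name__ == "__main__":
    print(summarize(SAMPLE_PACKETS))  # the port filter catches 1 of the 3 reflected packets
```

The payload classifier flags every reflected packet whatever its source port, at the cost of parsing each payload, which is the extra work (and cost) the article attributes to DPI products. In a real deployment the DNS check would also be stateful: a reply that matches a query the protected host actually sent is legitimate, while an SSDP reply arriving from the Internet never is.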
UPnP DDoS Attacks may be inspired by UPnProxy
In April 2018, security firm Akamai published a report revealing that cyber-espionage groups were abusing the Universal Plug and Play (UPnP) protocol to proxy malicious traffic and so hide their real location from investigators. The report further revealed that the groups using this technique controlled at least 65,000 routers, which they used to build proxy networks for various covert or illegal activities.
While the abuse of UPnP helped hide the threat actors' real locations, the protocol was also abused to inject entries into the router's NAT (Network Address Translation) table. This table controls how IPs and ports on the router's internal network are mapped to the network above it, usually the Internet. By adding NAT rules, a threat actor can connect to the router's public IP on a specific port and be redirected automatically to another IP address and port, which need not be on the router's own LAN. Put differently, this flaw allows attackers to use routers with misconfigured UPnP services as proxy servers for their operations, which prompted the Akamai researchers to give the flaw the codename UPnProxy.
The flaw is considered serious because it lets an attacker reach the login panels of routers and other devices that are not normally exposed to the Internet. Such devices, despite having weak credentials, were not previously susceptible to brute-force attacks because their admin panel is hard, and sometimes impossible, for an Internet attacker to reach. UPnProxy allows attackers to carry out brute-force attacks against the admin panels of any device on the internal network, turning what was once nearly impossible into an entirely new attack vector.
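Both abuses described above leave a trace in the router's own port-mapping table, so a defender can audit that table rather than wait for traffic. The following is an added example, not Akamai's tooling: it takes mapping rows in the shape of the fields the IGD WANIPConnection GetGenericPortMappingEntry action returns (the rows themselves are constructed samples; the router LAN address, the admin port list and the reason codes are the author's assumptions) and flags mappings that forward to a non-LAN host (the router acting as a proxy) or that expose an admin port, including the router's own, to the Internet.

```python
"""Added example (not Akamai's code): audit a router's UPnP port-mapping table
for UPnProxy-style entries.  Rows are constructed samples using the field
names of the IGD GetGenericPortMappingEntry response."""
import ipaddress

ROUTER_LAN_IP = "192.168.1.1"                 # assumed LAN address of the router itself
ADMIN_PORTS = {22, 23, 80, 443, 8080, 8443}   # assumed ports where admin panels listen

# RFC 1918 space: the only targets a home router's port mapping should ever point at.
# (ipaddress.is_private is deliberately not used: it also covers documentation
# ranges such as 203.0.113.0/24, which would hide the proxy case below.)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed mapping table.  203.0.113.45 is a documentation-range address
# standing in for an arbitrary Internet host the attacker wants to reach.
SAMPLE_MAPPINGS = [
    {"NewExternalPort": 34567, "NewProtocol": "TCP", "NewInternalClient": "192.168.1.20",
     "NewInternalPort": 34567, "NewPortMappingDescription": "BitTorrent", "NewLeaseDuration": 3600},
    {"NewExternalPort": 8080, "NewProtocol": "TCP", "NewInternalClient": "203.0.113.45",
     "NewInternalPort": 80, "NewPortMappingDescription": "", "NewLeaseDuration": 0},
    {"NewExternalPort": 2222, "NewProtocol": "TCP", "NewInternalClient": "192.168.1.1",
     "NewInternalPort": 80, "NewPortMappingDescription": "", "NewLeaseDuration": 0},
]


def is_lan_address(addr: str) -> bool:
    """True only for RFC 1918 addresses."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def audit_mapping(m) -> list:
    """Return the reason codes that make one mapping look like UPnProxy abuse
    (an empty list means the mapping looks like ordinary LAN port forwarding)."""
    reasons = []
    client, port = m["NewInternalClient"], m["NewInternalPort"]
    if not is_lan_address(client):
        # External -> external forwarding: the router is being used as a proxy.
        reasons.append("PROXY_TO_INTERNET")
    elif client == ROUTER_LAN_IP and port in ADMIN_PORTS:
        # The router's own management interface is now reachable from the Internet.
        reasons.append("ROUTER_ADMIN_EXPOSED")
    elif port in ADMIN_PORTS:
        # Some other LAN device's admin/login port is reachable from the Internet.
        reasons.append("LAN_ADMIN_EXPOSED")
    if m["NewLeaseDuration"] == 0 and not m["NewPortMappingDescription"]:
        # Permanent, undescribed mappings are not what consumer software creates.
        reasons.append("PERMANENT_UNDESCRIBED")
    return reasons


def audit_table(mappings) -> dict:
    """Map each flagged external port to its reason codes; clean mappings are omitted."""
    findings = {}
    for m in mappings:
        reasons = audit_mapping(m)
        if reasons:
            findings[m["NewExternalPort"]] = reasons
    return findings


if __name__ == "__main__":
    for ext_port, reasons in audit_table(SAMPLE_MAPPINGS).items():
        print(f"external port {ext_port}: {', '.join(reasons)}")
```

To run this against a real router, walk the table with GetGenericPortMappingEntry at NewPortMappingIndex 0, 1, 2, ... until the device answers with UPnP error 713 (SpecifiedArrayIndexInvalid). A router that accepts those SOAP requests on its WAN interface, rather than only from the LAN, is itself the misconfiguration the Akamai report describes, and that is the first thing to fix.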
UPnProxy has already been exploited by Inception Framework
In March, Symantec published a report detailing that its researchers had seen a nation-state-backed actor codenamed "Inception Framework" using the UPnProxy technique to hide its real location behind proxies. According to Symantec, Inception Framework has been active since at least May 2014 and stands out for the advanced, highly automated framework it uses to support its targeted attacks, a level of sophistication rarely seen even among other APT groups. The nature of Inception's targets, from 2014 through to today, along with the capabilities of its tools, indicates that espionage is the group's primary motive. More than half of the group's earlier targets were in the energy or defense sectors; it has also targeted organizations in the security, aerospace, research, and media sectors, and its targets are not limited to companies, as it has also targeted embassies. Its activities range across the globe, with targets in South Africa, Kenya, the United Kingdom, Malaysia, and Suriname, along with several other European and Middle Eastern countries.
From the above examples it is clear that abuse of the UPnP protocol is a new reality facing researchers, administrators, and investigators. Given the complexity of pulling off a successful attack, it also appears likely to be a technique favored by professional, well-resourced groups, which often means state-sponsored actors. Those in charge of defending networks have yet another thing to worry about.