5/15/2018 09:55 AM

New DDoS Attack Method Leverages UPnP

'Lock down UPnP routers,' researchers say.

A new DDoS technique adds a twist to this common threat and raises the chance that an attack will disrupt business operations. The attack leverages a known vulnerability in Universal Plug and Play (UPnP) to get around many current defense techniques and swamp a target's network and servers.

The basis of the attack is a DNS amplification technique, in which DNS query responses are bounced to the victim by spoofing the victim's address as the requester. In the new approach, detailed by researchers at Imperva, the traffic is routed through a UPnP router that is willing to forward requests from one external source to another, in violation of UPnP behavior rules. Because the router relays the traffic, the responses reach the victim on an unexpected UDP port and from a spoofed IP address, making it harder to shut down the flood with simple filtering.

Both the original attack and the new proof of concept used DNS amplification, but the researchers note that there is no technical reason the same approach could not be applied to SSDP, DNS, and NTP attacks.

When both source address and port are obfuscated, many current DDoS remediation techniques become ineffective. While deep packet inspection will work against the attack, it's a resource-intensive method that can be both costly and limited. The researchers say that the most effective way to stop this attack method is for organizations to lock down their UPnP routers, taking a weapon out of the hands of attackers.
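The deep packet inspection the researchers mention can be approximated with a small detector. This is an added example, not Imperva's or Dark Reading's code: it parses the DNS header of each UDP payload, flags responses that did not arrive from UDP/53 (the signature of a reply relayed through a port-forwarding router), and counts them per source address. The packet records, field names and addresses are constructed for the example.

```python
import struct
from collections import Counter

DNS_PORT = 53

def parse_dns_header(payload):
    """Return (is_response, answer_count) from a raw DNS header, or None if too short."""
    if len(payload) < 12:
        return None
    _txid, flags, _qdcount, ancount, _nscount, _arcount = struct.unpack("!6H", payload[:12])
    return bool(flags & 0x8000), ancount   # QR bit (bit 15) marks a response

def is_offport_dns_response(pkt):
    """True when a UDP payload parses as a DNS response but the source port is not 53.
    A resolver answers from UDP/53; a reply relayed through a UPnP port-forward arrives
    from whatever port the router mapped. Heuristic: non-DNS payloads with bit 15 set
    in bytes 2-3 would also match, so pair this with a rate threshold (see flag_sources)."""
    hdr = parse_dns_header(pkt["payload"])
    if hdr is None:
        return False
    is_response, ancount = hdr
    return is_response and ancount > 0 and pkt["sport"] != DNS_PORT

def flag_sources(packets, threshold=3):
    """Per-source count of off-port DNS responses; sources at or above threshold are flagged."""
    counts = Counter(p["src"] for p in packets if is_offport_dns_response(p))
    return {src: n for src, n in counts.items() if n >= threshold}

# --- constructed sample traffic (RFC 5737 documentation addresses, no real hosts) ---
def dns_payload(response, ancount=0, txid=0x1234):
    """Minimal DNS header: response=True sets QR|RD|RA (0x8180), a query sets RD (0x0100)."""
    flags = 0x8180 if response else 0x0100
    return struct.pack("!6H", txid, flags, 1, ancount, 0, 0) + b"\x00" * 40

SAMPLE_PACKETS = [
    # legitimate answer from a resolver on UDP/53: ignored
    {"src": "192.0.2.53", "sport": 53, "dport": 40001, "payload": dns_payload(True, 1)},
    # outbound query from a high port: not a response, ignored
    {"src": "203.0.113.9", "sport": 51000, "dport": 53, "payload": dns_payload(False)},
    # non-DNS UDP noise with a short payload: ignored
    {"src": "203.0.113.10", "sport": 5000, "dport": 5000, "payload": b"ping"},
] + [
    # four DNS responses relayed through a UPnP router from unexpected ports: flagged
    {"src": "198.51.100.7", "sport": 60000 + i, "dport": 40001, "payload": dns_payload(True, 12)}
    for i in range(4)
] + [
    # a single off-port response stays below the threshold and is not flagged
    {"src": "198.51.100.8", "sport": 61000, "dport": 40001, "payload": dns_payload(True, 2)},
]

if __name__ == "__main__":
    print(flag_sources(SAMPLE_PACKETS))   # {'198.51.100.7': 4}
```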


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ...
