Attackers Utilize UPnP Features to Make DDoS Attacks Harder to Recognize

Security researchers continue to observe DDoS attacks that use the UPnP features of home routers to modify network packets, making the attacks harder to recognize and mitigate with classic solutions.


Researchers from Imperva first detailed this new technique, UPnP port masking, a month ago.


Imperva staff reported that some DDoS botnets had begun using the UPnP protocol found on home routers to bounce DDoS traffic off the router while changing the traffic's source port to an arbitrary number.


Because the source port was changed, older DDoS mitigation systems that relied on reading this value to block incoming attacks began failing left and right, allowing the DDoS traffic to reach its intended targets.


Newer DDoS mitigation systems that rely on deep packet inspection (DPI) can identify attacks that use randomized source ports, but they are also more expensive for users and slower, so they take more time to detect and stop attacks.

Back in May, researchers at Imperva said they had seen botnets carrying out DDoS attacks over the DNS and NTP protocols while using UPnP to disguise the traffic as coming from random ports rather than port 53 (DNS) or port 123 (NTP).


At the time, Bleeping Computer predicted that the technique would become more popular among botnet authors. That prediction came true yesterday, when Arbor Networks published a report describing similar DDoS attacks that used the UPnP protocol, this time to mask SSDP-based DDoS attacks.


SSDP DDoS attacks that would otherwise have been easily mitigated by blocking incoming packets from port 1900 were harder to spot, because most of the traffic came from random ports rather than a single one.
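As an added illustration (not from the original article, Imperva or Arbor Networks), the following Python sample shows why a source-port rule misses port-masked SSDP replies while a payload-based (DPI-style) rule still catches them. The datagrams, ports and device address are constructed for the example.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Datagram:
    """One inbound UDP datagram as seen at a DDoS scrubbing point."""
    src_port: int
    dst_port: int
    payload: bytes

# Constructed SSDP M-SEARCH reply: the payload reflected in an SSDP amplification
# flood. The LOCATION host is an RFC 5737 documentation address, not a real device.
SSDP_REPLY = (b"HTTP/1.1 200 OK\r\n"
              b"CACHE-CONTROL: max-age=120\r\n"
              b"ST: ssdp:all\r\n"
              b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
              b"LOCATION: http://192.0.2.10:49152/rootDesc.xml\r\n\r\n")

# Constructed sample: one classic reflected reply from UDP/1900, two copies whose
# source port was rewritten by UPnP port masking, and one unrelated DNS datagram.
SAMPLE = [
    Datagram(1900, 40000, SSDP_REPLY),
    Datagram(33421, 40000, SSDP_REPLY),
    Datagram(61002, 40000, SSDP_REPLY),
    Datagram(53, 40000, b"\x12\x34\x81\x80" + b"\x00" * 8),
]

# Header names that only appear in SSDP discovery messages.
SSDP_HEADER = re.compile(rb"^(ST|USN|NT|NTS):", re.I | re.M)

def port_rule(d: Datagram) -> bool:
    """Legacy rule: treat a datagram as SSDP reflection only if it comes from UDP/1900."""
    return d.src_port == 1900

def payload_rule(d: Datagram) -> bool:
    """DPI rule: recognise an SSDP reply by its content, whatever the source port."""
    return (d.payload.startswith(b"HTTP/1.1 200 OK\r\n")
            and SSDP_HEADER.search(d.payload) is not None)

def count_flagged(datagrams, rule) -> int:
    """Number of datagrams the given rule would drop."""
    return sum(1 for d in datagrams if rule(d))

if __name__ == "__main__":
    print("port rule drops   :", count_flagged(SAMPLE, port_rule))     # 1
    print("payload rule drops:", count_flagged(SAMPLE, payload_rule))  # 3
```

The port rule drops only the one reply that still arrives from 1900; the payload rule drops all three SSDP replies and leaves the DNS datagram alone.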


This UPnP-based port masking technique is clearly spreading among DDoS operators. DDoS mitigation providers will have to adapt if they want to stay in business, and organizations will need to invest in upgraded protections if they want to stay afloat against these new types of damaging DDoS attacks.
