UPnP joins the ‘just turn it off on consumer devices, already’ club

Posted on by Robin Edgar

It’s not particularly difficult, particularly with Shodan to help. The required steps are:

  • Discover targets on Shodan by searching for the rootDesc.xml file (Imperva found 1.3 million devices);
  • Use HTTP to access rootDesc.xml;
  • Modify the victim’s port forwarding rules (the researchers noted that this isn’t supposed to work, since port forwarding should be between internal and external addresses, but “few routers actually bother to verify that a provided ‘internal IP’ is actually internal, and [they abide] by all forwarding rules as a result”.
  • Launch the attack.

That means an attacker can create a port forwarding rule that spoofs a victim’s IP address – so a bunch of ill-secured routers can be sent a DNS request which they’ll try to return to the victim, in the classic redirection DDoS attack.

The port forwarding lets an attacker use “evasive ports”, “enabling them to bypass commonplace scrubbing directives that identify amplification payloads by looking for source port data for blacklisting”, the post explained.

Source: UPnP joins the ‘just turn it off on consumer devices, already’ club • The Register

Robi nEdgar sitting in a chair

Robin Edgar

Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft

 robin@edgarbv.com  https://www.edgarbv.com