It’s not especially difficult, particularly with Shodan to help. The required steps are:

  • Discover targets on Shodan by searching for the rootDesc.xml file (Imperva found 1.3 million devices);
  • Use HTTP to access rootDesc.xml;
  • Modify the exposed router’s port forwarding rules (the researchers noted that this isn’t supposed to work, since a forwarding rule should map an external port to an address on the router’s own LAN, but “few routers actually bother to verify that a provided ‘internal IP’ is actually internal, and [they abide] by all forwarding rules as a result”);
  • Launch the attack.
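
The three technical steps above, as an added example that is not part of the article or of Imperva’s own tooling: it parses a rootDesc.xml (the sample document below is constructed, trimmed to the elements a real one carries), resolves the WANIPConnection control URL, builds the AddPortMapping SOAP action, and applies the LAN-membership check on NewInternalClient that the researchers say most routers skip. The gateway address 192.0.2.1, the LAN prefix 192.168.1.0/24 and the port numbers are assumptions; run the network part only against a gateway you own.

```python
"""Added example: parse a UPnP rootDesc.xml, build the AddPortMapping SOAP call,
and apply the LAN-membership check on NewInternalClient that the researchers
say most routers omit. Test it only against a gateway you own."""
import ipaddress
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple
from urllib.parse import urljoin

DEVICE_NS = "urn:schemas-upnp-org:device-1-0"

# Constructed sample, trimmed to the parts of a real rootDesc.xml that matter here.
SAMPLE_ROOTDESC = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <device>
    <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
    <friendlyName>Example IGD</friendlyName>
    <deviceList><device>
      <deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
      <deviceList><device>
        <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
        <serviceList><service>
          <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
          <serviceId>urn:upnp-org:serviceId:WANIPConn1</serviceId>
          <controlURL>/ctl/IPConn</controlURL>
          <eventSubURL>/evt/IPConn</eventSubURL>
          <SCPDURL>/WANIPCn.xml</SCPDURL>
        </service></serviceList>
      </device></deviceList>
    </device></deviceList>
  </device>
</root>
"""


def find_wan_control_url(rootdesc_xml: str, base_url: str) -> Optional[Tuple[str, str]]:
    """Return (serviceType, absolute controlURL) for the first WAN*Connection service.

    controlURL is usually relative, so it is resolved against the URL rootDesc.xml
    was fetched from (older devices may instead carry <URLBase>, not handled here)."""
    root = ET.fromstring(rootdesc_xml)
    for svc in root.iter(f"{{{DEVICE_NS}}}service"):
        stype = svc.findtext(f"{{{DEVICE_NS}}}serviceType", default="")
        if "WANIPConnection" in stype or "WANPPPConnection" in stype:
            ctl = svc.findtext(f"{{{DEVICE_NS}}}controlURL", default="")
            return stype, urljoin(base_url, ctl)
    return None


def add_port_mapping_request(service_type: str, ext_port: int, int_client: str,
                             int_port: int, proto: str = "UDP",
                             description: str = "upnp-check") -> Tuple[Dict[str, str], bytes]:
    """Build the headers and SOAP body of a WANIPConnection AddPortMapping action."""
    body = f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
            s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:AddPortMapping xmlns:u="{service_type}">
      <NewRemoteHost></NewRemoteHost>
      <NewExternalPort>{ext_port}</NewExternalPort>
      <NewProtocol>{proto}</NewProtocol>
      <NewInternalPort>{int_port}</NewInternalPort>
      <NewInternalClient>{int_client}</NewInternalClient>
      <NewEnabled>1</NewEnabled>
      <NewPortMappingDescription>{description}</NewPortMappingDescription>
      <NewLeaseDuration>0</NewLeaseDuration>
    </u:AddPortMapping>
  </s:Body>
</s:Envelope>"""
    headers = {
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{service_type}#AddPortMapping"',
    }
    return headers, body.encode()


def internal_client_is_internal(int_client: str, lan_net: str) -> bool:
    """The check a correct IGD applies: NewInternalClient must sit on the router's own LAN.
    Skipping it is what lets a public address (a resolver, a victim) become the target."""
    try:
        return ipaddress.ip_address(int_client) in ipaddress.ip_network(lan_net, strict=False)
    except ValueError:
        return False


def send_soap(control_url: str, headers: Dict[str, str], body: bytes, timeout: float = 5.0) -> bytes:
    """POST the action to the control URL; an HTTP 200 means the router accepted the mapping."""
    req = urllib.request.Request(control_url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Offline walk-through against the constructed sample; no packets are sent.
    found = find_wan_control_url(SAMPLE_ROOTDESC, "http://192.0.2.1:1900/rootDesc.xml")
    assert found is not None
    service_type, control_url = found
    print("control URL:", control_url)
    for client in ("192.168.1.10", "8.8.8.8"):
        hdrs, body = add_port_mapping_request(service_type, 1337, client, 53)
        ok = internal_client_is_internal(client, "192.168.1.0/24")
        print(f"AddPortMapping -> {client}: {'LAN address' if ok else 'NOT internal, should be refused'}")
        # Against your own gateway: send_soap(control_url, hdrs, body), then clean up
        # with the matching DeletePortMapping action.
```

If your gateway returns 200 for the 8.8.8.8 mapping, it is one of the routers the researchers describe; the fix is to disable UPnP on the WAN side (or entirely), not to rely on the router validating the internal address.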

That means an attacker can add a forwarding rule to an ill-secured router and then send it DNS requests with the victim’s IP address spoofed as the source; the router will try to return the replies to the victim. Do that across a large set of such routers and you have the classic reflection DDoS attack.

The port forwarding lets an attacker use “evasive ports”, “enabling them to bypass commonplace scrubbing directives that identify amplification payloads by looking for source port data for blacklisting”, the post explained. In other words, the amplified replies reach the victim from whatever external port the attacker chose for the forwarding rule rather than from UDP/53, so a filter that drops large UDP responses by their source port never fires.
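
To make that evasion concrete, here is an added example (not from the article or the Imperva post) that runs two filters over constructed sample datagrams: the port-keyed rule the post describes, which drops large UDP responses from known reflector ports, and a payload-keyed rule that instead parses the DNS header. The addresses, the 512-byte threshold and the sample payloads are assumptions; the DNS replies carry a real header with the QR bit set but filler instead of resource records.

```python
"""Added example: why a scrubbing rule keyed on source port misses UPnP-forwarded
amplification traffic, and a payload-keyed check that does not. Sample packets
are constructed here, not captured."""
import struct
from typing import List, Tuple

# Source ports most reflection filters key on: DNS, NTP, SSDP, memcached.
REFLECTOR_SOURCE_PORTS = {53, 123, 1900, 11211}
LARGE_UDP = 512  # bytes; classic DNS answers over UDP were capped here

Flow = Tuple[str, str, int, bytes]  # (label, src_ip, src_port, udp_payload)


def dns_response(txid: int, answers: int, size: int) -> bytes:
    """Constructed DNS reply: real 12-byte header (QR=1, RCODE=0), filler instead of RRs."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, answers, 0, 0)
    return header + b"\x00" * max(0, size - len(header))


def port_keyed_filter(src_port: int, payload: bytes) -> bool:
    """The 'commonplace scrubbing directive': large UDP from a known reflector port."""
    return src_port in REFLECTOR_SOURCE_PORTS and len(payload) > LARGE_UDP


def payload_keyed_filter(src_port: int, payload: bytes) -> bool:
    """Look at the bytes instead: a large UDP datagram that parses as a DNS response
    is amplification output no matter which source port it arrived from."""
    if len(payload) <= LARGE_UDP:
        return False
    _txid, flags, _qd, an, _ns, ar = struct.unpack("!HHHHHH", payload[:12])
    is_response = bool(flags & 0x8000)          # QR bit
    opcode_ok = (flags >> 11) & 0xF == 0        # standard query opcode
    return is_response and opcode_ok and (an + ar) > 0


SAMPLE_FLOWS: List[Flow] = [
    # Direct reflection off an open resolver: the reply leaves from UDP/53.
    ("direct-amp", "203.0.113.5", 53, dns_response(0x1234, 30, 3000)),
    # Same reply relayed through a UPnP port mapping: the router re-sources it from the
    # external port the attacker chose (1337), so the port-keyed rule never matches.
    ("upnp-evasive", "198.51.100.7", 1337, dns_response(0x1234, 30, 3000)),
    # Ordinary small DNS answer.
    ("benign-dns", "203.0.113.5", 53, dns_response(0x5678, 1, 80)),
    # Large non-DNS datagram from a high port ("TP" at offset 2 has the QR bit clear).
    ("benign-bulk", "198.51.100.9", 1337, b"HTTP/1.1 200 OK\r\n" + b"A" * 2000),
]


def classify(flows: List[Flow]) -> List[Tuple[str, bool, bool]]:
    """(label, caught by port-keyed rule, caught by payload-keyed rule) for each flow."""
    return [(label, port_keyed_filter(sp, p), payload_keyed_filter(sp, p))
            for label, _src, sp, p in flows]


if __name__ == "__main__":
    for label, by_port, by_payload in classify(SAMPLE_FLOWS):
        print(f"{label:13s} port-keyed={by_port!s:5s} payload-keyed={by_payload}")
```

The payload check is deliberately minimal: on its own it would also drop a legitimate large DNS answer to a query the victim really sent, so in practice it belongs alongside state the scrubber already keeps (did this client emit a matching query, what is the request-to-response byte ratio for that source). The point the example makes is narrower: once the reply is re-sourced by the router, the source port carries no signal at all.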

Source: UPnP joins the ‘just turn it off on consumer devices, already’ club • The Register