Attackers are experimenting with a new method of avoiding some DDoS mitigation solutions by employing the Universal Plug and Play (UPnP) protocol to mask the source port of network packets sent during the DDoS flood.
In a report published on Monday, DDoS mitigation firm Imperva says it observed at least two DDoS attacks employing this technique.
By masking the origin port of incoming network packets, Imperva says that older DDoS mitigation systems that rely on reading this info to block attacks will need to be updated to more complex solutions that rely on deep packet inspection (DPI), a more costly and slower solution.
At the heart of the problem is the Universal Plug and Play (UPnP) protocol, a technology developed to simplify the discovery of nearby devices on the local network.
One of the protocol's features is its ability to forward connections from the Internet to the local network. It does this by mapping incoming (Internet) IP:port connections to a local IP:port service.
This feature allows NAT traversal, but it also lets network admins give remote users access to services that are available only on the internal network.
"However, few routers actually bother to verify that a provided 'internal IP' is actually internal, and abides by all forwarding rules as a result," Imperva researchers say.
This means that if an attacker manages to poison the port mapping table, he can use the router as a proxy and redirect incoming Internet IPs to other Internet IPs.
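The missing check described above is easy to audit from the defender's side. The following is an added example (not Imperva's code and not part of the original article): it parses the SOAP responses a router returns for the UPnP WANIPConnection `GetGenericPortMappingEntry` action, then flags any mapping whose "internal client" does not lie inside the LAN the router actually serves. The field names are the real UPnP ones; the sample responses, the LAN range and the addresses in them are constructed for this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Fields carried by a WANIPConnection GetGenericPortMappingEntry response.
FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription",
          "NewLeaseDuration")

# Well-known UDP services used for amplification (DNS 53, NTP 123).
AMPLIFIER_PORTS = {53: "dns", 123: "ntp"}


def _entry_xml(ext_port, proto, int_port, client, desc):
    """Build a constructed SOAP response in the shape a router would return."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:GetGenericPortMappingEntryResponse '
        'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        f"<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext_port}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol><NewInternalPort>{int_port}</NewInternalPort>"
        f"<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>"
        f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        "<NewLeaseDuration>0</NewLeaseDuration>"
        "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
    )


# Constructed sample table: one legitimate LAN forward and two entries that point
# the "internal client" at addresses outside the LAN (198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges standing in for arbitrary Internet hosts).
SAMPLE_RESPONSES = [
    _entry_xml(8080, "TCP", 80, "192.168.1.10", "webcam"),
    _entry_xml(40123, "UDP", 53, "198.51.100.7", ""),
    _entry_xml(40124, "UDP", 123, "203.0.113.9", ""),
]


def parse_mapping_entry(xml_text):
    """Extract the New* fields from one GetGenericPortMappingEntry response."""
    root = ET.fromstring(xml_text)
    entry = {}
    for el in root.iter():
        if el.tag in FIELDS:          # field elements carry no namespace prefix
            entry[el.tag] = (el.text or "").strip()
    for key in ("NewExternalPort", "NewInternalPort", "NewLeaseDuration"):
        entry[key] = int(entry[key])
    return entry


def is_on_lan(ip, lan_cidrs):
    """True if ip falls inside one of the LAN prefixes the router serves."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in lan_cidrs)


def audit_port_mappings(entries, lan_cidrs):
    """Return a finding for every mapping whose target is not on the LAN.

    Such a mapping turns the router into a forwarder toward an Internet host;
    when the target port is a UDP amplifier service, the finding says so.
    """
    findings = []
    for e in entries:
        if is_on_lan(e["NewInternalClient"], lan_cidrs):
            continue
        reason = "internal client is outside the LAN (router acting as a forwarder)"
        service = AMPLIFIER_PORTS.get(e["NewInternalPort"])
        if service and e["NewProtocol"].upper() == "UDP":
            reason += (f"; external UDP port {e['NewExternalPort']} forwards to "
                       f"{service} port {e['NewInternalPort']}")
        findings.append({"external_port": e["NewExternalPort"],
                         "client": e["NewInternalClient"], "reason": reason})
    return findings


def audit_responses(xml_responses, lan_cidrs):
    """Convenience wrapper: parse raw SOAP responses, then audit them."""
    return audit_port_mappings([parse_mapping_entry(x) for x in xml_responses], lan_cidrs)


if __name__ == "__main__":
    for f in audit_responses(SAMPLE_RESPONSES, ["192.168.1.0/24"]):
        print(f"external port {f['external_port']} -> {f['client']}: {f['reason']}")
```

The check is deliberately a whitelist against the router's own LAN prefixes rather than a "is this a private address" test, because the article's point is that the router should only forward to hosts it actually serves; a mapping toward any address outside those prefixes is the condition worth alerting on, whatever the destination port.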
This type of scenario is not new. Akamai detailed this technique —called UPnProxy— last month when it revealed that it discovered botnets and nation-state cyber-espionage groups using home routers as proxies to bounce and hide malicious traffic.
But Imperva says this same technique can be abused for DDoS attacks as well, for the purpose of masking the source port of amplification DDoS attacks —also known as reflection DDoS attacks.
Classic amplification DDoS attacks rely on the attacker bouncing a malicious packet off a remote server and sending it to a victim via a spoofed IP.
In the classic amplification DDoS attacks, the source port is always the port of the service that amplifies the attack. For example, packets bounced off a DNS server during a DNS amplification attack will have a source port of 53, while NTP amplification attacks will have a source port of 123.
This lets DDoS mitigation services detect and block amplification attacks by blocking all incoming packets with a specific source port.
But using UPnProxy, attackers can alter the port mapping tables of vulnerable routers and use them to mask the source port of DDoS attacks: the amplified packets appear to come from random ports, bounce off the router in front of the amplification server, and hit the DDoS attack's victim.
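To make the mitigation gap concrete, here is an added example (not from the article or from Imperva) that runs two classifiers over a handful of constructed UDP packet records: the legacy rule that matches on the well-known amplifier source port (53 for DNS, 123 for NTP), and a payload-inspection rule that recognises an amplifier reply by its protocol header regardless of the source port. The packet records, addresses and payloads are all constructed inline; the DNS and NTP header layouts they rely on are the standard ones.

```python
from dataclasses import dataclass

# Amplifier services keyed by the source port their replies normally carry.
AMPLIFIER_PORTS = {53: "dns", 123: "ntp"}


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def by_source_port(pkt):
    """Legacy rule: classify solely on the UDP source port."""
    return AMPLIFIER_PORTS.get(pkt.src_port)


def looks_like_dns_response(payload):
    """DNS header: 12 bytes; QR bit (0x80 of byte 2) set means 'response'."""
    if len(payload) < 12:
        return False
    qr_set = bool(payload[2] & 0x80)
    qdcount = int.from_bytes(payload[4:6], "big")
    ancount = int.from_bytes(payload[6:8], "big")
    return qr_set and qdcount >= 1 and ancount >= 1


def looks_like_ntp_response(payload):
    """NTP byte 0 holds LI(2) VN(3) Mode(3); mode 4 = server reply, mode 7 = private."""
    if len(payload) < 8:
        return False
    version = (payload[0] >> 3) & 0x07
    mode = payload[0] & 0x07
    if not 1 <= version <= 4:
        return False
    if mode == 4:
        return len(payload) >= 48      # a standard server reply is 48 bytes
    return mode == 7                   # private-mode reply (e.g. monlist)


def by_payload(pkt):
    """DPI rule: classify on the protocol header, ignoring the source port."""
    if looks_like_dns_response(pkt.payload):
        return "dns"
    if looks_like_ntp_response(pkt.payload):
        return "ntp"
    return None


def _dns_payload(flags, qdcount, ancount):
    """Constructed DNS message: header, one question, optional A-record answers."""
    header = (b"\x12\x34" + flags.to_bytes(2, "big") + qdcount.to_bytes(2, "big")
              + ancount.to_bytes(2, "big") + b"\x00\x00\x00\x00")
    question = b"\x07example\x03com\x00\x00\x01\x00\x01"
    answer = b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc6\x33\x64\x07"
    return header + question + answer * ancount


def sample_packets():
    """Constructed traffic toward a victim at 203.0.113.50 (documentation address)."""
    dns_reply = _dns_payload(0x8180, 1, 1)          # QR=1, one answer
    dns_query = _dns_payload(0x0100, 1, 0)          # QR=0, RD=1, no answers
    ntp_mode7 = bytes([0x97, 0x03, 0x2a]) + b"\x00" * 45   # R=1, VN=2, mode 7
    return [
        Packet("198.51.100.20", 53, "203.0.113.50", 33001, dns_reply),     # classic
        Packet("198.51.100.21", 40123, "203.0.113.50", 33002, dns_reply),  # port masked
        Packet("198.51.100.22", 40124, "203.0.113.50", 33003, ntp_mode7),  # port masked
        Packet("203.0.113.50", 52000, "198.51.100.20", 53, dns_query),     # benign query
    ]


def verdicts(packets):
    """Return (source-port verdict, payload verdict) for each packet."""
    return [(by_source_port(p), by_payload(p)) for p in packets]


if __name__ == "__main__":
    for p, (port_v, dpi_v) in zip(sample_packets(), verdicts(sample_packets())):
        print(f"{p.src_ip}:{p.src_port} -> port rule: {port_v}, DPI rule: {dpi_v}")
```

The masked packets (source ports 40123 and 40124) pass the port rule untouched yet are still identified by header inspection, which is the shift the article says older mitigation gear will have to make. On its own, the DPI rule would also match replies to the victim's legitimate queries, so in production it has to be paired with state (was a matching query sent out?) or rate thresholds; the example only shows that the source port is no longer a sufficient signal.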
Imperva says it developed an in-house proof-of-concept script with which it successfully reproduced one of the two DDoS attacks it had spotted in the wild.
The PoC code searched for routers that exposed their rootDesc.xml file (which holds the port mapping config), added custom port mapping rules that hid the source port, and then launched a DDoS amplification attack. The company did not release the PoC, for obvious reasons.
The attacks Imperva detected in the wild, which they believe used UPnP to hide the source port, leveraged the DNS and NTP protocols during the DDoS floods, meaning the technique is agnostic in terms of the type of DDoS amplification technique the attacker chooses to use.
"It’s our hope that these findings will help the mitigation industry prepare itself for the above-described evasion tactics before they become more common," the Imperva team said.
"We also hope that our findings will add to the existing body of research focusing on UPnP-related security threats, and help promote better security awareness among IoT manufacturers and distributors."
The technique is, no doubt, going to become more popular over time. Just as when the UPnProxy flaw came to light, router owners are advised to disable UPnP support if they are not using the feature.