Security researchers are continuing to see DDoS attacks that leverage the UPnP features of home routers to alter network packets and make DDoS attacks harder to detect and mitigate with classic solutions.
The UPnP port masking technique is a new one and was first detailed last month by security researchers from Imperva.
Because the attack traffic's source (origin) port is changed, older DDoS mitigation systems that relied on reading that value to block incoming attacks began failing left and right, letting the attacks reach their intended targets.
Newer DDoS mitigation systems that rely on deep packet inspection (DPI) can detect attacks that use randomized source ports, but they cost users more and operate more slowly, taking longer to detect and stop attacks.
Back in May, Imperva researchers said they had seen botnets executing DDoS attacks via the DNS and NTP protocols while using UPnP to disguise the traffic as coming from random ports rather than port 53 (DNS) or port 123 (NTP).
Back then, Bleeping Computer anticipated that the tactic would become more popular among botnet authors. That prediction came true yesterday, when Arbor Networks released a report describing similar DDoS attacks that leveraged the UPnP protocol, this time using the technique to mask SSDP-based DDoS attacks.
SSDP DDoS attacks that would have been easily mitigated by blocking incoming packets originating from port 1900 were harder to spot, as most of the traffic came from random ports instead of a single one.
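To make the difference between the two mitigation approaches concrete, here is an added example (not code from the article, Imperva or Arbor Networks) that runs a legacy source-port filter and a payload-based, DPI-style classifier over constructed packets mimicking SSDP, DNS and NTP reflection traffic with and without UPnP port masking. The function names, sample payloads and port numbers other than 53, 123 and 1900 are assumptions made for the illustration.

```python
# Added example (not code from the article or from Imperva/Arbor Networks): a
# legacy source-port filter beside a payload-based (DPI-style) classifier, run
# over constructed packets that mimic SSDP, DNS and NTP reflection traffic with
# and without UPnP port masking. All packet contents below are hand-built.
from typing import Dict, List, Tuple

REFLECTOR_PORTS = {53: "dns", 123: "ntp", 1900: "ssdp"}

def port_based_label(src_port: int, payload: bytes) -> str:
    """Legacy mitigation: trusts the UDP source port, never looks at the payload."""
    return REFLECTOR_PORTS.get(src_port, "clean")

def payload_based_label(src_port: int, payload: bytes) -> str:
    """DPI-style mitigation: ignores the port and classifies by payload shape."""
    upper = payload.upper()
    # SSDP M-SEARCH replies are HTTP-like text carrying ST: and USN: headers.
    if upper.startswith(b"HTTP/1.1 200 OK") and b"\r\nST:" in upper and b"\r\nUSN:" in upper:
        return "ssdp"
    # DNS answer: QR bit (0x80) set in the flags byte; reflection answers are large.
    if len(payload) > 512 and payload[2] & 0x80:
        return "dns"
    # NTP mode 7 (private) response, the mode used by the monlist amplifier:
    # response bit (0x80) set and the low three mode bits equal to 7.
    if len(payload) >= 8 and payload[0] & 0x80 and (payload[0] & 0x07) == 7:
        return "ntp"
    return "clean"

# Constructed sample traffic (description, source port, payload).
SSDP_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nST: upnp:rootdevice\r\n"
              b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n\r\n")
DNS_REPLY = b"\x12\x34\x81\x80" + b"\x00" * 600      # QR=1, padded large answer
NTP_REPLY = b"\xd7\x00\x03\x2a" + b"\x00" * 436      # mode 7 monlist-style response
TLS_RECORD = b"\x16\x03\x03\x00\x10" + b"\x00" * 16  # ordinary, non-attack packet

SAMPLE_PACKETS: List[Tuple[str, int, bytes]] = [
    ("ssdp from 1900 (no masking)", 1900, SSDP_REPLY),
    ("ssdp masked to random port", 40213, SSDP_REPLY),
    ("dns masked to random port", 51877, DNS_REPLY),
    ("ntp masked to random port", 33445, NTP_REPLY),
    ("legitimate tls from 443", 443, TLS_RECORD),
]

def compare_filters(packets=SAMPLE_PACKETS) -> Dict[str, Tuple[str, str]]:
    """Map each packet description to (port-based verdict, payload-based verdict)."""
    return {d: (port_based_label(p, pl), payload_based_label(p, pl)) for d, p, pl in packets}

if __name__ == "__main__":
    for desc, (by_port, by_payload) in compare_filters().items():
        print(f"{desc:32} port-filter={by_port:6} dpi={by_payload}")
```

The port filter only flags the unmasked SSDP packet, while the payload classifier flags all three masked reflection packets and leaves the ordinary TLS record alone.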
This UPnP-based port masking technique is clearly spreading among DDoS operators, and DDoS mitigation providers will have to adjust if they want to remain in business, while companies will have to invest in upgraded protections if they want to stay afloat during these new types of DDoS attacks.