Why you shouldn’t be worried about UPnP port masking
Last May, security firm Imperva wrote a blog post discussing a new proof of concept for bypassing DDoS mitigation after discovering reflected network protocols appearing on non-standard network ports. Imperva was able to replicate the same behavior using a technique called UPnP Port Masking, which uses the Universal Plug and Play (UPnP) Protocol to alter the source port of commonly abused network protocols in DDoS attacks.
Multiple news outlets picked up on Imperva’s research and pitched it as a serious threat to DDoS mitigation, especially for DDoS mitigation solutions that rely on blocking specific protocols based off of their port. I argue that if your DDoS mitigations fail to protect against randomized ports, they aren’t sufficient mitigations in the first place, so the hype around UPnP Port Masking confuses the real issues around DDoS protection.
UPnP is a popular protocol used largely by IoT devices to discover each other on a local network and modify port forwarding (Network Address Translation or NAT for the networking folks) rules on the network’s gateway. UPnP is great for home networks where consumers just want their new purchase to work without requiring knowledge from CompTIA’s Network+ exam. However, it isn’t appropriate for an office environment where IT staff need more control over which devices can communicate with each other and the outside world.
Imperva’s proof of concept works by using UPnP to modify port forwarding rules on UPnP-enabled routers out on the internet. Let’s use the massive Memcached DDoS attacks from earlier this year as an example. Memcached (with UDP access enabled) runs on UDP port 11211. An attacker first uses UPnP to create a forwarding rule on an affected router that reroutes all UDP packets received on port 1234 to a Memcached server at the address 126.96.36.199 on port 11211.
From: Any UDP/1234
To: 188.8.131.52 UDP/11211
During a normal reflective DDoS attack, the attacker spoofs the source address of a UDP request to that of a victim and then sends it to a server. When the server replies to the request, the response is sent to the spoofed source address. By abusing protocols with large response sizes, the attacker can overwhelm the victim with traffic.
Using Imperva’s trick, the attacker sends the spoofed request through the UPnP router using the non-standard port (UDP/1234 in our example). The router changes the port to the actual service port and forwards it on to the server address (184.108.40.206). It does the same in reverse for the server’s reply, changing the port back to the non-standard port before sending it to the victim’s IP.
Long story short, attackers can use this technique to modify the port for UDP-based traffic before the victim receives it. Some DDoS mitigation tools look at just the port that traffic is arriving on before deciding to drop or throttle it. If you aren’t running an NTP server for example, your DDoS mitigation might be set up to block UDP/123 entirely. Randomizing the port can get around this type of protection.
Imperva and several publications argue that this newly detected port randomization technique is of serious concern for DDoS mitigation tools. They argued that DDoS mitigation tools must now perform deep packet inspection (DPI) to identify malicious traffic, which is challenging to perform without dedicated mitigation equipment because of the additional overhead. I would counter that by pointing out modern DDoS mitigation for most organizations is already past dedicated equipment and now requires cloud-based services to remain effective.
It is simply too easy for even low-skilled attackers to launch massive attacks exceeding hundreds of gigabits per second. Only the largest organizations even have connections capable of handling that load, meaning that by the time the traffic reaches DDoS mitigation equipment it’s already too late.
These days, DDoS attacks are often mitigated by spreading the load through a content delivery network’s (CDN’s) network. Instead of funneling DDoS traffic all through a single pipe, it is split up and sent through multiple datacenters, which can then use specialized equipment to filter the reduced traffic. Some DDoS mitigation services let you keep your normal routing as-is until your services come under attack, at which point your public addresses are re-routed through their network. Cloud-based services aren’t as concerned about UPnP port masking because they have the resources to inspect and throttle larger attacks and simply absorb smaller ones.
The bottom line is, if a DDoS attack can bring down your network by using randomized ports, it can probably do the same without randomizing ports as well. If DDoS mitigation is a concern for your organization, look to cloud-based services that are equipped to handle the ever-increasing throughput. While UPnP Port Masking may fool some older DDoS prevention methods, the industry as a whole has moved on and focusing on this one trick will distract organizations from the actual threat of a modern DDoS attack.