Attacks/Breaches

5/15/2018
09:55 AM
50%
50%

New DDoS Attack Method Leverages UPnP

'Lock down UPnP routers,' researchers say.

A new DDoS technique is adding a new twist to this common threat and upping the chance that an attack will have an impact on business operations. The new attack leverages a known vulnerability in Universal Plug and Play (UPnP) to get around many of the current defense techniques and swamp a target's network and servers.

The basis of the attack is a DNS amplification technique that bounces a DNS query response to the victim based on a spoofed requester address. In this new DDoS approach, though - detailed by researchers at Imperva - the attack mechanism is a UPnP router that is happy to forward requests from one external source to another (in violation of UPnP behavior rules). Using the UPnP router returns the data on an unexpected UDP port from a spoofed IP address, making it more difficult to take simple action to shut down the traffic flood.

In the original attack and the new proof of concept, a DNS amplification was used, but the researchers note that there's no technical reason that a similar approach couldn't be used in SSDP, DNS, and NTP attacks.

When both source address and port are obfuscated, many current DDoS remediation techniques become ineffective. While deep packet inspection will work against the attack, it's a resource-intensive method that can be both costly and limited. The researchers say that the most effective way to stop this attack method is for organizations to lock down their UPnP routers, taking a weapon out of the hands of attackers.

Related Content:

 

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
More Than Half of Users Reuse Passwords
Curtis Franklin Jr., Senior Editor at Dark Reading,  5/24/2018
Is Threat Intelligence Garbage?
Chris McDaniels, Chief Information Security Officer of Mosaic451,  5/23/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11506
PUBLISHED: 2018-05-28
The sr_do_ioctl function in drivers/scsi/sr_ioctl.c in the Linux kernel through 4.16.12 allows local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact because sense buffers have different sizes at the CDROM layer and the SCSI layer.
CVE-2018-11507
PUBLISHED: 2018-05-28
An issue was discovered in Free Lossless Image Format (FLIF) 0.3. An attacker can trigger a long loop in image_load_pnm in image/image-pnm.cpp.
CVE-2018-11505
PUBLISHED: 2018-05-26
The Werewolf Online application 0.8.8 for Android allows attackers to discover the Firebase token by reading logcat output.
CVE-2018-6409
PUBLISHED: 2018-05-26
An issue was discovered in Appnitro MachForm before 4.2.3. The module in charge of serving stored files gets the path from the database. Modifying the name of the file to serve on the corresponding ap_form table leads to a path traversal vulnerability via the download.php q parameter.
CVE-2018-6410
PUBLISHED: 2018-05-26
An issue was discovered in Appnitro MachForm before 4.2.3. There is a download.php SQL injection via the q parameter.