Using the Universal Plug and Play (UPnP) protocol, attackers can mask the source of a launched DDoS attack and potentially make it harder for the victim organization to mitigate the issue, according to a Monday blog post by Imperva security researchers.

Many DDoS attacks occur when a system is overloaded with incoming network packets. The flood of traffic affects the bandwidth and resources available to the victim application or products, resulting in a denial of service. A DDoS attack is “distributed” due to the incoming traffic from multiple sources.

Typically, DDoS attacks are mitigated with help from a tool that can identify a specific source port and block the traffic associated with that port. However, the UPnP protocol can mask the source port, making it much more difficult to stop the flow of DDoS-associated traffic.

SEE: Information security incident reporting policy (Tech Pro Research)

Using UPnP as a method to alter port mapping, the malicious “payloads would originate from irregular source ports.” This makes tools designed for blacklisting the traffic essentially useless.

“Notably, the evasion method is not limited to DNS amplification, as our own subsequent test showed it to be effective for SSDP, DNS, and NTP attacks,” researchers wrote in the post. “Furthermore, there is no reason to assume that other amplification vectors (e.g., Memcached) will not work just as well.”

So, what is one to do? In the post, researchers noted that a viable alternative for detecting amplification workloads may be deep packet inspection (DPI). Still, that requires more resources and is more difficult to perform at scale.

According to the post, Imperva was working on a proof-of-concept (PoC) attack for the obfuscation technique. Imperva was successful in its tests, but also discovered two attacks in the wild using this method.

One of the attacks happened on April 26, accrued out through an NTP amplification vector. The post noted that the researchers thought the low volume of traffic pointed to a probing attempt, so they published their research to make more people aware of the issue before the practice became more common.

The big takeaways for tech leaders:

  • Attackers are leveraging the Universal Plug and Play (UPnP) protocol to hide where their attacks are coming from, making them harder to mitigate.
  • Older DDoS protection systems that use packet info to defend against attacks may need to be supplemented or updated.