DDoS attacks are one of the most popular types of attacks that can bring down a website or a server and put it into inaccessible state for minutes to hours. Although no DDoS attack is able to steal any information, they’re really annoying and from business point of view, it’s a huge loss for a company as every single second is valuable.

There are a number of services and methods to mitigate the classic DDoS attacks. Despite we saw a spike in the size and number of DDoS attacks in the recent past (where “memcached” servers were used to launch terabit DDoS attacks), everything was pretty much under control, until now.

New DDoS method

Recently, a new technique for DDoS is discovered – the UPnP port masking. This method was first detailed last month by security researchers from Imperva. According to their reports, DDoS botnets are recently starting to use the UPnP protocol found on home routers for bouncing DDoS traffic off the router, but alter the source port of the traffic to a random number.

This method successfully evades the previous DDoS mitigation system. Older mitigation system relies on reading the information and because of the new technique, it’s not working anymore. Thus, DDoS botnets are able to successfully hit the target.

However, there’s a way to prevent such an incident by implementing newer DDoS mitigation system that rely on DPI (Deep Packet Inspection). Using this technique, the UPnP DDoS attacks are not able to hit the target. Unfortunately, the price and performance of the better DDoS protection system isn’t so friendly. The method works slower and really costly for users.

UPnP port masking spreads from DNS, NTP to SSDP

Back in May, Imperva researchers reported that they identified botnets that were executing DDoS attacks from NTP and DNS protocols, but disguised the traffic as coming from random ports instead of expected ports (port 53 for DNS and port 123 for NTP).

Recently, a report from Arbor Network confirmed seeing a similar DDoS attack that leveraged the UPnP protocol. However, this time, the method masked the SSDP-based DDoS data packets. It would be easy to defend against SSDP DDoS as identifying data coming from port 1900. As it was behind UPnP, it’s not easily detectable any more.

It’s clearly obvious that we’re going to see more of this attack in the near future as the technique starts to popularize itself among botnet groups. Security companies have to investigate and find out ways to prevent this type of DDoS attack and save the industry.