How Attackers Exploit UPnP to Bypass DDoS Defenses with Obfuscated Source Ports
Recent DDoS campaigns are abusing UPnP protocol flaws to hide source‑port information, allowing spoofed‑source amplification attacks (DNS among them) to evade traditional defenses by routing traffic through compromised IoT routers whose port‑forwarding rules have been manipulated via SOAP requests.
Recent distributed denial‑of‑service (DDoS) attacks have demonstrated a new technique that evades existing defenses by obscuring source‑port data, making traditional port‑based filtering ineffective.
Security vendor Imperva reported that, beyond common amplification methods, attackers are leveraging the Universal Plug and Play (UPnP) protocol. UPnP devices are discovered via SSDP on UDP port 1900 and are then controlled over HTTP/SOAP on a TCP port the device advertises. Many IoT devices expose UPnP on local networks, and the protocol often lacks authentication, creating a significant security risk.
Historically, UPnP vulnerabilities have been disclosed for more than two decades. In addition to remote code execution flaws, the Simple Object Access Protocol (SOAP) API can be used to reconfigure devices remotely. The AddPortMapping command, invoked via SOAP, can modify a router’s port‑forwarding rules without proper validation.
On 11 April 2018, while mitigating an SSDP‑based amplification attack, Imperva observed payloads originating from unexpected source ports rather than the usual UDP 1900. A similar incident followed weeks later. This prompted the creation of a proof‑of‑concept (PoC) that can fuzz source‑port information for any amplification payload.
To launch a DNS‑amplification attack with this PoC, an attacker first scans the Internet (e.g., using Shodan) for open UPnP routers. Such scans can identify over 1.3 million devices, and vulnerable routers can be automatically filtered with scripts.
The attacker then retrieves the device’s rootDesc.xml via HTTP, replacing the “Location” IP with the target’s IP address.
From the XML description, the attacker issues an AddPortMapping SOAP request to create a rule that forwards all UDP packets sent to port 1337 to UDP 53 (the DNS port) on an external DNS server (e.g., 3.3.3.3).
Most routers do not verify whether the internal IP specified in the rule is truly internal, allowing external IPs to be used and effectively turning the router into a proxy.
For the obfuscated DNS amplification, DNS requests sent to the compromised device on UDP 1337 are forwarded to the DNS resolver on UDP 53. The resolver replies from UDP 53 to the device, which rewrites the source port back to UDP 1337 and forwards the response to the original (spoofed) victim.
In a real attack, the initial DNS request appears to originate from the victim’s spoofed IP, so the amplified response is delivered to the victim, completing the DDoS while bypassing source‑port‑based filters. This technique can also be applied to SSDP and NTP attacks and combined with other amplification vectors such as Memcached. Detecting such traffic typically requires deep‑packet inspection, which is resource‑intensive and may be slow without dedicated mitigation hardware.
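The defender's counterpart to the AddPortMapping abuse described above is to audit what a router's mapping table actually contains. The following is an added example, not code from the article or from Imperva's PoC: it builds the standard IGD GetGenericPortMappingEntry request, parses its response, and flags any rule whose NewInternalClient is a public address, which is the signature of the router-as-proxy rule. The sample responses are constructed here; a real audit would POST the request to the controlURL listed in rootDesc.xml and walk the index until the device returns an error.

```python
import ipaddress
import xml.etree.ElementTree as ET

IGD_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_HEAD = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
             's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>')
SOAP_TAIL = "</s:Body></s:Envelope>"

def build_get_mapping_request(index):
    """Body for GetGenericPortMappingEntry, the standard IGD action that reads the mapping
    table one index at a time; an auditor POSTs it to the controlURL given in rootDesc.xml."""
    return (f'{SOAP_HEAD}<u:GetGenericPortMappingEntry xmlns:u="{IGD_SERVICE}">'
            f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
            f"</u:GetGenericPortMappingEntry>{SOAP_TAIL}")

def parse_mapping(xml_text):
    """Collect the New* argument elements of a GetGenericPortMappingEntryResponse into a dict."""
    return {el.tag.split("}")[-1]: (el.text or "").strip()
            for el in ET.fromstring(xml_text).iter() if el.tag.split("}")[-1].startswith("New")}

def classify_mapping(mapping):
    """Return a reason if the rule matches the off-net forwarding pattern above, else None."""
    try:
        client = ipaddress.ip_address(mapping.get("NewInternalClient", ""))
    except ValueError:
        return "NewInternalClient is not an IP address"
    if not client.is_private:
        # A correctly validating IGD only forwards into the LAN; a public 'internal' host
        # means the router is relaying traffic to the Internet on the rule author's behalf.
        return f"internal client {client} is a public address: router forwards traffic off-net"
    return None

def audit_mappings(responses):
    """Classify every captured response; returns [(index, reason)] for suspicious rules."""
    results = [(i, classify_mapping(parse_mapping(x))) for i, x in enumerate(responses)]
    return [(i, reason) for i, reason in results if reason]

def _sample_response(ext_port, proto, int_port, client):
    """Constructed GetGenericPortMappingEntryResponse (not captured from a real device)."""
    return (f'{SOAP_HEAD}<u:GetGenericPortMappingEntryResponse xmlns:u="{IGD_SERVICE}">'
            f"<NewExternalPort>{ext_port}</NewExternalPort><NewProtocol>{proto}</NewProtocol>"
            f"<NewInternalPort>{int_port}</NewInternalPort><NewInternalClient>{client}</NewInternalClient>"
            f"</u:GetGenericPortMappingEntryResponse>{SOAP_TAIL}")

# Constructed samples: a benign LAN web-server rule and the article's UDP 1337 -> 3.3.3.3:53 relay rule.
SAMPLE_RESPONSES = [
    _sample_response(8080, "TCP", 80, "192.168.1.10"),
    _sample_response(1337, "UDP", 53, "3.3.3.3"),
]
```

The same check belongs in the router firmware itself: an AddPortMapping whose NewInternalClient is not on the LAN should be rejected rather than installed.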
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
ITPUB
Official ITPUB account sharing technical insights, community news, and exciting events.