Security researchers are continuing to see DDoS attacks that leverage the UPnP features of home routers to alter network packets and make the attacks harder to detect and mitigate with classic solutions.

The UPnP port masking technique is a new one and was first detailed last month by security researchers from Imperva.

Imperva staff reported that some DDoS botnets had started using the UPnP protocol found on home routers to bounce DDoS traffic off the router, but alter the traffic’s source port to a random number.

By changing the source (origin) port, older DDoS mitigation systems that relied on reading this information to block incoming attacks began failing left and right, allowing DDoS attacks to hit their intended targets.

Newer DDoS mitigation systems that rely on deep packet inspection (DPI) can detect these attacks despite the randomized source ports, but they are also more expensive for users and operate more slowly, taking more time to detect and stop attacks.

UPnP port masking spreads from DNS and NTP to SSDP

Back in May, Imperva researchers said they had seen botnets executing DDoS attacks via the DNS and NTP protocols, but using UPnP to disguise the traffic as coming from random ports rather than port 53 (DNS) or port 123 (NTP).

Back then, Bleeping Computer anticipated that the tactic would become more popular among botnet authors. This prediction came true yesterday, when Arbor Networks released a report describing similar DDoS attacks that leveraged the UPnP protocol, this time to mask SSDP-based DDoS…
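The detection gap the article describes, a source-port filter versus payload inspection, shown as an added Python example that is not from the article, Imperva or Arbor Networks. The packet payloads and source ports are constructed samples and the three classifiers are simplified heuristics for the DNS, NTP and SSDP replies named above, not a production mitigation engine.

```python
import struct

# Constructed sample payloads (not real captures) of the three reflected replies the
# article names: a DNS answer, an NTP mode-7 monlist reply and an SSDP M-SEARCH reply.
DNS_RESP = (b"\x12\x34\x81\x80\x00\x01\x00\x08\x00\x00\x00\x00"  # header: QR=1, ANCOUNT=8
            + b"\x07example\x03com\x00\x00\xff\x00\x01")          # question: example.com ANY
NTP_MONLIST = bytes([0x97, 0x00, 0x03, 0x2a]) + b"\x00" * 76      # R=1, mode 7, impl 3, code 42
SSDP_RESP = (b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
             b"LOCATION: http://192.0.2.1:49152/desc.xml\r\n\r\n")

# (source_port, payload): the first three arrive from the well-known ports, the last
# three are the same replies after UPnP port masking through a home router.
SAMPLE_PACKETS = [(53, DNS_RESP), (123, NTP_MONLIST), (1900, SSDP_RESP),
                  (41937, DNS_RESP), (60211, NTP_MONLIST), (28850, SSDP_RESP)]
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 1900: "ssdp"}

def classify_by_port(src_port):
    """Legacy filter: the source port alone names the protocol."""
    return REFLECTOR_PORTS.get(src_port)

def looks_like_dns_response(p):
    if len(p) < 12:
        return False
    flags, _qdcount, ancount = struct.unpack("!HHH", p[2:8])
    return bool(flags & 0x8000) and ancount > 0     # QR bit set and answers present

def looks_like_ntp_monlist_response(p):
    # NTP private (mode 7) packet: response bit set, mode 7, request code 42 = MON_GETLIST_1
    return len(p) >= 8 and (p[0] & 0x80) != 0 and (p[0] & 0x07) == 7 and p[3] == 42

def looks_like_ssdp_response(p):
    return p.startswith(b"HTTP/1.1 200 OK") and b"\r\nST:" in p.upper()

def classify_by_payload(payload):
    """DPI-style check: recognise the reflected reply by its content, ignoring the port."""
    if looks_like_dns_response(payload):
        return "dns"
    if looks_like_ntp_monlist_response(payload):
        return "ntp"
    if looks_like_ssdp_response(payload):
        return "ssdp"
    return None

def compare(packets):
    """Count how many reflected replies each method flags; masking defeats the port filter."""
    flagged = {"port": 0, "dpi": 0}
    for src_port, payload in packets:
        flagged["port"] += int(classify_by_port(src_port) is not None)
        flagged["dpi"] += int(classify_by_payload(payload) is not None)
    return flagged
```

Running `compare(SAMPLE_PACKETS)` flags only the three unmasked packets by port but all six by payload, which is the difference between the older and DPI-based systems the article contrasts.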