UPnP: Actual security risks of allowing ports below 1024.

Being blunt ... UPnP on a router that allows anyone to get inside your network is universally considered to be a security threat to the person who uses it. The only people who disagree are those who hack for profit (i.e. those who will happily steal from you and laugh about it) and those who don't know any better.

Oh, you say, these are only people who will play games with my kids and keep them off my back ... even maybe the mfgr said it was OK.

Hackers of the world thank you and wish more were as enlightened as you.

I do get security* - remember, 99.99999% of the users in the world could care less about someone's home network - 1 in a million, and blackhats go where the soft targets are - the big application providers... and they're targeting specific information in those repositories...

That being said - Router/AP's do have risk, Lizard Squad famously used vulns in home gateways to DDOS the Sony Playstation Network along with XBox Live during the Christmas holidays... so pick vendors accordingly there...

Note - Lizard Squad could only access the WAN interface, not items behind the NAT/SPI firewall...

* I'm a larger threat surface than most due to my work on anti-SPAM and anti-Fraud, along with in-depth technical knowledge of the 802.1* protocol stacks, along with various WWAN stacks - I worry more about my work network than my home network, the home network is an easy problem to solve...
 
Makes me all giddy for the even poorer security practices of the Internet of Things.
I guess if someone figures out how to turn my ROKU into an internet attack ninja, OK they win. (seriously, I THINK, SPI and NAT are in control here, plus massive encryption for certain functions, especially since UPnP is off and my new ROKU works great.) I don't have the same confidence about a smart thermometer or light bulb controller. (Hence pfSense, pfBlockerNG and SNORT for down the road when everyone has smart refrigerators.)
 
> I guess if someone figures out how to turn my ROKU into an internet attack ninja, OK they win. (seriously, I THINK, SPI and NAT are in control here, especially since UPnP is off and my new ROKU works great.) I don't have the same confidence about a smart thermometer or light bulb controller. (Hence pfSense, pfBlockerNG and SNORT for down the road when everyone has smart refrigerators.)

I think your roku is safe ;)

The smart home stuff, along with connected car, smart meters, body devices (the Personal Area Network), these are things that I do worry about as part of the internet of things - we're going to have many networks that may interact with our WLAN/LAN inside the firewall afforded by our home gateways...

keeps me awake at night..
 
There's a lot of bat-shirt insanity in current Firmware builds on common Router/AP's - the key fact that everything runs as a privileged user is one, and even then, there is no privilege separation between the HTTP user vs. the Samba user vs. OpenVPN or uPNPd - design issue, and one that isn't easy to fix overall...
You have discovered marketing. Specifically, balancing ease of use vs the other router mfgr advertising they are easier to use compared to the company that considered security and, thus, chased everyone away for getting too complicated. Dumbing things down while making users feel smart is sales gold. Less important is actually accomplishing real security that can't be explained away by saying 'It's no different from what everyone else does.' If there's a problem the first question to be asked will be 'did you protect your password?' NAT and SPI are it, for now.
 
> You have discovered marketing. Specifically, balancing ease of use vs the other router mfgr advertising they are easier to use compared to the company that considered security and, thus, chased everyone away for getting too complicated. Dumbing things down while making users feel smart is sales gold. Less important is actually accomplishing real security that can't be explained away by saying 'It's no different from what everyone else does.' If there's a problem the first question to be asked will be 'did you protect your password?' NAT and SPI are it, for now.

I've always known the marketing side wearing my work hat - my day job is Product Development/Systems Design these days, and this is why I do worry about security for our customers...
 
One more thing. Do I need to have "Respond ping request from WAN" enabled for the Xboxes? I've heard that when this is disabled, all ICMP messages are blocked and I'm worried it might need things like path MTU to function correctly.
 
> One more thing. Do I need to have "Respond ping request from WAN" enabled for the Xboxes? I've heard that when this is disabled, all ICMP messages are blocked and I'm worried it might need things like path MTU to function correctly.

Should be fine - ICMP outbound from the LAN/WLAN is typically not blocked, and this shouldn't impact MTU path discovery...
 
> Should be fine - ICMP outbound from the LAN/WLAN is typically not blocked, and this shouldn't impact MTU path discovery...

So I don't need to respond to inbound ICMP messages like path MTU, fragmentation needed or unreachables? In case a DSL user tries to connect to my hosted game?
 
> So I don't need to respond to inbound ICMP messages like path MTU, fragmentation needed or unreachables? In case a DSL user tries to connect to my hosted game?

Well, I'm always good with responding to ICMP pings to be honest - some folks are pretty paranoid about this, but they're just ping packets...

Suppressing ICMP can complicate things when dealing with your ISP's customer care team...

And for games on consoles - like you mentioned, ICMP does help...
 
upnp is a risk in that you are giving the authority to open ports to anyone internally. It is just a convenience and can be disabled if you want to know what apps are allowed to have inbound traffic.

There has been a shift in recent years for hackers hitting home networks since they are easy targets relative to corporate. We are no longer in the "I have nothing to steal, I'm a home user" era. Home networks are being used to wage attacks (DDOS for example). Think botnets.
 
> Well, I'm always good with responding to ICMP pings to be honest - some folks are pretty paranoid about this, but they're just ping packets...
>
> Suppressing ICMP can complicate things when dealing with your ISP's customer care team...
>
> And for games on consoles - like you mentioned, ICMP does help...
Yep. ICMP isn't bad.
 
> Well, I'm always good with responding to ICMP pings to be honest - some folks are pretty paranoid about this, but they're just ping packets...
>
> Suppressing ICMP can complicate things when dealing with your ISP's customer care team...
>
> And for games on consoles - like you mentioned, ICMP does help...

Alright, then I'll enable that option again. Let's hope I don't have to restore my settings again (referring to my other thread).

> upnp is a risk in that you are giving the authority to open ports to anyone internally. It is just a convenience and can be disabled if you want to know what apps are allowed to have inbound traffic.
>
> There has been a shift in recent years for hackers hitting home networks since they are easy targets relative to corporate. We are no longer in the "I have nothing to steal, I'm a home user" era. Home networks are being used to wage attacks (DDOS for example). Think botnets.

Unfortunately, there has also been a trend of "we don't want to give the user an option to change things or set ports in our application". So UPnP is somewhat a necessity (unnecessarily). Luckily I don't have any devices on my network that I don't know or use, so I'm not that worried about it.
 
> Unfortunately, there has also been a trend of "we don't want to give the user an option to change things or set ports in our application". So UPnP is somewhat a necessity (unnecessarily). Luckily I don't have any devices on my network that I don't know or use, so I'm not that worried about it.
I'm not really doubting, but do you have a reference/example?
 
> upnp is a risk in that you are giving the authority to open ports to anyone internally. It is just a convenience and can be disabled if you want to know what apps are allowed to have inbound traffic.

We've already discussed this in the thread...
 
> upnp is a risk in that you are giving the authority to open ports to anyone internally. It is just a convenience and can be disabled if you want to know what apps are allowed to have inbound traffic.
>
> There has been a shift in recent years for hackers hitting home networks since they are easy targets relative to corporate. We are no longer in the "I have nothing to steal, I'm a home user" era. Home networks are being used to wage attacks (DDOS for example). Think botnets.

No, it doesn't - uPNP is client specific, and presents a bit of a threat, but being behind a modern SOHO Router/AP, the SPI firewall and NAT solves that problem.

Next?
 
> There has been a shift in recent years for hackers hitting home networks since they are easy targets relative to corporate. We are no longer in the "I have nothing to steal, I'm a home user" era. Home networks are being used to wage attacks (DDOS for example). Think botnets.

Not your computers - your gateways/modems - for some, it might be a personal problem, for many, it's an ISP/Carrier Problem...

For the most part - your Windows/OSX devices are very safe, iOS and Android on the WLAN, equally so...
 
> I do get security* - remember, 99.99999% of the users in the world could care less about someone's home network - 1 in a million, and blackhats go where the soft targets are - the big application providers... and they're targeting specific information in those repositories...
>
> That being said - Router/AP's do have risk, Lizard Squad famously used vulns in home gateways to DDOS the Sony Playstation Network along with XBox Live during the Christmas holidays... so pick vendors accordingly there...
>
> Note - Lizard Squad could only access the WAN interface, not items behind the NAT/SPI firewall...
>
> * I'm a larger threat surface than most due to my work on anti-SPAM and anti-Fraud, along with in-depth technical knowledge of the 802.1* protocol stacks, along with various WWAN stacks - I worry more about my work network than my home network, the home network is an easy problem to solve...

I know you're smart about this. The original poster appears to be a little inexperienced. My replies were to him and others who had the same questions as him and, hopefully not, to anyone who noticed any glaring errors in what I wrote. When you see someone on TV answering an obvious question in detail, they're really speaking to the audience, not the person who asked the question who is now having to endure a long winded answer.
 
> No, it doesn't - uPNP is client specific, and presents a bit of a threat, but being behind a modern SOHO Router/AP, the SPI firewall and NAT solves that problem.
>
> Next?
Um, no. If you turn on UPNP, you authorize devices to open ports. Depending on the implementation of upnp, it can either open ports to itself or other devices. More secure upnp implementations restrict it to its own device.

The problem with upnp is lack of control. Here is a real world example: Foscam cameras. By default they have upnp enabled and ddns. Since you've enabled upnp at the router, as soon as you plug that device in, it's a target and internet accessible. Most people don't realize that simply plugging it in opens up their network. Gain access to that device (easy/insecure), replace the firmware with a reverse proxy (simple), and you have full access to a network. If UPNP was not enabled on the router, there is no threat "enabled by default".
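The two router-side restrictions this thread keeps coming back to (a device may only open ports to itself, and the privileged range below 1024 stays closed on the WAN side) can be shown as a policy check applied to each incoming AddPortMapping request. The code below is an added illustration, not the UPnP daemon from any router firmware; the request field names, the 192.168.1.0/24 LAN and the three sample requests are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class MappingRequest:
    """One UPnP IGD AddPortMapping request as the router sees it.
    Field names are hypothetical, chosen to mirror the SOAP arguments."""
    requester_ip: str     # source address of the SOAP request
    internal_client: str  # NewInternalClient: where WAN traffic is forwarded
    external_port: int    # NewExternalPort opened on the WAN side
    internal_port: int    # NewInternalPort on the LAN host
    protocol: str         # NewProtocol: "TCP" or "UDP"

@dataclass
class Policy:
    """Router-side restrictions. Defaults are the hardened settings."""
    secure_mode: bool = True       # a device may only map to its own address
    min_external_port: int = 1024  # refuse the privileged range on the WAN
    lan: str = "192.168.1.0/24"    # constructed LAN; only its hosts may ask

def evaluate(req, pol):
    """Return (allowed, reason) for one request; cheapest rejections first."""
    lan = ipaddress.ip_network(pol.lan)
    if req.protocol not in ("TCP", "UDP"):
        return False, "unsupported protocol"
    if ipaddress.ip_address(req.requester_ip) not in lan:
        return False, "requester is not a LAN host"
    if ipaddress.ip_address(req.internal_client) not in lan:
        return False, "internal client is not a LAN host"
    if pol.secure_mode and req.internal_client != req.requester_ip:
        return False, "secure_mode: mapping must point at the requester itself"
    if not (1 <= req.internal_port <= 65535 and 1 <= req.external_port <= 65535):
        return False, "port out of range"
    if req.external_port < pol.min_external_port:
        return False, f"external port {req.external_port} is below {pol.min_external_port}"
    return True, "accepted"

# Constructed requests: a game console mapping to itself, an IP camera trying
# to forward WAN traffic to another LAN host, and the same camera asking for
# WAN port 80 on itself.
SAMPLES = [
    MappingRequest("192.168.1.50", "192.168.1.50", 3074, 3074, "UDP"),
    MappingRequest("192.168.1.60", "192.168.1.10", 8080, 80, "TCP"),
    MappingRequest("192.168.1.60", "192.168.1.60", 80, 80, "TCP"),
]

def audit(requests, pol):
    """Evaluate every request; returns the list of (allowed, reason) pairs."""
    return [evaluate(r, pol) for r in requests]
```

Running `audit(SAMPLES, Policy())` accepts only the console's mapping, while `Policy(secure_mode=False, min_external_port=1)` accepts all three, which is the "anyone internally can open anything" situation described above; miniupnpd exposes the same two knobs as `secure_mode` and `allow`/`deny` port-range rules.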
 
> Not your computers - your gateways/modems - for some, it might be a personal problem, for many, it's an ISP/Carrier Problem...
>
> For the most part - your Windows/OSX devices are very safe, iOS and Android on the WLAN, equally so...
Um, no. If your network is breached, nothing is safe. The internet of things has made this a problem because of poor security on devices. Windows is "secure" except when people have used their same passwords or email addresses or other private data on other insecure devices. Hackers are gaining access to the crappy devices, gathering "data" like usernames/passwords and then breaching more secure systems (like windows or routers) with that data.

Your turn.
 
