UPnP: Actual security risks of allowing ports below 1024.

[sfx2000]

um no. If you turn on UPNP, you authorize devices to open ports. Depending on the implementation of upnp, it can either open ports to itself or other devices. More secure upnp implementations restrict it to its own device

um... remember SPI firewall - uPNP will open a port to a client, but SPI watches every packet, and only accepts packet in acknowledgement from the client.. so at most, the singular client is at risk, not the whole LAN/WLAN...

 

[Calisro]

um... remember SPI firewall - uPNP will open a port to a client, but SPI watches every packet, and only accepts packet in acknowledgement from the client.. so at most, the singular client is at risk, not the whole LAN/WLAN...

SPI does not stop a reverse proxies because the packets ARE going to the correct device which expose the entire lan.

It would be nice if upnp could easily be restricted by may address so it can be used only where really "required" by dump xboxes or similar devices.

 

[Calisro]

How does this expose the entire LAN?

UPNP port gets open to camera. Camera firmware hacked to add a proxy (about 30 lines of code). Use a tool like proxychains to comnect to that proxy from outside. I can now connect THROUGH that camera and its proxy to an machine on your local lan.

Reference:
http://blog.shekyan.com/ip-camera/

 

[RMerlin]

No, it doesn't - uPNP is client specific, and presents a bit of a threat, but being behind a modern SOHO Router/AP, the SPI firewall and NAT solves that problem.

Next?

My take on UPNP is that if you are running a rogue application that can use UPNP to forward a port, then it's already game over for you. That same application could just connect back to a C&C server, and do the same amount of damage, so you are already compromised, UPNP or not.

So for a home network, UPNP is fine. For a business network, I wouldn't enable that, because your employees could then do silly things to your network setup.

 

[sfx2000]

For a business network, I wouldn't enable that, because your employees could then do silly things to your network setup.

This is actually the best reason why not to enable uPNP - in a small biz network, uPNP has no business being there.

But for Joe Six-Pack at home trying to work his XBox/Playstation, uPNP has it's place...

 

[reerden]

Well, this thread blew up a little. I was trying to see what others opinions were about miniUPnP's default disallowed ports and ended up with a discussion about the security of UPnP itself.

I might have acted a little bit inexperienced in my post to see where the discussion was heading. I do actually have an IT background and know the implications about port forwarding well known ports, just wanted to check out other opinions. Sorry about that.

In my opinion, UPnP has security drawbacks, but so does explaining to family or friends how to forward a port.

And some devices simply don't allow you to set port configuration, like game consoles and some set top boxes. Would have been a lot easier if they did. You don't want to know how many help threads there are online simply because a lot of UPnP services on routers are not functioning correctly.

 

[sfx2000]

Well - I've been taken to the woodshed on this thread..

Got a PM this morning...

snip - edited for content - let's just say it called me (and perhaps others) on some non-social behavior​

Some folks might misunderstand how I approach things - I'm a recovering standards engineer - so I do focus on technical specifics, and that's layer 1-7, and there's times where I engage in layer 8 thru 10 (those are not documents, because standards) - but there are times where I fall back into form..

I will approach a position vigorously at times, but never consider my posts as a direct attack and yes, threads can get heated... and I regretted if afterwords - if someone is offended, well, I'm sorry, and if really hurt... well, not much I can do there.

We're all big kids here - and vigorous debate is good for all - this was a thread that perhaps needed a vigorous debate

Moving forward - I'll try to be "nice" to folks - and if this post earns me the banhammer - the community will go on... with or without me.

 

[Nullity]

sfx2000 - I think reposting a PM is a pretty shady act.

Though, I completely disagree with the PM. You are an asset to the forum (from the posts of yours I have seen).

Attack ideas, not people. People are obviously flawed, there is no counter-argument, lol.

 

[sfx2000]

sfx2000 - I think reposting a PM is a pretty shady act.

ok - that's cool..

This was strike two for me with moderation - just want everyone to be clear with where I am - and I think I wasn't the only one taken into the woodshed as it takes more than one... anyways, I'm inclined to move on...

I've never attacked people - ideas yes, sometimes combatively, but everyone here, just like in standards - I have a huge amount of respect every sub here, and most of us can do lunch/happy hour together, as it's part of a healthy discussion...

 

[Calisro]

"This message is awaiting moderator approval, and is invisible to normal visitors."

Guess this is the banhammer...

no. The spam filter catches key words and triggers it. Try adding fa*ke_hwclock to a post and it'll trigger it. (remove the star)

 

[jdabbs]

"This message is awaiting moderator approval, and is invisible to normal visitors."

Guess this is the banhammer...

Nope, just went into the moderation queue--approved as I see nothing out of line. Since your subsequent comment went through, queue-routing was likely keyword-triggered, as Calisro suggested.

 

[coxhaus]

If you use UPNP, use at your own risk. Once it is turned on anybody can open a port in router including a rogue app. I would never use UPNP. I can open the needed ports.

In the old days a lot of businesses shutdown high level ports above 1024 because there were viruses which used high ports. Low level ports below 1024 were tricky because there were lots of functions used by businesses in the low ports. Now days unfriendly software is much smarter: it can use all kinds of ports and can adapt on the fly so closing ports is not the big deal that it once was. Do not feel secure because you closed some ports. The best thing today is to use an UTM firewall like Untangle, Sophos, etc. if you are really worried.

 

[sfx2000]

Getting back on track to OP's question...

Internet -- SPI Firewall -- NAT -- Single Client

What uPNP does, is that it can open ports - and these can be uplink only, downlink only, or bidirectional... the uplink only isn't really a problem, as the SPI firewall can block that, but it cuts both ways...

A black-hat, can, sufficiently motivated do a couple of things - most common is to DDOS the IP/Port and kick one off a network game - which going back to the xboxen/paystations, is the likely outcome - but some might take it a step further, as many devices can use uPNP to provide services...

And once that port is open, and that device is exposed, you're now dependent on the vendor there to do the right thing - and WebCAM's are a good example of how not to secure a web service on any port - it's not just about ports below 1024 these days, and they've got it automated, and the exploits are well known there.

Most blackhats are going to attack the router directly, as many have issues there...

Going back to uPNP - it's the whole issue of hole punching and trust behind the firewall - and a lot of Home gateways that do uPNP have little security - which means that while some apps might need it, it also pays to

a) firewalls on the clients - Windows/Mac have very effective implementations there, windows by default, macs by option and yes, do enable

b) practice safe-hex - don't depend on that router to close the port when it's done

Between consoles and a couple of VoIP apps, this stuff drives me nuts, and it is something that I do care about.

(let's not get started with VPN's on this thread ok? Security issues there are much worse that uPNP/NAT-PMP)