This is related to SSDP / UPNP and is a UDP amplification attack similar to the DNS and SNMP UDP attacks. Basically someone forges an IP source on a UDP packet and sends it to port 1900 on the router, and the router sends some larger amount of data back to the forged IP.

This port should not be enabled on the WAN interface, the router should only be listening on the WAN, but it appears several vendors have this issue. There may be a firmware patch, or turning off UPNP may fix the issue.

The Shadowserver reports will give you reports of open UDP ports on your network that can be used for amplification attacks.

https://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork

~Duncan

On 9/26/2014 10:41 AM, Bill Prince via Af wrote:

Got a report from someone that had traced a DDoS attack coming from one of our subscribers. It claimed the IP was going out on port 1900 to various and sundry IPs as part of a distributed attack.

I ran a torch on the IP, and sure enough, a bunch of connections were going out on port 1900.

Talked to the customer, and eliminated all their PCs/phones/etc. one by one, at which point it was only their Dlink router connected to the net.

Turning it off stopped the outbound traffic. Just to be sure, we re-connected the customer's wired PC, and no traffic.

So at this point, it appears that there was some sort of malware loaded on their Dlink. It's a DIR-655.

Anyone else seeing this?  Seen it?  Other comments?
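Added example, not code from either message on the list: a Python sketch of the two things described above, a constructed M-SEARCH probe and SSDP reply to show why a ~100-byte datagram draws back several hundred bytes, and a check over flow records for a subscriber IP answering from UDP/1900 to many destinations, the pattern Bill's torch showed. The packet contents, addresses and the flow-tuple format are all assumptions.

```python
from collections import defaultdict

# Constructed SSDP discovery probe, the kind of small datagram a spoofed
# source address would carry to UDP/1900 on the router's WAN side.
M_SEARCH = (
    b"M-SEARCH * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b'MAN: "ssdp:discover"\r\n'
    b"MX: 1\r\n"
    b"ST: ssdp:all\r\n\r\n"
)
# Constructed reply in the shape a UPnP-enabled gateway sends; an
# "ssdp:all" search draws one such reply per advertised device/service.
SSDP_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.0.2.1:49152/description.xml\r\n"
    b"SERVER: Linux/2.6 UPnP/1.0 ExampleRouter/1.0\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::"
    b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n"
)

def amplification_factor(request: bytes, replies: list) -> float:
    """Bytes delivered to the spoofed victim per byte the sender spent."""
    return sum(len(r) for r in replies) / len(request)

def ssdp_reflectors(flows, min_pkts=50, min_dsts=10):
    """flows: (src_ip, dst_ip, proto, src_port, dst_port, packets) tuples.
    A reflector answers from UDP/1900 to many unrelated destinations."""
    pkts, dsts = defaultdict(int), defaultdict(set)
    for src, dst, proto, sport, _dport, n in flows:
        if proto == "udp" and sport == 1900:
            pkts[src] += n
            dsts[src].add(dst)
    return sorted(s for s in pkts if pkts[s] >= min_pkts and len(dsts[s]) >= min_dsts)

# Constructed sample: one subscriber answering a dozen "victims", one normal host.
SAMPLE_FLOWS = [("203.0.113.7", f"198.51.100.{i}", "udp", 1900, 40000 + i, 10)
                for i in range(1, 13)]
SAMPLE_FLOWS.append(("203.0.113.8", "198.51.100.1", "udp", 1900, 41000, 2))

if __name__ == "__main__":
    print(f"amplification x{amplification_factor(M_SEARCH, [SSDP_REPLY]):.1f}")
    print("suspected reflectors:", ssdp_reflectors(SAMPLE_FLOWS))
```

Feeding real flow exports (or torch output turned into the same tuples) through `ssdp_reflectors` gives a quick list of subscriber IPs worth a call like the one Bill made.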