10-02-2018 06:25 AM
10-02-2018 07:07 AM
We are seeing a round of distributed scans/attacks on 10001 in our logs this morning. Someone is aware of how to exploit this and the attacks are increasing rapidly. Here is a snip of 1 second of the log file.
10-02-2018 09:51 AM
10-03-2018 05:48 PM
10-03-2018 05:59 PM
@mhoppes, my best guess is that it's a UDP amplification attack used as part of a botnet for targeted DDoS attacks. Sending a small UDP packet to the devices on 10001 will return a much larger UDP response to whatever they report as the source address, in this case the address of the DDoS victim.
10-04-2018 05:50 AM
10-04-2018 06:44 AM - edited 10-04-2018 02:29 PM
@aaronjclark it's definitely what it seems like. A quick look at shodan.io shows almost 1 million Ubiquiti devices online, reachable via the public IP. As far as things go, though, it seems like a very weak amplification attack. Previous wide-scale amplification attacks averaged 1000+ bytes per 56-byte packet; spending 56 bytes to get 206 'seems' inefficient to me. Shodan seems to scrape all radio data, though. Like it's using discovery to fetch it.
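A defender-side check for the two traits the posts above describe (many distinct sources probing UDP/10001 within the same second, and a 206-byte reply going out for every 56-byte request). This is an added example, not code from the thread or from Ubiquiti; the iptables-style log lines, hostname and addresses are constructed, and the field layout is assumed.

```python
import re
from collections import defaultdict

# Constructed iptables-style firewall log lines (not the thread's own log):
# three distinct hosts probe UDP/10001 in one second, one more a second later,
# and the CPE answers each 56-byte discovery request with a 206-byte reply.
SAMPLE_LOG = """\
Oct  2 06:25:01 cpe kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=40001 DPT=10001 LEN=56
Oct  2 06:25:01 cpe kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=UDP SPT=10001 DPT=40001 LEN=206
Oct  2 06:25:01 cpe kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=40002 DPT=10001 LEN=56
Oct  2 06:25:01 cpe kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 PROTO=UDP SPT=10001 DPT=40002 LEN=206
Oct  2 06:25:01 cpe kernel: IN=eth0 OUT= SRC=198.51.100.22 DST=192.0.2.10 PROTO=UDP SPT=40003 DPT=10001 LEN=56
Oct  2 06:25:01 cpe kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.22 PROTO=UDP SPT=10001 DPT=40003 LEN=206
Oct  2 06:25:02 cpe kernel: IN=eth0 OUT= SRC=203.0.113.40 DST=192.0.2.10 PROTO=UDP SPT=40004 DPT=10001 LEN=56
Oct  2 06:25:02 cpe kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.40 PROTO=UDP SPT=10001 DPT=40004 LEN=206
Oct  2 06:25:02 cpe kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=50000 DPT=443 LEN=60
"""

# Assumed field order: timestamp, then IN/OUT/SRC/DST/PROTO/SPT/DPT/LEN.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?IN=(?P<in>\S*) OUT=(?P<out>\S*) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) LEN=(?P<len>\d+)")

def parse(log):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["spt"], d["dpt"], d["len"] = int(d["spt"]), int(d["dpt"]), int(d["len"])
            yield d

def amplification_ratio(log, port=10001):
    """Bytes sent from UDP/port divided by bytes received on UDP/port (0.0 if none received)."""
    recs = [r for r in parse(log) if r["proto"] == "UDP"]
    inbound = sum(r["len"] for r in recs if r["in"] and r["dpt"] == port)
    outbound = sum(r["len"] for r in recs if r["out"] and r["spt"] == port)
    return outbound / inbound if inbound else 0.0

def distributed_probe_seconds(log, port=10001, min_sources=3):
    """Map each second in which at least min_sources distinct hosts hit UDP/port to that count."""
    per_sec = defaultdict(set)
    for r in parse(log):
        if r["in"] and r["proto"] == "UDP" and r["dpt"] == port:
            per_sec[r["ts"]].add(r["src"])
    return {ts: len(s) for ts, s in per_sec.items() if len(s) >= min_sources}

if __name__ == "__main__":
    print(f"amplification x{amplification_ratio(SAMPLE_LOG):.2f}", distributed_probe_seconds(SAMPLE_LOG))
```

A ratio well above 1 on a WAN interface, together with bursts of distinct sources in a single second, is the signature to alert on; a WAN rule dropping inbound UDP/10001 brings the ratio back to 0.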
10-31-2018 08:29 AM
@UBNT-SNK Any true fix for this yet outside of blocking port 10001? Also, while I have not fully confirmed it yet, I recently have had 2 CPEs exhibit the same symptoms even though I have had this port blocked for several months. Has there been a change in the attack vector?
Blocking 10001 from the WAN won't break UPnP. Further, it shouldn't be listening on the WAN to begin with. How hard is it to bind only to the LAN interface...
Oh, it breaks NAT-T. Yeah, that's annoying.
For sure, upnpd should not be listening on the WAN
This is not even config 101. This is remedial, elementary config, guys.