May 19, 2014 at 5:26 PM #2318
How much of a security risk is UPnP?
The reason I ask is because today I had the Win 7 machine here up, but in SAFE mode (with networking). I was sort of interested in whether it was doing anything on the internet, so was sniffing the internet connection.
The only traffic I saw were inbound packets to port 47400 UDP from a bunch of different locations. All of these seemed to be from probably individuals on broadband locations (although not sure if that applied to one from Russia).
My router only is supposed to forward inbound traffic for what I have set up in its forwarding table, and that particular port did not ring any bells with me. I attempted to forward that port to an IP address I have set for my DMZ, and the router refused because that port was already set for forwarding. Poking around, I found that was because the UPnP was activated, and its target was my Win 7 machine on port 47400.
I seem to remember turning the UPnP on in the router setup, supposedly their help file indicated it was needed for discovery of devices (like printers and such) on my network. But, I don’t remember ever setting anything for a particular device or port number on my LAN.
I have disabled the UPnP in the router, everything on my side of the router seems to still be working.
Do I need the UPnP on for anything? If I do have it on, what are the risks of the inbound traffic? FWIW, these seemed to average maybe 4 an hour. At least the Windoze 7 seemed smart enough to not respond to them.
May 20, 2014 at 10:13 AM #2320
I’ve been disabling UPnP on my routers for a while, because I heard it was a security risk, but I never knew why.
I just saw this article which says the risk with UPnP is that you’re assuming all applications running on the LAN are trustworthy. Any of them are allowed to temporarily open ports on the router. So if you’re sure you don’t have any malware, UPnP might not be that unsafe.
I haven’t needed to manually open any ports and haven’t noticed any problems. I think it’s usually fine because most firewalls / routers are set up to allow incoming packets for related / established TCP connections.
May 20, 2014 at 10:48 AM #2321
I expect that everything on the LAN is clean — but very honestly, I don’t know how to check for that. One reason to sniff the internet traffic at times to see if anything might be going on. Essentially, I am looking for outbound traffic that I can’t explain.
Yesterday, in about a 3 hour period, I was able to log 62 inbound attempts to access something on my IP address. The largest number were directed to port 47400, which is the port that the router had for the UPnP forwarding. Close behind that were attempts to access a web server on port 80.
I do have a couple Mickey Mouse servers running, but they don’t respond to port 80 — you need to access them via a URL that does some port translations. And, there are some amateur radio links that require port forwarding at the router.
Everything here is run on off-beat port numbers.
My primary virus protection on this computer is Avast, which I think is reasonably good. But, it doesn’t catch everything. I have two different software distributions here that SuperAntiSpyware picks up infections on where nothing else does. Complaints to the vendors of those two (well-known) companies have never produced any response — although one did add a note on their d/l site that their software has been scanned by some other virus scanner and was clean.
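An added example, not part of the thread: the thread's two points (a UPnP mapping for port 47400 that nobody remembers creating, and any LAN application being allowed to open ports) suggest auditing the router's UPnP mapping table against the mappings you recognise. The sketch assumes the responses of the router's `GetGenericPortMappingEntry` action have already been collected; the sample responses, LAN addresses, descriptions and the `EXPECTED` allowlist are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a UPnP IGD GetGenericPortMappingEntryResponse
# (WANIPConnection:1); addresses, descriptions and port 8123 are made up.
SOAP_TEMPLATE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:GetGenericPortMappingEntryResponse
      xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>{ext}</NewExternalPort>
   <NewProtocol>{proto}</NewProtocol>
   <NewInternalPort>{int_port}</NewInternalPort>
   <NewInternalClient>{client}</NewInternalClient>
   <NewEnabled>1</NewEnabled>
   <NewPortMappingDescription>{desc}</NewPortMappingDescription>
   <NewLeaseDuration>0</NewLeaseDuration>
  </u:GetGenericPortMappingEntryResponse>
 </s:Body>
</s:Envelope>"""

SAMPLE_RESPONSES = [
    SOAP_TEMPLATE.format(ext=47400, proto="UDP", int_port=47400, client="192.168.1.20", desc="unknown app"),
    SOAP_TEMPLATE.format(ext=8123, proto="TCP", int_port=8123, client="192.168.1.30", desc="media server"),
]
# Mappings the admin recognises (hypothetical allowlist): (protocol, external port)
EXPECTED = {("TCP", 8123)}

def parse_mapping(soap_xml):
    """Extract the New* arguments from one port-mapping response."""
    fields = {}
    for el in ET.fromstring(soap_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix
        if tag.startswith("New"):
            fields[tag[3:]] = (el.text or "").strip()
    return fields

def unexpected_mappings(responses, expected):
    """Return enabled mappings that are not on the allowlist."""
    findings = []
    for xml_text in responses:
        m = parse_mapping(xml_text)
        key = (m["Protocol"].upper(), int(m["ExternalPort"]))
        if m["Enabled"] == "1" and key not in expected:
            findings.append((key[0], key[1], m["InternalClient"], m["PortMappingDescription"]))
    return findings

if __name__ == "__main__":
    for proto, port, client, desc in unexpected_mappings(SAMPLE_RESPONSES, EXPECTED):
        print(f"unexpected UPnP mapping: {proto}/{port} -> {client} ({desc})")
```

The internal client address in each finding identifies which LAN machine requested the mapping, which is the host to inspect first.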