UPNP, "Standards" and hardware that implements it


    I've been writing a program in Java that is really just a robust front end for the use of GitHub Gists, providing a nice interface for developers to organize, maintain and access code snippets that we tend to need from time to time in our different projects.

    One of the features of the program is the ability for people to share their Gists with others who use the program over a LAN or over the Internet. The program just basically serializes a Java class and encrypts it then wraps it into a UDP datastream and sends it over to another user.

    So I decided to implement UPNP into the code for those scenarios when a user is behind a UPNP capable router.

    The router I've been using to test my code is a Netgear XR1000, which is one of their high end gaming routers built on the DumaOS operating system, but I've been having some rather serious issues with this router and the way it responds to UPNP broadcasts which my code sends out - looking for a response so it can know where the router is and so it can send other UPNP commands to the router.

    Specifically, the problem I'm seeing with this router, is that it does not respond to every broadcast packet. In fact, I was seemingly getting no response at all so I wrote a small program that does nothing but send out these broadcast packets every 5 seconds, while another class listens for any responses and then I let that program run for like an hour while I recorded router replies in a database along with the time that elapsed between actual router responses. While that program was running, I also had a Wireshark session running so that I could compare what I saw in the data with captured packets coming from the router - filtered for UPNP responses.

    The results of the test were insanely troubling.

    As this code continued to send broadcast packets every 5 seconds, I would expect a properly designed router to send a single response to EVERY packet that I sent out. Instead, what I got back from the router was a response with no pattern that could be seen ... sometimes it would respond once every 3 to 5 minutes ... and sometimes it would even go a full hour before it ever responded.

    I pulled down the defined UPNP standards from the IEEE web site (I believe) and though the language in the standard does not emphasize that a device which implements UPNP must respond to every broadcast seeking service announcement, it does define the amount of time that is allowed to transpire between the moment when a device sees that packet and when that device can respond to that packet and the allotted time for responding was something like up to 5 seconds with some leeway being permitted for various reasons.

    It seemed to me that even though the standard does not mandate a one for one response, that is certainly IMPLIED by the fact that there is a rigid definition of time allotted for response delay.

    So I decided that I wanted to bring my observations up with Netgear so before I created a trouble ticket, I figured I better get my ducks in a row. So in the interest of being thorough, I repeated my test starting with the first release of router firmware for this router then after running the test and collecting data for about an hour and a half, I would then flash the next version of the firmware and repeat the test - then I kept doing this until the router was on the latest released firmware.

    I compiled the data into some nice looking spreadsheet charts and I wrote up a description of everything that I saw and what I did and put it all into a PDF then I created a ticket which ended up being a total joke. Their tech support was less than accommodating and ended up closing my ticket after a LOT of back and forth where the ticket was seemingly escalated to someone who simply asked me if I power cycled the router but then when I didn't respond within two days, they just closed the ticket.

    Talk about frustrating!

    I do have another Netgear router which is a few years older than this one and I repeated my test with that router, and the results were what I expected to see with this router - I got one response for EVERY packet that I sent out.

    So really what my question is ... does anyone know if a one-for-one response would be something that is either assumed to be true as a definition in the standard or if the behavior that I'm seeing would still qualify the router as being compliant with the standard? Because I'm considering whether or not I should take this issue up with the standards committee and see if I can get any kind of interest on that level who might have inroads into Netgear that I don't have access to in order to get their firmware fixed.

    But I'm kind of at a loss as to know where to go or who to take my case to in order to get Netgear to address this issue.
    Last edited by EasyGoing1; 07-16-2022, 07:19 PM.

    #2
    Re: UPNP, "Standards" and hardware that implements it

    They are too busy making things look cool and slowly patching security vulnerabilities to care about that kind of bug.
    "It's a feature anyway, a gaming router ignoring a stream of unnecessary packets."
    If you are going to complain make sure you use UPnP not UPNP.



      #3
      Re: UPNP, "Standards" and hardware that implements it

      I'm not good at networking but this whole automatic port forwarding thing is problematic as far as I know. I had one recent TP-Link router which was extremely glitchy with its upnp. The most popular open source home router firmware, OpenWRT, doesn't have UPNP at all, as far as I know, it's possible to install it, but the guide is buried somewhere in their documentation and they kind of tell people not to use it. The idea is that a malicious program could go ahead and open a port to the outside world, or a poorly written one could leave ports hanging open.



        #4
        Re: UPNP, "Standards" and hardware that implements it

        wasn't uPNP seen as a security risk?



          #5
          Re: UPNP, "Standards" and hardware that implements it

          Originally posted by stj View Post
          wasn't uPNP seen as a security risk?
          Yes ... and kinda ...

          Originally posted by ribcage View Post
          I'm not good at networking but this whole automatic port forwarding thing is problematic as far as I know. I had one recent TP-Link router which was extremely glitchy with its upnp. The most popular open source home router firmware, OpenWRT, doesn't have UPNP at all, as far as I know, it's possible to install it, but the guide is buried somewhere in their documentation and they kind of tell people not to use it. The idea is that a malicious program could go ahead and open a port to the outside world, or a poorly written one could leave ports hanging open.
          So here's the thing with UPnP and security.

          First off, UPnP is a feature that exists on your firewall, and it is a free and open service that is only available to your PRIVATE network (people on the Internet cannot access your firewall's UPnP service).

          It allows any network connected computer / device etc. to open a port from the Internet back to itself.

          This matters because devices like the XBOX will need to be able to receive packets from the Internet that are destined to the XBOX in situations where the XBOX didn't specifically make a request for those packets. This is an important thing when gaming online because the gaming servers need to tell your xbox things such as - this person fired this bullet at you etc. etc. and your xbox if it had to query the server for every new update during the game, you can imagine what kind of lag that would cause, so it's important to be able to have a port opened on your firewall so the gaming servers can initiate contact with the xbox.

          Another common reason for port mapping, would be if you wanted to host a web server inside your house, you would need to open up port 80 on the public interface of your firewall and tell your firewall that any traffic coming from the Internet on port 80 needs to get forwarded to a specific private IP address (192.168.1.x) that is inside your building.

          UPnP was created because trying to teach the average user how to map a port back to a device on their network proved to be a very difficult thing to do. It's difficult enough trying to get people to grasp the concept, much less teach them how to map ports in firewalls. So UPnP made the process simple by allowing a method for devices to map their own ports.

          But since it is a service that offers no challenge to the device opening the port (meaning it doesn't ask for a username / password), then YES, any device or program that is running on a device that is attached to your network can create a port mapping from the public side of your firewall back to itself.

          IN TERMS OF RISK, if you wanted to make a statement that you are potentially vulnerable to attacks via malicious software opening a port back to your device, then you have to first explain how that malicious software got onto your device in the first place. And these days especially, if your operating systems are all updated with the most recent patches, then the possibility of unknowingly downloading such software ranges from slim to none.

          So YES, there is a risk because it's an open platform, but the probability that you could ever be exploited by something using that method ... well ... you'd have better luck winning the lottery than ever being harmed by rogue software exploiting your UPnP service in your firewall.

          The people on OpenWRT forums are standard Network Engineer types and because they want to limit their own liability they will always say it's a bad idea to use UPnP, but I think it could be said that they are being overly paranoid.

          I've installed UPnP on OpenWRT before, it's not that difficult. If you need some help, let me know.
          Last edited by EasyGoing1; 01-06-2023, 05:43 AM.



            #6
            Re: UPNP, "Standards" and hardware that implements it

            Originally posted by diif View Post
            If you are going to complain make sure you use UPnP not UPNP.
            You're gonna bust my balls over type case?



              #7
              Re: UPNP, "Standards" and hardware that implements it

              so in short, devices can configure tunneling or forwarding on the router?



                #8
                Re: UPNP, "Standards" and hardware that implements it

                UPnP should have been a standard for a while and its sole purpose is indeed to be able to punch holes in the router to allow for incoming port forwarding/NAT.

                I've only experienced one UPnP router, my friend's FiOS router. I was able to use a upnp library in Linux to punch arbitrary holes, most notably, be able to open a port so that I can ssh to their machine and set up a webserver.

                This is risky. Any arbitrary piece of software on the LAN can open one port, two ports, hundreds of ports to any machine on the network. So yes, you can make one machine open a port forward to another machine, delete mappings for other machines, and hijack mappings to different machines. So these abilities...yes this is a security hole.

                However if you know trust all the UPnP software you have, it's not that much more insecure than any other piece of software, it's a "local" exploit (unless if you download a trojan horse.)

                Unfortunately UPnP is a somewhat elegant solution to solving the NAT problem, however, it requires that security override and router support. So software devs ended up opting for client-server operation requiring an intermediate to solve peer to peer connectivity, since NAT does not require any incoming port forwarding.

                Easier, alas, requires that server to feed all the data through it instead of just metadata.



                  #9
                  Re: UPNP, "Standards" and hardware that implements it

                  Originally posted by EasyGoing1 View Post
                  You're gonna bust my balls over type case?
                  You're a network professional going on a half page rant about some garbage consumer junk that you know is junk, you'd know if I was busting your balls.



                    #10
                    Re: UPNP, "Standards" and hardware that implements it

                    Originally posted by EasyGoing1 View Post
                    This is an important thing when gaming online because the gaming servers need to tell your xbox things such as - this person fired this bullet at you etc. etc. and your xbox if it had to query the server for every new update during the game, you can imagine what kind of lag that would cause, so it's important to be able to have a port opened on your firewall so the gaming servers can initiate contact with the xbox.
                    I doubt that's how it works on xbox, it's certainly not how it works on most PC games. On PC, usually only the server needs to allow incoming connections, then you can try to connect and after the server accepts your connection, there is constant exchange of data between you and the server, so there's no need to re-initiate the connection every time someone fires a bullet. I think most games use UDP packets for things like shooting and moving around, because there is no point in resending packets if they get lost, because by then it's already too late. Again, my networking knowledge sucks.

                    Originally posted by EasyGoing1 View Post
                    But since it is a service that offers no challenge to the device opening the port (meaning it doesn't ask for a username / password), then YES, any device or program that is running on a device that is attached to your network can create a port mapping from the public side of your firewall back to itself.
                    I think a confirmation by the user would be a pretty good solution.

                    Originally posted by EasyGoing1 View Post
                    I've installed UPnP on OpenWRT before, it's not that difficult. If you need some help, let me know.
                    I was once about to flash my cheap TP-Link router with OpenWRT because the stock firmware was glitching, but I wanted UPnP and PPTP VPN passthrough/GRE or whatever it's called, and the OpenWRT documentation was just too vague about these things and I didn't want to risk not getting it to work, so I just updated the stock firmware which fixed most problems...

                    Originally posted by eccerr0r View Post
                    This is risky. Any arbitrary piece of software on the LAN can open one port, two ports, hundreds of ports to any machine on the network. So yes, you can make one machine open a port forward to another machine, delete mappings for other machines, and hijack mappings to different machines. So these abilities...yes this is a security hole.
                    I just tried it on my TP-Link router, and I couldn't open ports for other IPs on the LAN. I used UPnP PortMapper (https://sourceforge.net/projects/upnp-portmapper/). Maybe it behaves differently on each UPnP implementation.

                    EDIT: Guess what... I was not able to map ports for other IPs, but I was able to delete mapping for other IPs!... Wow.
                    Last edited by ribcage; 01-15-2023, 04:05 AM.



                      #11
                      Re: UPNP, "Standards" and hardware that implements it

                      Originally posted by ribcage View Post
                      I doubt that's how it works on xbox, it's certainly not how it works on most PC games. On PC, usually only the server needs to allow incoming connections, then you can try to connect and after the server accepts your connection, there is constant exchange of data between you and the server, so there's no need to re-initiate the connection every time someone fires a bullet. I think most games use UDP packets for things like shooting and moving around, because there is no point in resending packets if they get lost, because by then it's already too late. Again, my networking knowledge sucks.
                      UDP would be the obvious choice since error correction would be a moot point in an online fast-paced gaming environment. And in terms of a gaming device needing to map ports back to itself, I'm not quite sure how it (gaming console or PC) would be able to establish a connection such that the gaming server would be able to send packets back to the device that the device did not request outside of port address translation which is what UPnP provides to devices. Unless there is a tunnel established, there would be no way for a server to notify a console (or a PC) that a bullet was fired by another user outside of having a port mapped back to the console (or PC) via UPnP (or manually adding the translation rule in the firewall which is not what most people understand which is why UPnP was created in the first place). And having a nailed-up tunnel is a ton of overhead that would make the entire online gaming experience next to impossible to be done in any sense of "real-time". But maybe there might be some kind of custom protocol being implemented with PCs to gaming servers that establish some kind of a light tunnel that permits un-requested packets to travel in both directions, but I'm not familiar with any tech like that. Are you positive that your PC does not utilize UPnP in a fast-paced online gaming environment?

                      Originally posted by ribcage View Post
                      I think a confirmation by the user would be a pretty good solution.
                      Sure it would ... but then how does the router prompt that response from the user? What software needs to be running on the user's PC or console so that a router-initiated prompt like that could even be presented in the first place much less responded to? That has a huge hole in it ... meaning if the appropriate software isn't on the user's console or PC, does the router then just ignore the request for the port mapping? They had to draw a line somewhere and they erred on the "usability" side of that line ... not to mention the complexity that would be added to UPnP in general just in implementing a user response method in the first place.


                      Originally posted by ribcage View Post
                      I was once about to flash my cheap TP-Link router with OpenWRT because the stock firmware was glitching, but I wanted UPnP and PPTP VPN passthrough/GRE or whatever it's called, and the OpenWRT documentation was just too vague about these things and I didn't want to risk not getting it to work, so I just updated the stock firmware which fixed most problems...
                      GRE tunnels are an oxymoron in and of themselves. They are intended to be a simplistic means of creating tunnels where end points don't need to be rigidly defined (changing IP addresses being the main reason why they exist in the first place) yet when it comes to actually configuring a router for a GRE tunnel, the configuration is anything but simple. I never had much luck with them and always reverted to nailed tunnels - implementing dynamic DNS in situations where the IP address of an end point ever changed, but even those tunnels could only be established from a single direction since they won't accept inbound traffic from an unknown IP address.

                      Originally posted by ribcage View Post
                      EDIT: Guess what... I was not able to map ports for other IPs, but I was able to delete mapping for other IPs!... Wow.
                      From a UPnP engineer's perspective, allowing a different device to over-rule a port map that the router already has in its mapping tables might make sense.

                      Let's say that the IP address of your XBOX has changed because it was rebooted or whatever ... and it needs to PAT port 56000 ... but 56000 is already PATted from a different private IP address, the router has no way of confirming that the original IP address still needs access to that port, so it defers to the device that is most recently requesting changes in that port mapping ... which makes sense to me.

                      It should also be noted that removing a port mapping before requesting a map is not only common, it's kind of "best practice" where a device ensures that it cleans up its own mess before making port mapping requests. Otherwise, if it just made requests for a new port mapping before removing any past maps, when its IP address is different (because of the reboot etc.) it might be inadvertently leaving port mappings open to a different IP address that might be live which would be a security issue. So allowing any device to remove a port map would be the most secure way to implement dynamic port mapping in the first place. Better to let something remove a map than to allow any willy-nilly mapping to any IP address.

                      Deleting mappings is not a security hole ... but allowing any device to map ports to any other device IS a security hole.
                      Last edited by EasyGoing1; 01-25-2023, 09:12 AM.



                        #12
                        Re: UPNP, "Standards" and hardware that implements it

                        Originally posted by eccerr0r View Post
                        This is risky. Any arbitrary piece of software on the LAN can open one port, two ports, hundreds of ports to any machine on the network.
                        It shouldn't be possible for a private IP address to map ports to an IP address that is different than the IP assigned to the requesting device. I believe the UPnP standard is defined such that only the requesting IP can map ports back to itself.

                        This of course isn't any rigid kind of security, but it would make it a lot harder for a hacker to exploit a single machine then provide themselves unrestricted access to every IP in a given private subnet.



                          #13
                          Re: UPNP, "Standards" and hardware that implements it

                          Originally posted by diif View Post
                          You're a network professional going on a half page rant about some garbage consumer junk that you know is junk, you'd know if I was busting your balls.
                          I've seen UPnP, UPNP and upnp used even in professionally published documents before. You are TECHNICALLY correct but in the context of a BadCaps forum? PLEASE!



                            #14
                            Re: UPNP, "Standards" and hardware that implements it

                            Originally posted by EasyGoing1 View Post
                            It shouldn't be possible for a private IP address to map ports to an IP address that is different than the IP assigned to the requesting device. I believe the UPnP standard is defined such that only the requesting IP can map ports back to itself.

                            This of course isn't any rigid kind of security, but it would make it a lot harder for a hacker to exploit a single machine then provide themselves unrestricted access to every IP in a given private subnet.
                            that's the thing, it "shouldn't" but I've seen one implementation that does allow it, whether it deletes and recreates or whatnot... and not only that, this all can be spoofed so this is sort of something that can't be avoided.



                              #15
                              Re: UPNP, "Standards" and hardware that implements it

                              Originally posted by EasyGoing1 View Post
                              I've seen UPnP, UPNP and upnp used even in professionally published documents before. You are TECHNICALLY correct but in the context of a BadCaps forum? PLEASE!
                              Perhaps they were written by someone that didn't know.
                              You're bigly missing the point though.



                                #16
                                Re: UPNP, "Standards" and hardware that implements it

                                Originally posted by eccerr0r View Post
                                that's the thing, it "shouldn't" but I've seen one implementation that does allow it, whether it deletes and recreates or whatnot... and not only that, this all can be spoofed so this is sort of something that can't be avoided.
                                If the service in the firewall was written to the published standard, the router won't accept a port mapping to any IP address other than the requesting IP address.

                                I'm not sure what you mean by "spoofing", but if you're suggesting that someone from the Internet could somehow create a port map without first obtaining access to a machine in the private network, then whoever designed that firewall / router should be publicly flogged because there is no path to that service from the external interface on a firewall. But again, this assumes that the firewall was coded according to standards.

                                Comment
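The mapping rules argued over in posts #8 to #16 (a host adding a mapping for another machine, or overwriting or deleting a mapping it does not own), written as detection logic over captured UPnP IGD control requests. This is an added example, not code from any poster or router vendor; the function names, rule labels and the constructed SAMPLE traffic are assumptions, while the action and argument names are those of the WANIPConnection:1 service.

```python
import ipaddress
import xml.etree.ElementTree as ET

SOAP_BODY = "{http://schemas.xmlsoap.org/soap/envelope/}Body"
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"

def parse_action(body):
    """Return (action_name, {argument: value}) from one SOAP control request body."""
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        raise ValueError("DTD or entity declaration in SOAP body")
    soap_body = ET.fromstring(body).find(SOAP_BODY)
    if soap_body is None or len(soap_body) != 1:
        raise ValueError("expected exactly one action element")
    action = soap_body[0]
    ns, _, name = action.tag.rpartition("}")
    if ns != "{" + WANIP_NS:
        raise ValueError("not a WANIPConnection action")
    return name, {arg.tag: (arg.text or "").strip() for arg in action}

def same_host(a, b):
    """Compare two addresses, normalising IP literals; other strings compare case-insensitively."""
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return a.lower() == b.lower()

def audit(requests):
    """Replay (source_ip, soap_body) pairs in order; return (rule, source_ip, key) findings."""
    table = {}      # (external port, protocol) -> (internal client, requester)
    findings = []
    for src, body in requests:
        try:
            name, args = parse_action(body)
            if name not in ("AddPortMapping", "DeletePortMapping"):
                continue
            key = (int(args["NewExternalPort"]), args["NewProtocol"].upper())
        except (ValueError, KeyError, ET.ParseError):
            findings.append(("unparseable", src, None))
            continue
        known = table.get(key)
        # "foreign": the sender neither receives this mapping's traffic nor created it
        foreign = known is not None and not any(same_host(src, h) for h in known)
        if name == "AddPortMapping":
            client = args.get("NewInternalClient", "")
            if not same_host(src, client):
                findings.append(("add-for-other-host", src, key))
            if foreign:
                findings.append(("overwrite-foreign-mapping", src, key))
            table[key] = (client, src)
        else:  # DeletePortMapping
            if foreign:
                findings.append(("delete-foreign-mapping", src, key))
            table.pop(key, None)
    return findings

def soap(action, **args):
    """Build a constructed control request body (sample input only)."""
    fields = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    return ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
            f'<s:Body><u:{action} xmlns:u="{WANIP_NS}">{fields}</u:{action}>'
            '</s:Body></s:Envelope>')

# Constructed sample traffic: (source IP of the request, SOAP body)
SAMPLE = [
    ("192.168.1.20", soap("AddPortMapping", NewExternalPort=56000, NewProtocol="UDP",
                          NewInternalPort=56000, NewInternalClient="192.168.1.20")),
    ("192.168.1.50", soap("AddPortMapping", NewExternalPort=2222, NewProtocol="TCP",
                          NewInternalPort=22, NewInternalClient="192.168.1.10")),
    ("192.168.1.50", soap("AddPortMapping", NewExternalPort=56000, NewProtocol="UDP",
                          NewInternalPort=56000, NewInternalClient="192.168.1.50")),
    ("192.168.1.30", soap("DeletePortMapping", NewExternalPort=56000, NewProtocol="UDP")),
    ("192.168.1.50", soap("DeletePortMapping", NewExternalPort=2222, NewProtocol="TCP")),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An overwrite or delete finding is a prompt for review rather than proof of abuse: the changed-IP cleanup case described in post #11 produces the same pattern.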


                                  #17
                                  Re: UPNP, "Standards" and hardware that implements it

                                  Originally posted by diif View Post
                                  Perhaps they were written by someone that didn't know.
                                  You're bigly missing the point though.
                                  What is your point then? What damage is done by using upnp vs UPnP vs uPnp or any variation thereof?



                                    #18
                                    Re: UPNP, "Standards" and hardware that implements it

                                    Originally posted by EasyGoing1 View Post
                                    What is your point then? What damage is done by using upnp vs UPnP vs uPnp or any variation thereof?
                                    Have you disabled DoS Protection?
