LISTSERV 16.0 - MSUNAG Archives

That brings up the whole discussion of whether or not ISPs should be involved in blocking ports for the unaware masses.  My personal opinion is that they should, but it would be nice if they offered an option to remove the filtering on a per-customer basis.  Port 1900 troubles aren't anything new, either.  This was a big issue a decade ago and there was a big stink made about it.  XP machines directly attached to the internet were getting compromised, and some (but not all) ISPs decided to do their part in protecting their users.  Here we are, a decade later, and roughly 80 million IPs responded to UPnP requests.  Cox may be filtering 1900, but I don't think every big ISP is dealing with this.  I'm not seeing info from Comcast or AT&T regarding port 1900, but it might be buried in the sea of web pages about the decade old issue.  Verizon (not wireless) seems to be attacking this at the hardware level, rather than blocking port 1900.  It would be nice if ISPs took care of this, but they aren't required to.

-----Original Message-----
From: David Graff [mailto:[log in to unmask]] 
Sent: Wednesday, February 20, 2013 10:04 AM
To: [log in to unmask]
Subject: Re: [MSUNAG] UPnP Router Vulnerability

In that vein, we have seen plenty of routers over the years that expose
their administration page over the outward interface on 80/443 and that is a
big reason why ISPs are blocking those ports on residential connections.
It's trivial to control uPnP's behavior at the ISP level in the same way.

I found documentation from Cox saying they do this, I would assume all the
big names have similar policies.

http://ww2.cox.com/residential/centralflorida/support/internet/article.cox?articleId=cacf82f0-6407-11df-ccef-000000000000

On Wed, 20 Feb 2013 08:16:53 -0500, Kwiatkowski, Nicholas
<[log in to unmask]> wrote:

>I think one of the vulnerabilities is that UPnP was accessible from the
external interface, not just the internal one (like it supposed to be). 
This would allow a remote attacker to map ports to internal machines without
the end-user knowing to GAIN access to their system.  There were even some
cheap routers that allowed you to turn off UPnP on the internal interface
(and claimed it was turned off), but it still answered requests on the
external interface, allowing the attacker to do things like map ports,
change passwords on the device and cause other havoc.
>
>-Nick