UPnP comes enabled by default on many new routers. At one point, the FBI and other security experts recommended disabling UPnP for security reasons. But how secure is UPnP today? Are we trading security for convenience when using UPnP?
uTorrent is a typical example: its preferences contain options to enable UPnP port mapping and NAT-PMP port mapping. After enabling UPnP port mapping, it is equally important to check that it is actually working; in uTorrent, the Logger tab shows whether the port was successfully mapped over UPnP when a download starts.
UPnP stands for “Universal Plug and Play.” Using UPnP, an application can automatically forward a port on your router, saving you the hassle of forwarding ports manually. We’ll be looking at the reasons people recommend disabling UPnP, so we can get a clear picture of the security risks.
Malware On Your Network Can Use UPnP
A virus, Trojan horse, worm, or other malicious program that manages to infect a computer on your local network can use UPnP, just like legitimate programs can. While a router normally blocks incoming connections, preventing some malicious access, UPnP lets a malicious program punch a hole through the firewall itself. For example, a Trojan horse could install a remote control program on your computer and open a port for it in your router’s firewall, allowing 24/7 access to your computer from the Internet. If UPnP were disabled, the program couldn’t open the port – although it could still phone home over an outbound connection, which a home router does not block.
Is This a Problem? Yes. There’s no getting around this one – UPnP assumes local programs are trustworthy and allows them to forward ports. If malware not being able to forward ports is important to you, you’ll want to disable UPnP.
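The exchange described above, as an added example in Python (not code from the original article, nor from any router or malware): a LAN program multicasts an SSDP search to find the gateway, parses the reply, walks the device description to the WANIPConnection control URL, and posts a SOAP AddPortMapping request to it. The same request is what the Flash applet discussed later in this article sends. The router address, description URL and port values in the constructed sample messages are assumptions.

```python
"""UPnP IGD port-mapping exchange, as seen from a program on the LAN.

Added example, not code from the original article. The sample reply and
device description at the bottom are constructed; the router address,
URL and port values in them are assumptions."""
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

SSDP_HOST, SSDP_PORT = "239.255.255.250", 1900
IGD = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
DEV_NS = "{urn:schemas-upnp-org:device-1-0}"  # ElementTree tag prefix


def build_msearch(search_target: str = IGD) -> bytes:
    """Step 1: SSDP M-SEARCH multicast; every IGD on the LAN replies."""
    return (
        f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_HOST}:{SSDP_PORT}\r\n"
        f'MAN: "ssdp:discover"\r\nMX: 2\r\nST: {search_target}\r\n\r\n'
    ).encode("ascii")


def parse_ssdp_response(data: bytes) -> dict:
    """Step 2: headers of the unicast 200 OK; LOCATION is the description URL."""
    head = data.decode("utf-8", errors="replace").split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        raise ValueError(f"unexpected SSDP status: {status!r}")
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if "location" not in headers:
        raise ValueError("SSDP reply carries no LOCATION header")
    return headers


def find_control_url(description_xml: str, location: str,
                     service_type: str = WANIP) -> str:
    """Step 3: controlURL of the WANIPConnection service (may be relative)."""
    root = ET.fromstring(description_xml)
    for svc in root.iter(DEV_NS + "service"):
        if svc.findtext(DEV_NS + "serviceType") == service_type:
            return urljoin(location, svc.findtext(DEV_NS + "controlURL"))
    raise LookupError(f"no {service_type} service advertised")


def build_add_port_mapping(external_port: int, protocol: str,
                           internal_client: str, internal_port: int,
                           description: str = "example") -> tuple:
    """Step 4: the SOAP call. It carries no credential of any kind; the
    router knows only which LAN address the TCP connection came from."""
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:AddPortMapping xmlns:u="{WANIP}">'
        "<NewRemoteHost></NewRemoteHost>"
        f"<NewExternalPort>{int(external_port)}</NewExternalPort>"
        f"<NewProtocol>{protocol}</NewProtocol>"
        f"<NewInternalPort>{int(internal_port)}</NewInternalPort>"
        f"<NewInternalClient>{internal_client}</NewInternalClient>"
        "<NewEnabled>1</NewEnabled>"
        f"<NewPortMappingDescription>{description}</NewPortMappingDescription>"
        "<NewLeaseDuration>0</NewLeaseDuration>"
        "</u:AddPortMapping></s:Body></s:Envelope>"
    )
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{WANIP}#AddPortMapping"'}
    return headers, body


def discover(timeout: float = 3.0) -> list:
    """Steps 1+2 against the real LAN (needs a network): [(ip, headers)]."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_msearch(), (SSDP_HOST, SSDP_PORT))
        while True:
            try:
                data, peer = sock.recvfrom(65535)
            except socket.timeout:
                return replies
            replies.append((peer[0], parse_ssdp_response(data)))


# Constructed sample traffic; the router at 192.168.0.1 is an assumption.
SAMPLE_SSDP_REPLY = (
    b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\nEXT:\r\n"
    b"LOCATION: http://192.168.0.1:1900/igd.xml\r\nSERVER: Example UPnP/1.0\r\n"
    b"ST: " + IGD.encode() + b"\r\nUSN: uuid:0001::" + IGD.encode() + b"\r\n\r\n"
)
SAMPLE_DESCRIPTION = (
    '<?xml version="1.0"?><root xmlns="urn:schemas-upnp-org:device-1-0">'
    f"<device><deviceType>{IGD}</deviceType><deviceList><device><deviceList>"
    f"<device><serviceList><service><serviceType>{WANIP}</serviceType>"
    "<controlURL>/ctl/IPConn</controlURL></service></serviceList>"
    "</device></deviceList></device></deviceList></device></root>"
)
```

Nothing in the four steps identifies or authorises the caller: a torrent client and a Trojan on the same machine send byte-for-byte the same request and get the same treatment. `discover()` performs the first two steps on the real network and is a quick way to confirm that no gateway still answers once UPnP has been switched off on the router.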
The FBI Told People to Disable UPnP
Near the end of 2001, the FBI’s National Infrastructure Protection Center advised all users to disable UPnP because of a buffer overflow in Windows XP’s UPnP implementation. This bug was fixed by a security patch. The NIPC actually issued a correction for this advice later, after they realized that the problem wasn’t in UPnP itself. (Source)
Is This a Problem? No. While some people may remember the NIPC’s advisory and have a negative view of UPnP, this advice was misguided at the time and the specific problem was fixed by a patch for Windows XP over ten years ago.
The Flash UPnP Attack
UPnP doesn’t require any sort of authentication from the user. Any application running on your computer can ask the router to forward a port over UPnP, which is why the malware above can abuse UPnP. You might assume that you’re secure as long as no malware is running on any local devices – but you’re probably wrong.
The Flash UPnP Attack was discovered in 2008. A specially crafted Flash applet, running on a web page inside your web browser, can send a UPnP request to your router and ask it to forward ports. For example, the applet could ask the router to forward ports 1-65535 to your computer, effectively exposing it to the entire Internet. The attacker would have to exploit a vulnerability in a network service running on your computer after doing this, though – using a firewall on your computer will help protect you.
Unfortunately, it gets worse — on some routers, a Flash applet could change the primary DNS server with a UPnP request. Port forwarding would be the least of your worries – a malicious DNS server could redirect traffic to other websites. For example, it could point Facebook.com at another IP address entirely – your web browser’s address bar would say Facebook.com, but you’d be using a website set up by a malicious organization.
Is This a Problem? Yes. I can’t find any sort of indication that this was ever fixed. Even if it was fixed (this would be difficult, as the root cause is the UPnP protocol itself: the router’s control URL accepts unauthenticated requests from anything that can reach it on the LAN, including a browser), many older routers still in use would be vulnerable.
Bad UPnP Implementations on Routers
The UPnP Hacks website contains a detailed list of security issues in the ways different routers implement UPnP. These aren’t necessarily problems with UPnP itself; they’re often problems with UPnP implementations. For example, many routers’ UPnP implementations don’t check input properly: the NewInternalClient address in an AddPortMapping request is taken at face value, so a malicious application might ask a router to redirect traffic to remote IP addresses on the Internet (instead of local IP addresses), and the router would comply, turning it into an open relay. On some Linux-based routers, it’s possible to exploit UPnP to run commands on the router. (Source) The website lists many other such problems.
Is This a Problem? Yes! Millions of routers in the wild are vulnerable. Many router manufacturers haven’t done a good job of securing their UPnP implementations.
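The input checks a careful router-side implementation would apply to an AddPortMapping request, as an added example in Python (not code from any router firmware or from the UPnP Hacks site). It puts the weak behaviour, accepting whatever the XML says, next to a validator that refuses the cases the text lists: a target outside the LAN, a request arriving from the WAN side, a mapping aimed at the router itself, and one LAN host opening ports for another. The LAN prefix and gateway address are assumptions; the "secure mode" flag follows the idea of miniupnpd’s secure_mode setting (only map to the requester), but the logic is this example’s own.

```python
"""Router-side validation of an AddPortMapping request.

Added example, not code from any router firmware. LAN, GATEWAY and the
allowed external port range are assumptions for the sake of the demo."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class PortMappingRequest:
    source_ip: str        # TCP peer that sent the SOAP request
    external_port: int    # NewExternalPort
    protocol: str         # NewProtocol
    internal_client: str  # NewInternalClient, verbatim from the XML
    internal_port: int    # NewInternalPort


LAN = ipaddress.ip_network("192.168.0.0/24")    # assumed LAN prefix
GATEWAY = ipaddress.ip_address("192.168.0.1")   # assumed router address
ALLOWED_EXTERNAL = range(1024, 65536)           # no privileged ports


def accept_anything(req: PortMappingRequest) -> list:
    """The weak implementation: install whatever the XML says. Never refuses."""
    return []


def validate(req: PortMappingRequest, lan=LAN, gateway=GATEWAY,
             secure_mode: bool = True, allowed=ALLOWED_EXTERNAL) -> list:
    """Return the reasons to refuse; an empty list means install the mapping."""
    errors = []
    try:
        src = ipaddress.ip_address(req.source_ip)
        client = ipaddress.ip_address(req.internal_client)
    except ValueError as exc:
        return [f"address is not an IP literal: {exc}"]
    if src not in lan:
        # Control URL reachable from the WAN: the request must be dropped.
        errors.append("request did not arrive from the LAN")
    if client not in lan:
        # Forwarding to an Internet host turns the router into a relay.
        errors.append("NewInternalClient is outside the LAN")
    elif client == gateway:
        # Exposing the router's own admin interface to the Internet.
        errors.append("NewInternalClient is the router itself")
    elif secure_mode and client != src:
        # One LAN host must not open ports on another (secure mode).
        errors.append("NewInternalClient differs from the requesting host")
    if req.protocol not in ("TCP", "UDP"):
        errors.append("protocol must be TCP or UDP")
    if req.external_port not in allowed:
        errors.append(f"external port {req.external_port} not permitted")
    if not 1 <= req.internal_port <= 65535:
        errors.append("internal port out of range")
    return errors
```

With `secure_mode` off, a program on one LAN machine can legitimately forward a port to another (a set-top box, say), which is exactly why the check is a policy knob rather than an absolute rule; the LAN-only and not-the-router checks have no such trade-off.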
Should You Disable UPnP?
When I started writing this post, I expected to conclude that UPnP’s flaws were fairly minor, a simple matter of trading a little bit of security for some convenience. Unfortunately, it does appear that UPnP has a lot of problems. If you don’t use applications that need port forwarding, such as peer-to-peer applications, game servers, and many VoIP programs, you may be better off disabling UPnP entirely. Heavy users of these applications will want to consider whether they’re prepared to give up some security for the convenience. You can still forward ports without UPnP; it’s just a bit more work. Check out our guide to port forwarding.
On the other hand, these router flaws are not actively being used in the wild, so the actual chance that you’ll come across malicious software that exploits flaws in your router’s UPnP implementation is fairly low. Some malware does use UPnP to forward ports (the Conficker worm, for example), but I haven’t come across an example of a piece of malware exploiting these router flaws.
How Do I Disable It? If your router supports UPnP, you’ll find an option to disable it in its web interface. Consult your router’s manual for more information. Afterwards, confirm the change actually took effect: the router should no longer answer an SSDP search for the InternetGatewayDevice device type from the LAN, and any forwards UPnP had created should be gone from its NAT or port-forwarding page.
Do you disagree about UPnP’s security? Leave a comment!
I have uTorrent 3.3.2 installed on two computers and on both computers it says that the port is not properly forwarded when I do the built-in port test.
I followed this guide to forward the ports.
Do I have to add something in the Source Net field, or just leave it blank? I've applied the settings (Apply Settings) and rebooted the router (Administration, Management, Reboot router) but I still don't get a check mark (pass) on the port test. I also tried changing the Source Net to 0.0.0.0 but to no avail.
I've also checked the Windows Firewall settings. Two exceptions were added when uTorrent was installed, one for TCP and one for UDP. I also tried adding a port exception manually. I even tried disabling the firewall but to no avail.
Are these settings correct? I'm not sure about the Port from, Port to and Source Net fields. And is there another way to check if the port is in fact being forwarded to get a second opinion?
Update 1 - UPnP
I'm not sure if this matters, but 'Enable UPnP port mapping' and 'Enable NAT-PMP port mapping' were enabled in uTorrent. But on the DD-WRT router, the 'UPnP Service' was disabled. I have now enabled it, and also removed the manual port forwards I had added earlier. I applied the settings and rebooted the router. Now I can see 'Teredo' in NAT, UPnP, Forwards. So it seems to be doing something, but I still get the yellow check mark in uTorrent when I do the port test. While typing this, another 'Teredo' entry just showed up for the second computer (192.168.0.104).
Update 2 - Now open
Okay, it appears to be open now. I guess enabling the 'UPnP Service' on the router did the trick? Here's what it looks like now in the router settings.
The port appears to be open, both in uTorrent and on yougetsignal.com.
Update 3 - Manual forwarding without UPnP
I'm not sure I want UPnP enabled. Is it safe to have UPnP Service enabled? What kind of implications does that have? Does that mean the router will be dynamically accepting all connections on all ports as they come in? I still want to manually forward the port I want.
I have disabled the UPnP Service. After doing that, the entries in the 'Forward' list (as seen on the screenshot above) were removed. Also, the yougetsignal.com website reports that the port is closed. At the same time, the built-in uTorrent port test reported that the port was still open. I don't trust that, it appears to be a false positive. So I rebooted the router, and now the port is reported as closed in uTorrent as well.
I currently don't have any port forwarding rules under 'Port Forwarding'. Where do I go from here? How do I manually set up a single port forward in DD-WRT without having to enable UPnP Service?
Update 4 - Got it!
I've gone back to square one and I think I got it now. I disabled 'UPnP Service' and added only one forwarding rule for one of the computers under 'Port Forwarding' menu. I then rebooted the router.
Now the built-in uTorrent port test says that the port is closed, but the web based port tester says it's open. I don't trust the uTorrent port test. So I'm pretty sure it's open now, not only because Yougetsignal.com says so, but because I got upload speeds of up to 500 KB/s and that's a good sign that there is outgoing traffic now.
While typing this I've also added a forwarding rule for the second computer and rebooted the router, and after starting up uTorrent on that machine (to begin port forwarding), it too now appears as closed in uTorrent but open on the web based port tester. It was showing up as closed at first, but I solved that by starting uTorrent activity. My guess is that the router was still blocking the port until I got some network activity going on.
Note how the small icon in the bottom right corner of uTorrent shows a green check mark. Whatever that means... This icon used to indicate that the port is open. At least that was the case in uTorrent version 1.6 or so. But now, if I click that icon I get to the port testing dialog, as usual, and if I do the port test I get a yellow check mark and a statement saying that the selected port is closed. Now what do you make of this? At the very best it's an ambiguous and inconclusive result. If that tells us anything at all...
I don't know why it didn't work the first time. Looking back at it now, I see that I have done everything correctly. Perhaps I forgot to click the right buttons to get the changes properly registered with the router. There is sort of a 'sequence' you have to go through. You first add the lines for port forwarding, then add the information, click Save once or twice, then Apply Settings, and then reboot. It's like a ritual.
Samir
2 Answers
Automatic - UPnP Service
You can forward the port using UPnP Service (see update 1 and 2 above). This is not really what I want, since I only need to forward a single port (OK, two ports at most). But I'll post a small step by step guide here in case someone else finds it useful.
In uTorrent..
1. Open uTorrent.
2. Go to Options, then Preferences, and click Connection.
3. Make sure Enable UPnP port mapping is enabled.
4. Make sure Enable NAT-PMP port mapping is enabled.
5. Make sure Add Windows Firewall exception is enabled.
6. Make sure Randomize port each start is disabled.
7. Note down the port number (i.e. 31090) and click OK.
In DD-WRT settings..
1. Open the DD-WRT interface (in my case 192.168.0.1) in a web browser.
2. Navigate to NAT/QoS, UPnP.
3. Set UPnP Service and Clear port forwards at startup to Enable and click Apply Settings.
4. Navigate to Administration, Management, and click on Reboot Router.
Start uTorrent and wait a few minutes. If you have the NAT page open in the router interface you will see when the uTorrent port is successfully forwarded. You can then try running the port test in uTorrent.
(Edit: The built-in port tester in uTorrent is not reliable, as we have concluded above. Use an external resource like a web based port tester, such as yougetsignal.com.)
Manual - Port Forwarding
Follow the steps above for uTorrent. Then continue with the steps below.
In DD-WRT settings..
1. Open the DD-WRT interface in a web browser.
2. Navigate to NAT/QoS, UPnP and make sure the UPnP Service is set to Disable.
3. Click on Save, and then Apply Settings.
4. Navigate to NAT/QoS, UPnP, Port Forwarding.
5. Click on Add button to add a new empty line.
6. Type in a name for the rule under Application. This can be anything.
7. Select TCP or UDP as Protocol, or select Both.
8. Leave the Source Net field blank (unless you have a reason not to).
9. Type the port you want to open in the Port from field (remote port).
10. Enter the IP Address of the computer you want to forward traffic to.
11. Type the port you want to use on the target machine (local port). You can use the same port.
12. Check the Enable box and click Save.
13. If you need to open more than one port, repeat steps 5 - 12, otherwise go to the next step.
14. Click on Apply Settings.
15. When you're done adding new ports, navigate to Administration, Management and click on Reboot router.
Samir
Are these settings correct?
Yes, they definitely are. You must be sure that the two PCs you're connecting are at those exact addresses, i.e. you didn't accidentally reverse their IPs, and they are either static IPs, or their MACs are hardcoded in the DHCP server configuration. This is to ensure they don't change.
uTorrent should have already configured the Windows firewall as needed (both Port and Application entries).
And is there another way to check if the port is in fact being forwarded to get a second opinion?
You can test this using a program such as netcat for Windows, connecting to TCP port 31090 on 192.168.0.103 from 192.168.0.104 and then repeating in the other direction. If the connection succeeds, then the PCs are configured correctly (it is possible that a firewall setting allows connecting from the intranet but not from the internet, thus rendering inter-computer testing meaningless; however, I consider this possibility as remote). You can also use winpcap (www.winpcap.org) while you run the uTorrent check, to verify that indeed UDP and TCP packages are being sent to the PC (you'll run both uTorrent and winpcap from the same PC you're testing). If you don't see incoming packets, either there's a problem on the DD-WRT (their page says such might be fixed by hard resetting), or your ISP is filtering uTorrent traffic, or the testing site isn't functioning properly. You can verify the filtering hypothesis by having your own machine portscanned.
LSerni
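A second opinion on the forward that does not rely on the torrent client's built-in tester, as an added example in Python (not part of either answer above). Close uTorrent so the port is free, run the listener on the forwarded port (31090 is the port from the question), then trigger a single connection from outside: a web-based port tester, or a phone on mobile data. The source address that shows up tells you what was actually exercised: a connection from an Internet address went through the router's NAT rule, while one from a LAN address, as in the netcat check above, only shows that the host accepts connections. The `tcp_port_open()` helper is the client side of the same check for use from another machine.

```python
"""Listen on the forwarded port and report where each connection came from.

Added example, not part of either answer. Usage: python probe.py 31090
(port defaults to 31090, the one used in the question)."""
import ipaddress
import socket
import sys


def classify_peer(ip: str) -> str:
    """What a connection from this source address proves about the forward."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback: local test only"
    if addr.is_private:
        return "LAN: host firewall open, router forward untested"
    return "Internet: router forward works"


def open_listener(port: int, host: str = "0.0.0.0") -> socket.socket:
    """Bind the forwarded port; port 0 lets the OS pick one (used by tests)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(5)
    return sock


def accept_peers(sock: socket.socket, count: int = 1,
                 timeout: float = 120.0) -> list:
    """Accept up to `count` connections and return the peer addresses seen.
    Stops early when nothing arrives within `timeout` seconds."""
    seen = []
    sock.settimeout(timeout)
    for _ in range(count):
        try:
            conn, (peer_ip, _) = sock.accept()
        except socket.timeout:
            break
        conn.close()  # we only care who connected, not what they send
        seen.append(peer_ip)
    return seen


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Client side: can a TCP connection to host:port be completed?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 31090
    with open_listener(port) as listener:
        print(f"listening on TCP {port}; run an external port test now")
        for ip in accept_peers(listener, count=3):
            print(f"connection from {ip}: {classify_peer(ip)}")
```

Run `tcp_port_open()` against the router's public address from a machine on the LAN with care: many consumer routers do not hairpin NAT, so a "closed" result from inside says nothing about what an outside host sees, which is the same reason the classification above treats private source addresses as inconclusive.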