Originally discovered in December 2019 by Yunus Çadirci, CallStranger is a vulnerability in the Universal Plug and Play (UPnP) protocol that uses a modified UPnP SUBSCRIBE request to make UPnP devices send their responses to a remote target. Because UPnP has very little authentication or verification of requests, attackers can set an arbitrary remote address in the request headers. A UPnP device that receives such a request sends its response to that remote address instead of back to the attacker. The response can be significantly larger than the request, which makes this vulnerability likely to be used for traffic amplification in Distributed Denial of Service (DDoS) attacks. The attacker only has to send a small amount of network traffic to cause a much larger volume of traffic to be sent to the intended victim, potentially overwhelming the target’s ability to process the incoming traffic.
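The missing verification described above can be expressed as a check that a device or an inspecting proxy applies to each SUBSCRIBE request before accepting it. This is an added example, not code from the original page or from any UPnP stack. It assumes the delivery address is carried in the `CALLBACK` header of the UPnP eventing (GENA) request, and the policy, function names and sample requests are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed policy: event callbacks may only target RFC 1918 or link-local hosts.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Constructed sample requests (not captured traffic); 203.0.113.0/24 is a documentation range.
BENIGN = (
    "SUBSCRIBE /upnp/event/service1 HTTP/1.1\r\n"
    "HOST: 192.168.1.1:49152\r\n"
    "CALLBACK: <http://192.168.1.20:8080/notify>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-1800\r\n\r\n"
)
SUSPICIOUS = BENIGN.replace("192.168.1.20:8080", "203.0.113.7:80")

def callback_urls(raw_request):
    """Return the delivery URLs listed in the CALLBACK header of a SUBSCRIBE request."""
    head = raw_request.split("\r\n\r\n", 1)[0].split("\r\n")
    if not head[0].upper().startswith("SUBSCRIBE "):
        return []
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().upper() == "CALLBACK":
            return re.findall(r"<([^<>]+)>", value)
    return []

def check_subscribe(raw_request, source_ip):
    """Return the reasons to reject a subscription; an empty list means accept."""
    src = ipaddress.ip_address(source_ip)
    urls = callback_urls(raw_request)
    reasons = [] if urls else ["no callback URL"]
    for url in urls:
        host = urlsplit(url).hostname or ""
        try:
            dest = ipaddress.ip_address(host)
        except ValueError:
            reasons.append(f"{url}: callback host is not an IP literal")
            continue
        if dest != src:
            reasons.append(f"{url}: callback host differs from requester {src}")
        if not any(dest in net for net in LAN_NETS):
            reasons.append(f"{url}: callback host is outside the local network")
    return reasons
```

The same function can be run over SUBSCRIBE requests recovered from a packet capture to flag subscriptions whose callback points away from the requester.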