UPnP Service disabled by default

Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware
Author Message
ahtoh
DD-WRT Novice


Joined: 09 May 2015
Posts: 17

PostPosted: Mon Jun 15, 2015 5:45    Post subject: UPnP Service disabled by default Reply with quote
Hi,
I discovered today that UPnP Service is disabled by default.
This is kind of wrong. UPnP is essential feature for any router and has to be enabled by default.

I'm wondering if there any other settings that I should enable/change after flashing to dd-wrt?
Sponsor
MDA400
DD-WRT User


Joined: 10 Jan 2015
Posts: 270
Location: Minnesota

PostPosted: Mon Jun 15, 2015 9:28    Post subject: Reply with quote
Its not "essential" and unless you have programs you know rely on UPnP, there are security risks involved as a program can masquerade itself over a UPnP port and gain control of your network.

DD-wrt's implementation is certainly more secure than outdated mini-UPnP versions, but treat it as a bouncer in front of your night club. Its only good till its compromised.

Port forwarding is generally safer, but if you need multiple devices on the same port (Xbox live for instance) then it is necessary. For those reasons, its better disabled by default.
cdmarshall
DD-WRT User


Joined: 09 Jul 2014
Posts: 308

PostPosted: Mon Jun 15, 2015 14:39    Post subject: Reply with quote
UPnP is also a security Risk so those of us security minded don't use it at all and port forward to specific devices when needed. There are limited (although important) reasons to enable UPnP Thus the default is off and if you have on of those specific needs or security of your network is not a huge concern then you can turn it on.
_________________
EA-6900
Asus 68U
ahtoh
DD-WRT Novice


Joined: 09 May 2015
Posts: 17

PostPosted: Mon Jun 15, 2015 15:32    Post subject: Reply with quote
Can you please elaborate a bit on the security concern?
My understanding is it's just a port forwarder and it is operated only from internal network, so you cant trigger an open port from outside, right?
cdmarshall
DD-WRT User


Joined: 09 Jul 2014
Posts: 308

PostPosted: Mon Jun 15, 2015 15:41    Post subject: Reply with quote
The security concern is if you get a virus it can request any port and request the data be sent to it over that port forwarded by the firewall automatically. thus giving them easy access. the other issue is poorly written software ( there is a lot) that can request UPnP and can easily be hacked.
_________________
EA-6900
Asus 68U
ahtoh
DD-WRT Novice


Joined: 09 May 2015
Posts: 17

PostPosted: Mon Jun 15, 2015 23:42    Post subject: Reply with quote
Is it hypothetical only or based on some statistics?
Don't you think it's wrong way to protect from viruses?
I doubt there will be significant difference once you get a virus in the first place.
In other words, you're closing 1% while having 99% of the hole open.
MrDoh
DD-WRT Guru


Joined: 04 Dec 2012
Posts: 647

PostPosted: Tue Jun 16, 2015 1:10    Post subject: Reply with quote
I'm very happy that UPnP is off by default. First thing that I turn off it's on by default. You can read about why on the internet. Try googling "UNnP risky?" and read some of the results that you get.
JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

PostPosted: Tue Jun 16, 2015 4:02    Post subject: Reply with quote
To be perfectly honest, just like the ping of death exploit a number of years ago led to an ingrained and irrational fear whereby most people disable wan originating pings, two exploits in some upnp implementations a few years back has created a fear over the use of upnp.

The first exploit involved win xp and the second involved a number of routers allowing wan side port control. The win xp exploit was addressed and the second does not affect ddwrt. http://www.kb.cert.org/vuls/id/922681

Beyond these concerns people always bring up the possibility of an infected computer being allowed to open ports and a possible flash exploit. If your computer is already infected then honestly disabling upnp is too little too late. As for the flash exploit I have not heard of any real world or lab cases in years. Go ahead and Google upnp exploits and see if you can find anything current.

So personally I have no reservations about enabling wan side pings or upnp but you will have to decide for yourself
cdmarshall
DD-WRT User


Joined: 09 Jul 2014
Posts: 308

PostPosted: Tue Jun 16, 2015 13:20    Post subject: Reply with quote
Like I said some dont some do I use it when I need to and dont when Port forwards work. Like I tell people all the time its all about risk mitigation. You always take risks just dont take ones you dont need to.
_________________
EA-6900
Asus 68U
MrDoh
DD-WRT Guru


Joined: 04 Dec 2012
Posts: 647

PostPosted: Tue Jun 16, 2015 17:13    Post subject: Reply with quote
Given that some people use it and some don't need it, I think that off by default is the right choice. As JAMESMTL said, you can turn it on if you want it for configuration reasons. As it is, I always look at it after flashing to make sure that it hasn't gotten flipped on somehow by the flashing process. So I could as easily turn it off as on. Since it's off by default, and if I forget to look, chances are really high it will be off, eliminating a risk I don't need.
ahtoh
DD-WRT Novice


Joined: 09 May 2015
Posts: 17

PostPosted: Tue Jun 16, 2015 17:16    Post subject: Reply with quote
cdmarshall wrote:
Like I said some dont some do I use it when I need to and dont when Port forwards work. Like I tell people all the time its all about risk mitigation. You always take risks just dont take ones you dont need to.


You better disconnect your modem now, there is a risk out there!
It's about risk mitigation!
p.s. What you're going to do when ipv6 rolls out?
cdmarshall
DD-WRT User


Joined: 09 Jul 2014
Posts: 308

PostPosted: Tue Jun 16, 2015 17:38    Post subject: Reply with quote
You seemed to miss parts of my statement "I use it when I need to and dont when Port forwards work" you never get rid of all the risks you have to way the pros and the cons. UPnp has its issues so I only use it when it is needed. Just like I would not connect to the internet without a firewall. You need to be on the net but you should do what you can to limit the risk while still getting done what you need to.
_________________
EA-6900
Asus 68U
MrDoh
DD-WRT Guru


Joined: 04 Dec 2012
Posts: 647

PostPosted: Tue Jun 16, 2015 20:46    Post subject: Reply with quote
cdmarshall wrote:
You seemed to miss parts of my statement "I use it when I need to and dont when Port forwards work" you never get rid of all the risks you have to way the pros and the cons. UPnp has its issues so I only use it when it is needed. Just like I would not connect to the internet without a firewall. You need to be on the net but you should do what you can to limit the risk while still getting done what you need to.


I understand. I'm not arguing that UPnP should be removed, just that it shouldn't be on by default, that's all. Go ahead and turn it on and use it. I don't need to at this time, so for me having it default to off is the right choice. And if it's something that you use when port forwards don't work, for me that also points toward having it off by default, and turning it on if port forwarding isn't working for some reason.

Wasn't the original question whether it should be on by default? That's what I'm reacting to, not whether the individual who needs it should use it or not.

I must be missing a bunch here. Sorry.
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum