I pulled the UPnP dataset provided by Rapid7 from the scans.io "Internet-Wide Scan Data Repository". The download was 1GB compressed and 14GB once uncompressed. My intent in analyzing this data is to identify the number of IP addresses that respond to the UPnP scan and then identify which internet service providers have the largest concentration of the vulnerable devices.
Below is the first command I used to parse out the IP address of each responding device (the address is the second comma-separated field):
cat 20150420-upnp-1900.csv | awk -F "," '{print $2}' > ipAddr.raw
I then found that some hosts responded multiple times to the UPnP request, so I sorted the IP addresses and wrote only the unique addresses back to a file with the following command:
cat ipAddr.raw | sort | uniq > sorted_ipAddr.raw
From that file I derived the following number of distinct IP addresses that responded to the UPnP scan:
2,991,548
Wow! Next I stripped the last octet from each address, sorted the result, and counted the occurrences of each prefix, as if a 255.255.255.0 subnet mask had been applied to determine the network address. This produced the list below. Each entry gives the count of addresses, the first three octets of the IP address, the country where the addresses are located, and the name of the ISP. Where an ISP appeared with multiple subnets I collapsed them into a single entry and summed the number of hosts observed.
786* - 83.164.x.x - Austria - lagis Internet Serviceprovider
254* - 183.252.52.x - China - China Mobile Communications Corporation
3,143* - 91.126..x - Spain - Adamo Telecom Iberia S.A.
911* - 173.241.64-79.x - Mississippi, US - neXband Communications. Inc.
1,289* - 109.111.248-255.x - Serbia - Orion Telekom , CDMA Users
11,371* - 5.246-247.x.x - Saudi Arabia - Broadband IP Range
203* - 201.254.88.x - Argentina - Telefonica de Argentina
203 - 190.177.83.x - Argentina - Telefonica de Argentina
202 - 190.177.67.x - Argentina - Telefonica de Argentina
195 - 89.29.238.x - Spain - TV ALMANSA, Servicios de Comunicacion
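The same dedup-and-aggregate analysis in Python, as an added example that is not part of the original post: it reads the IP column of a CSV, drops duplicate and malformed rows, and counts responders per network for any prefix length, so the /24 grouping above and a /15 grouping (the size of the 5.246-247 range) come from one function. The sample rows are constructed and only the second column matters; they are not taken from the Rapid7 dataset.

```python
import csv
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample rows in the shape the post relies on (IP in the second
# column); the values are invented, not taken from the Rapid7 dataset.
# 5.246.10.4 answers twice, as some hosts did in the real scan.
SAMPLE_ROWS = """ts,ip,port,data
1429488000,5.246.10.4,1900,x
1429488001,5.246.10.4,1900,x
1429488002,5.246.10.9,1900,x
1429488003,5.247.200.1,1900,x
1429488004,83.164.7.20,1900,x
1429488005,83.164.7.21,1900,x
1429488006,not-an-ip,1900,x
"""

def unique_responders(lines, ip_column=1):
    """Set of distinct, valid IPv4 addresses in the given CSV column.
    Equivalent to awk '{print $2}' | sort | uniq, except that a header
    row or a malformed field is skipped instead of being counted."""
    seen = set()
    for row in csv.reader(lines):
        if len(row) <= ip_column:
            continue
        try:
            addr = ip_address(row[ip_column].strip())
        except ValueError:
            continue  # header line or garbage in the IP field
        if addr.version == 4:
            seen.add(addr)
    return seen

def count_by_prefix(addresses, prefix_len=24):
    """Count responders per network after masking each address to
    prefix_len bits; 24 reproduces the post's 255.255.255.0 grouping."""
    counts = Counter()
    for addr in addresses:
        net = ip_network(f"{addr}/{prefix_len}", strict=False)
        counts[str(net)] += 1
    return counts

def top_networks(counts, n=10):
    """Most populated networks first, ties broken by network address."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

if __name__ == "__main__":
    ips = unique_responders(SAMPLE_ROWS.splitlines())
    print(len(ips), "unique responders")
    for prefix in (24, 15):
        print(f"/{prefix}:", top_networks(count_by_prefix(ips, prefix)))
```

Run it against the real file with `unique_responders(open("20150420-upnp-1900.csv"))` to get the same figure as the sort/uniq pipeline, and raise `prefix_len` when an ISP's allocation is larger than a /24.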
The number of devices that respond to the UPnP probe on a given service provider's network is interesting, especially for the Saudi Arabia range, which spans 5.246.0.1 - 5.247.255.255.
I wanted to take a closer look to see whether these devices all appeared to be the same. To do this I went back to the FTP dataset I had pulled down and searched for the network address "5.246.*". The screenshot below shows that each device has an FTP server running bftpd 2.2.
I was also curious when bftpd 2.2 was released. Their website states that the latest version is 4.4 and that the 2.2 release was made on March 21, 2008. The FTP software is hosted on SourceForge as an open source project.
I could not find a release of version 2.2 on SourceForge. I also found an exploit that could cause a denial of service on the router.
In my opinion the ISP should fix the vulnerability of UPnP being exposed to the internet, at least on devices the ISP itself issues.
HD Moore said, “If the attacker is able to compromise the device using the UPnP discovery or SOAP services, they would be able to steal data, sniff traffic, and target other systems on the network. In the case of home routers, they would be able to force users accessing the internet to visit a page laden with malware instead of their real destination.”
Read more at http://www.techweekeurope.co.uk/workspace/how-attackers-will-exploit-upnp-105868#pP8k589IKCUVERb8.99
Twitter: @lokut
This blog is for educational purposes only. The opinions expressed in this blog are my own and do not reflect the views of my employers.