!IMPORTANT: Disabling UPnP on the router will disrupt Gaming and Voice Chat that rely on Peer-to-Peer hosting or VoIP programs unless firewall rules are created manually. These instructions do not address the Synology Media Server, which may require different settings.
Resolving a UPnP issue requires disabling UPnP on the router. These changes may be inconvenient because disabling UPnP may require creating firewall rules to permit communication between existing devices, if they do not already exist. Additionally, when adding new devices to the network, rules must be created manually to grant access. However, this inconvenience is well worth the security benefits.
Window11 upgrades have tightened security making mapping NAS drives difficult, but there have been few UPnP security changes. When UPnP is enabled adding new network devices is easy but unfortunately comes with some serious security risks.
- Bypassed Firewalls: UPnP acts like a valet for your router, allowing any connected device to poke holes in your defenses so incoming internet traffic can reach it.
- Malware and Botnet Infections: Attackers frequently scan the internet for open UPnP ports to hijack smart home devices (like webcams and printers), effectively turning them into massive botnets to launch DDoS attacks.
- No Authentication: The protocol blindly trusts any device requesting changes, meaning a single piece of malicious software running on a PC inside your network can freely expose internal files or systems to the outside world.
- Historical Exploits: The protocol has been central to infamous, large-scale cyber incidents such as the 2016 Mirai Botnet attack and the CallStranger vulnerability.
To disable UnpN on a Synology router:
- Login to the router
- Goto NetWork Center
- Select local Network
- Click on the Primary Network
- Select the Edit tab
- In the pop up window select the Advanced tab
- Uncheck Enable UPnP
- Click the OK Button
- Repeat this procedure for each network
If you DO NOT have a Synology router UPnP can be disabled by logging in the the router with a browser using the internet interface. The UPnP setting is usually located in the advanced setup section. Uncheck the Enable UPnP box, apply or save the change and ensure the router restarts.
OPTIONAL: Protecting Windows Devices
Windows PCs and laptops can be protected by disabling SSDP and UPnP, when connecting to an unprotected network, i.e. hot spots, that have these features enabled. This prevents malicious software and unauthorized devices from automatically opening network ports, effectively closing a major backdoor that hackers use to infiltrate systems and bypass router firewalls
Disabling these features may also boost performance because it prevents malware or poorly written software from initiating calls to open ports. These features can be re-enabled if you find there is no benefit and the device is always on the same network.
To Begin. press the Windows key + the R Key
Enter services.msc
Scroll down to SSDP Discovery
Double click SSDP Discovery
From the pull down menu click Startup Type window and select disabled
Then click Ok
Scroll down to UPnP Device Host
Double click UPnP Device Host
From the pull down menu click Startup Type window and select disabled
Then click Ok
Please ensure devices reboot after making changes.