said by Juggernaut:
This is why this thread is discussing turning off UPnP. Both on a machine (LAN), and in the router (WAN). Those are the main vectors of vulnerability, right?
There's several layers of problems here. 1) uPnP has no intended function to EVER be on a router's WAN. Never! Makes no sense. Yet by something right out of a horror flick - it is! And by the millions. 2) These uPnP routers are also full of vulnerable code, much of which has been known for some time but never patched.
I'm not worried about my personal case. My compiled OpenWrt has no sign of any uPnP module, never has, and never will. BETTER than turning it off is not having it in the first place.
EDIT: Sorry, I think at least one of us (me) got confused in terminology.
The router's LAN responds to uPnP client requests and includes all sorts of functions. uPnP Clients such as XBox, TVs, Windows machines, etc. control the router this way. This LAN part of the router was never intended to be on the WAN of that same router... yet has been found there by the millions.