Nintendo’s weird Online requirements for Splatoon 3 have infosec folks scratching their heads

13 Responses

  1. Xtremegamer says:

    Please DO NOT enable upnp…
    Any app can request a port forward, even evil ones… so just use a (Charles web) proxy to check what ports a game needs. Disable UPnP, or better yet pester those devs to make a decent game…

  2. GuardingNobody says:

    UPNP a “recommended option” for “modern routers” lmao

    No, the recommended option is to figure out how to forward ports for your router correctly. In practice you can DMZ your consoles as nobody seems to think attacking them is worth it, but who knows how long that will hold true.

    UPNP is the second worst thing you can do for security, behind forwarding all UDP ports to one IP. You can google UPNP and maybe put some effort into your article next time.

  3. Roobre says:

    This is not a requirement. It’s a troubleshooting workaround for crappy routers that do not support UDP Hole Punching.
    A DMZ wouldn’t make this better (probably worse, in fact), and there is no other workaround possible if your router cannot punch holes.

  4. mikus says:

    As someone who does network and security consulting, you should NEVER even enable UPnP, as this lets applications open random ports into your home network and you then never know what garbage is opening your front door to your house: real applications, Chinese spyware, or somewhere in between. UPnP has also been highly exploitable over time; if you search “upnp security”, it’s simply never good.

    The fact that Nintendo puts this as a “solution” shows they have no one with any frigging clue regarding network or security. They should be sued for liability in telling people to do this. As you said, it’s like telling people to never lock the doors to their house.

  5. Jake says:

    UNLESS the Switch hosts internet-accessible multiplayer games locally, “port forwarding”, UPnP, and “opening” incoming ports have nothing to do with online multiplayer games.

    As long as devices can talk out to the internet TO a specific port and IP (i.e. there are no outbound restrictions on the firewall) and establish a connection, the router/firewall will “remember” that the connection was established, and the client (Splatoon, or a web browser on a laptop) and the server (multiplayer server or web server) will negotiate new ports to talk on. Since the connection is established, the routing will work without UPnP or port forwarding being involved.

    Just like when you are browsing the web, you don’t need to forward port 80 to your web browser – the web browser connects OUT to the web server’s port 80, a connection is established, a new port is negotiated (to free up port 80 for other incoming requests from other people’s web browsers), the client asks for the data and the server sends it back, then the connection is closed. With Splatoon, the “client asks for the data and the server sends it back” conversation should last an entire game rather than the 5 – 30 seconds it takes to download a web page’s data.

    UPnP, in the context of NAT traversal, merely allows a device or software to ask the firewall to forward any future, as-yet-unknown incoming communications on a specific port to itself, and would only be needed if the Switch itself were to host the multiplayer game.

    • Nemes says:

      “UNLESS the switch hosts internet accessible multiplayer games locally”

      The Switch hosts Internet-accessible multiplayer games locally. Nintendo is all about P2P networking game hosting, even for games like Splatoon 2 (https://oatmealdome.me/blog/splatoon-2s-netcode-an-in-depth-look/). Which means they’re especially affected by inbound connectivity issues.

      Unfortunately, UPnP is an unmitigated disaster, and Nintendo would be rightfully burnt at the stake for suggesting users enable that. So forwarding all UDP ports is their next best option; the Switch doesn’t have a bunch of network-accessible services listening on ports, so other than consuming all of your UDP ports, it’s not a significant risk (so long as it remains pointed at the Switch).

      Though emphasis on the “next best” description rather than “good”. It’s still a poor solution from a usability standpoint. Nintendo should be relying on STUN and other UDP hole punching techniques. There are virtually no scenarios where manually forwarding UDP ports in a router will work, but STUN will fail.
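Jake's outbound-connection explanation and Nemes' STUN/hole-punching point, modelled as an added Python example that is not part of the thread, Nintendo's code, or any router's firmware: a toy NAT state table showing why outbound-initiated traffic gets its replies back without UPnP, why an unsolicited inbound packet is dropped, why a manual forward lets it through, and why hole punching fails behind a symmetric NAT. The `Nat` class, `hole_punch` and every address in it are constructed for this illustration.

```python
# Toy model of a home router's NAT state table, added as an illustration of
# the points made above (not Nintendo's, the Switch's or any router's code).
# Endpoints are (ip, port) tuples; all addresses are constructed examples.
from dataclasses import dataclass, field


@dataclass
class Nat:
    public_ip: str
    symmetric: bool = False   # True: fresh public port per remote endpoint
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)  # (inside, remote|None) -> public port
    inbound: dict = field(default_factory=dict)   # public port -> inside endpoint
    static: set = field(default_factory=set)      # ports opened by manual forwarding/DMZ

    def outbound(self, inside, remote):
        """Inside host sends out; the router creates (or reuses) a translation."""
        key = (inside, remote if self.symmetric else None)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.inbound[self.next_port] = inside
            self.next_port += 1
        return (self.public_ip, self.mappings[key])

    def forward(self, public_port, inside):
        """Manual port forward (or DMZ): deliver to `inside` regardless of state."""
        self.inbound[public_port] = inside
        self.static.add(public_port)

    def deliver(self, remote, public_port):
        """Packet from `remote` arrives at our public port: inside endpoint or None."""
        inside = self.inbound.get(public_port)
        if inside is None:
            return None  # no connection state and no forward: dropped at the router
        if (self.symmetric and public_port not in self.static
                and self.mappings.get((inside, remote)) != public_port):
            return None  # symmetric NAT: only the remote that created the mapping
        return inside    # non-symmetric case behaves like a full-cone NAT


def hole_punch(nat_a, a, nat_b, b, stun=("198.51.100.1", 3478)):
    """STUN-style punch: both sides learn their public endpoint from a STUN
    server, swap them via matchmaking, then send to each other directly.
    Returns True if B's first packet reaches A's inside endpoint."""
    pub_a = nat_a.outbound(a, stun)
    pub_b = nat_b.outbound(b, stun)
    nat_a.outbound(a, pub_b)                 # A's punch opens A's NAT toward B
    seen_from_b = nat_b.outbound(b, pub_a)   # source that A's router sees from B
    return nat_a.deliver(seen_from_b, pub_a[1]) == a
```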

  6. Nick Crowe says:

    Smart people do what Nintendont.

  7. Jake says:

    pffft, UPnP is fine for home networking, what’s the worst that can happen?

  8. D says:

    What a *** world, where you need to secure yourself from others..

  9. mikus says:

    >> what’s the worst that can happen?

    Some *** gadget randomly port forwards every port on your firewall through to some generally insecurish host, because if a product is stupid enough to use UPnP, it’s stupid enough to do something like Nintendo is proposing too.

    Do you trust some *** Chinese *** gadget to properly admin your firewall? I certainly don’t.

  10. Li says:

    Opening all ports on your Switch is only a concern if you have some critical service running on your Switch (e.g. open FTP or SSH without any authentication, or something like that)

    … which, you do not.