Nintendo’s weird Online requirements for Splatoon 3 have infosec folks scratching their heads
Twitter user, gamer and US Navy veteran TarZangief has noticed a strange set of requirements to play Splatoon 3 (actually, all Switch games) online: Nintendo’s official page recommends that you forward UDP ports 1 to 65535 in order to play Splatoon 3 online. Knowing that most games require at most 1 or 2 ports open for online gaming, that’s of course ludicrous, funny, but also potentially dangerous.
Please make my Switch a DMZ
Port forwarding is a way to tell your network and your firewall that a specific entry point on your local machine (in this case the Switch) can be accessed from the outside world. It’s sometimes required for specific applications (including some online games), but technically it means people on the internet can reach the machine remotely. It’s a necessary evil for doing stuff online, but the fewer ports are open, the better.
Opening 65535 ports is neither required, nor good advice in order to play Splatoon 3. “Why unlock all your doors and windows in your home when the delivery guy just needs the garage open to leave a package?”, TarZangief said to website TheGamer.

Beyond the security risk, this could also be super inconvenient, as it means your router would send all external requests to your Switch. This would potentially prevent you from playing games on other devices that also need port forwarding.
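The conflict described above can be checked mechanically on any list of forwarding rules. The following is an added example, not code from the article or from Nintendo: it models a router's rule table with a made-up `Forward` record (the addresses, labels and the PC and NAS ports are constructed) and reports which rules collide and how many external ports are left for other devices.

```python
from dataclasses import dataclass

MAX_PORT = 65535  # ports 1..65535, the range on Nintendo's support page

@dataclass(frozen=True)
class Forward:
    proto: str    # "udp" or "tcp"
    start: int    # first external port
    end: int      # last external port, inclusive
    target: str   # LAN host that receives the traffic
    label: str

def conflicts(rules):
    """Pairs of rules that claim the same external port for different hosts."""
    out = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            overlap = a.start <= b.end and b.start <= a.end
            if a.proto == b.proto and overlap and a.target != b.target:
                lo, hi = max(a.start, b.start), min(a.end, b.end)
                out.append((a.label, b.label, a.proto, lo, hi))
    return out

def free_ports(rules, proto):
    """How many external ports of this protocol are still unclaimed."""
    spans = sorted((r.start, r.end) for r in rules if r.proto == proto)
    claimed, cursor = 0, 0  # cursor = highest port already counted
    for start, end in spans:
        start = max(start, cursor + 1)  # skip ports an earlier span covered
        if start <= end:
            claimed += end - start + 1
            cursor = end
    return MAX_PORT - claimed

def broad_rules(rules, threshold=100):
    """Labels of rules that expose at least `threshold` ports on one host."""
    return [r.label for r in rules if r.end - r.start + 1 >= threshold]

# Constructed sample table (hypothetical hosts and labels).
RULES = [
    Forward("udp", 1, 65535, "192.168.1.50", "switch-all-udp"),
    Forward("udp", 27015, 27015, "192.168.1.20", "pc-game"),
    Forward("tcp", 443, 443, "192.168.1.10", "nas-https"),
]

if __name__ == "__main__":
    for a, b, proto, lo, hi in conflicts(RULES):
        print(f"conflict: {a} vs {b} on {proto} {lo}-{hi}")
    print("broad rules:", broad_rules(RULES))
    print("free udp ports:", free_ports(RULES, "udp"))
```

With the all-UDP rule in place, no UDP port remains for any other device; the TCP rule is unaffected because the recommendation only covers UDP.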
In practice, modern routers don’t need manual port forwarding, and instead use UPnP, a service that lets each device request specific port forwards from the router. If your router has that option, it is recommended, rather than opening all ports.
The question remains which UDP ports Splatoon 3 actually uses, and it is still up in the air. There are connectivity issues with Splatoon 3 (which might have been fixed with the latest update), but forwarding all of your ports to the Switch isn’t going to solve them.
Although the mistake was pointed out 5 days ago, it is still out there on Nintendo’s official site. Some people note Nintendo has been giving this stupid recommendation for at least 10 years.

Source: TarZangief

Please DO NOT enable upnp…
Any app can request a port forward, even evil ones… so just use a (Charles web) proxy to check what ports a game needs. Disable UPnP, or better yet pester those devs to make a decent game…
UPNP a “recommended option” for “modern routers” lmao
No, the recommended option is to figure out how to forward ports for your router correctly. In practice you can DMZ your consoles as nobody seems to think attacking them is worth it, but who knows how long that will hold true.
UPNP is the second worst thing you can do for security, behind forwarding all UDP ports to one IP. You can google UPNP and maybe put some effort into your article next time.
This is not a requirement. It’s a troubleshooting workaround for crappy routers that do not support UDP Hole Punching.
A DMZ wouldn’t make this better (probably worse, in fact), and there is no other workaround possible if your router cannot punch holes.
As someone that does network and security consulting, you should NEVER even enable UPNP as this lets applications open random ports into your home network and you then never know what garbage is opening your front door to your house, real applications, Chinese spyware, or somewhere in between. UPNP has also been highly exploitable over time if you search upnp security, it’s simply never good.
The fact that Nintendo puts this as a “solution” shows they have no one with any frigging clue regarding network or security. They should be sued for liability in telling people to do this. As you said it’s like telling people to never lock the doors to their house.
UNLESS the Switch hosts internet accessible multiplayer games locally, “port forwarding”, UPNP, and “opening” incoming ports have nothing to do with online multiplayer games.
As long as devices can talk out to the internet TO a specific port and IP (i.e. there are no outbound restrictions on the firewall), and establish a connection, the router/firewall will “remember” that connection was established and the client (Splatoon, or a web browser on a laptop) and the server (multiplayer server or web server) will negotiate a new port to talk on. Since the connection is established, the routing will work without UPNP or port forwarding being involved.
Just like when you are browsing the web, you don’t need to forward port 80 to your web browser – the web browser connects OUT to the web server’s port 80, and connection is established, a new port is negotiated (to free up port 80 for other incoming requests from other people’s web browsers) and the client asks for the data and the server sends it back, then the connection is closed. With Splatoon, the “client asks for the data and the server sends it back” conversation should last an entire game rather than the 5 – 30 seconds it takes to download a web page’s data.
UPNP, in the context of NAT traversal, merely allows a device or software to ask the firewall to forward any future as-yet-unknown incoming communications on a specific port to itself, and would only be needed if the switch itself was to host the multiplayer game.
“UNLESS the switch hosts internet accessible multiplayer games locally”
The Switch hosts Internet accessible multiplayer games locally. Nintendo is all about P2P networking game hosting, even for games like Splatoon 2 (https://oatmealdome.me/blog/splatoon-2s-netcode-an-in-depth-look/). Which means they’re especially affected by inbound connectivity issues.
Unfortunately, UPnP is an unmitigated disaster, and Nintendo would be rightfully burnt at the stake for suggesting users enable that. So forwarding all UDP ports is their next best option; the Switch doesn’t have a bunch of network-accessible services listening on ports, so other than consuming all of your UDP ports, it’s not a significant risk (so long as it remains pointed at the Switch).
Though emphasis on the “next best” description rather than “good”. It’s still a poor solution from a usability standpoint. Nintendo should be relying on STUN and other UDP hole punching techniques. There are virtually no scenarios where manually forwarding UDP ports in a router will work, but STUN will fail.
Smart people do what Nintendont.
Nintendo does what smart people fail to do
Like stupid *** like this?
pffft UPNP is fine for home networking, what’s the worst that can happen?
What a *** world, where you need to secure yourself from others..
>> what’s the worst that can happen?
Some *** gadget randomly port forwards every port on your firewall through to some generally insecurish host, because if a product is stupid enough to use UPNP, it’s stupid enough to do something like Nintendo is proposing too.
Do you trust some *** Chinese *** gadget to properly admin your firewall? I certainly don’t.
Opening all ports on your switch is only a concern if you have some critical service running on your switch — (eg like open FTP, SSH, without any authentication or something like that)
… which, you do not.