Universal Plug and Play (UPnP) first pronounced by Microsoft in 1999 should make device-to-device networking easy for consumer electronics, mobile devices, personal computers and networked home appliances. This text comes from Wikipedia and describes the situation best - HOME APPLIANCES!
I won't start a flamewar but just to be clear don't use it if you don't know what your devices does for its security. It could be handy if your playstation or tv says hello I'm here with open standard talk to me your configuration is done by me you don't need to care. But your surveillance camera must not open ports on your DSL modem by default. There are many research teams in the "wild" world scanning just for these devices on public internet and the result is frightening.
One of my friends told me that he bought new cam on Internet from china. He plugged and played with his new cam and installed the software to see his garden. What he have seen is a Chinese family sitting in the dining room having lunch. Fun fact their cam had a loud speaker - this was not fun for them. The issue was activated UPnP on their router and admin/12345 unchanged.
I do not blame the enduser but i see the failure in the standard modem configuration of the provider. An internet service provider has a bunch of intelligent workers which do know best security standards but the focus is not on customer - shame on them!
Get your public IP
Just open a web browser and go to http://checkip.dyndns.org . This is your public IP of your home router!
Connect to an outer host
Not everybody has a vps so you could route your device through tor but "tor-browser" is not enough all traffic needs to go through the tunnel
Do a PortScan
Start the nmap scan and watch the result
nmap -T4 -A -v <public_ip_address>
All to complicated
Just take your public IP and try an online port scanner like http://www.dnstools.ch/port-scanner.html
Why the hack is web server behind my IP? Ah my camera wants to go public!
Starting Nmap 7.80 ( nmap.org ) at 2019-11-06 22:53 CET
Nmap scan report for <public_hostname> (<public_ip_address>)
Host is up (0.034s latency).
Not shown: 97 filtered ports
PORT STATE SERVICE
80/tcp open http
554/tcp open rtsp
8000/tcp open http-alt
Nmap done: 1 IP address (1 host up) scanned in 1.80 seconds
By the way my brother was so happy that this cam ran out of the box and the password was so easy to remember.
There is a situation you want your camera online and your password is safe and 16 char long. Anyway it is still not a good Idea to have UPnP on and the camera available on public. Most black-hat groups do have a huge amount of bots scanning the web for surveillance cameras - because they are often a big security risk. So even if your CAM is safe you will see a huge traffic on your modem - these guys are brute forcing your password and you are angry because your Internet is so slow.
Just configure a openvpn tunnel with dyndns name behind your firewall - every good cellphone which can run your camera software can definitely tunnel your traffic through a tunnel!