I'd second that UPnP is the cause.
I don't have a detailed understanding of UPnP, but from what I understand about the way it works, I too would think it's probably the cause.
However....
there would be no open TCP port 20/21 through which
You don't need the port under attack to be open.
If you've got any inbound services open on perimeter devices, then you are at risk if vulnerabilities exist in their implementation (or your configuration of them) and you have failed to keep your patches up to date (assuming patches exist, of course).
There are some very innovative attack strategies out there that can make use of what might look, to the lay-person, like innocent services; for example ICMP (a.k.a. PING, TRACEROUTE, etc.). The average Joe might not know what can be done these days with such an innocent-sounding service allowed through firewalls.
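The thread points at UPnP as the likely reason an unexpected port is reachable from outside. The check a practitioner would want is to ask the gateway directly what mappings it currently holds. The script below is an added example written for this page, not code from any poster: it multicasts an SSDP M-SEARCH for the WANIPConnection service, reads the LOCATION of the device description, pulls the service's controlURL out of it, and then walks GetGenericPortMappingEntry from index 0 upwards until the gateway returns UPnP error 713 (SpecifiedArrayIndexInvalid), which is how an IGD signals the end of its mapping table. The SAMPLE_* strings and sample_fetch are constructed, not captured from a real device; they let the parsing and index walk run offline. Only the Python standard library is used.

```python
# Added example (not from the thread): list the port mappings a UPnP IGD has opened.
# SSDP M-SEARCH -> device description -> controlURL -> GetGenericPortMappingEntry(0..n)
# until the gateway answers UPnP error 713. Parsers are pure and run on the samples below.
import socket, urllib.error, urllib.parse, urllib.request
import xml.etree.ElementTree as ET

WANIP_ST = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

def parse_ssdp_response(raw):
    # Lower-cased headers of an "HTTP/1.1 200 OK" SSDP reply; {} for anything else.
    lines = raw.decode(errors="replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return {}
    return {k.strip().lower(): v.strip()
            for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}

def discover_location(timeout=2.0):
    # Multicast an SSDP M-SEARCH; return the LOCATION header of the first IGD reply.
    msg = ('M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: "ssdp:discover"\r\n'
           f"MX: 2\r\nST: {WANIP_ST}\r\n\r\n").encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(msg, ("239.255.255.250", 1900))
        try:
            return parse_ssdp_response(sock.recvfrom(65535)[0]).get("location", "")
        except socket.timeout:
            return ""

def control_url_from_description(xml_doc, base_url, st=WANIP_ST):
    # Absolute controlURL of the WANIPConnection service; "" if not advertised.
    for svc in ET.fromstring(xml_doc).iter():
        if svc.tag.rsplit("}", 1)[-1] != "service":   # strip ElementTree's {ns} prefix
            continue
        kids = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in svc}
        if kids.get("serviceType") == st and kids.get("controlURL"):
            return urllib.parse.urljoin(base_url, kids["controlURL"])
    return ""

def build_get_mapping_request(index, st=WANIP_ST):
    # SOAP body and headers for GetGenericPortMappingEntry(NewPortMappingIndex).
    body = (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{st}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>')
    return body.encode(), {"Content-Type": 'text/xml; charset="utf-8"',
                           "SOAPAction": f'"{st}#GetGenericPortMappingEntry"'}

def parse_mapping_response(xml_doc):
    # Mapping fields without their "New" prefix; None on error 713 (end of list).
    fields = {}
    for el in ET.fromstring(xml_doc).iter():
        tag = el.tag.rsplit("}", 1)[-1]
        if tag == "errorCode":
            if (el.text or "").strip() == "713":
                return None
            raise RuntimeError(f"UPnP error {el.text}")
        if tag.startswith("New"):
            fields[tag[3:]] = (el.text or "").strip()
    return fields

def list_port_mappings(control_url, fetch=None):
    # Walk indexes until 713. fetch(body, headers) -> bytes is injectable for offline
    # testing; the range cap stops a misbehaving IGD from looping us forever.
    def http_fetch(body, headers):
        req = urllib.request.Request(control_url, data=body, headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=5) as r:
                return r.read()
        except urllib.error.HTTPError as e:  # SOAP faults are delivered as HTTP 500
            return e.read()
    fetch, mappings = fetch or http_fetch, []
    for index in range(1000):
        entry = parse_mapping_response(fetch(*build_get_mapping_request(index)))
        if entry is None:
            break
        mappings.append(entry)
    return mappings

def audit():
    # Network entry point: discover the gateway, fetch its description, walk mappings.
    loc = discover_location()
    desc = urllib.request.urlopen(loc, timeout=5).read() if loc else b""
    ctl = control_url_from_description(desc, loc) if desc else ""
    return list_port_mappings(ctl) if ctl else []

# Constructed samples (not captured from any real device) for offline runs.
SAMPLE_DESC = (f'<root xmlns="urn:schemas-upnp-org:device-1-0"><device><serviceList><service>'
               f'<serviceType>{WANIP_ST}</serviceType><controlURL>/ctl/IPConn</controlURL>'
               '</service></serviceList></device></root>')
SAMPLE_OK = (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><u:GetGenericPortMappingEntryResponse'
             f' xmlns:u="{WANIP_ST}"><NewExternalPort>21</NewExternalPort><NewProtocol>TCP'
             '</NewProtocol><NewInternalPort>21</NewInternalPort><NewInternalClient>192.168.1.23'
             '</NewInternalClient></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')
SAMPLE_FAULT = (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault><detail><UPnPError'
                ' xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode>'
                '</UPnPError></detail></s:Fault></s:Body></s:Envelope>')

def sample_fetch(body, headers):
    # Fake IGD holding exactly one mapping (index 0); any other index answers 713.
    return SAMPLE_OK if b"<NewPortMappingIndex>0</NewPortMappingIndex>" in body else SAMPLE_FAULT
```

Against a real network, `audit()` returns one dict per mapping (ExternalPort, Protocol, InternalClient, InternalPort, and whatever other New* fields the gateway includes, such as PortMappingDescription); an empty list means either no IGD answered the multicast or it advertises no WANIPConnection service. The `fetch` parameter exists so the index walk and the 713 end-of-list handling can be exercised with `sample_fetch` without touching a gateway. Some gateways expose WANPPPConnection instead, in which case pass that service type as `st`.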