Incoming SSDP UDP 1900 filtering

Ca By cb.list6 at gmail.com
Mon Mar 25 12:13:15 UTC 2019


Block SSDP and move on

SSDP is a horrible DDoS vector

Comcast and many others already block it, because it is the smart and best
thing to do

https://www.xfinity.com/support/articles/list-of-blocked-ports


On Mon, Mar 25, 2019 at 1:30 AM marcel.duregards--- via NANOG <nanog at nanog.org> wrote:

> Dear Community,
>
> We see more and more SSDP 'scans' in our network (coming from outside
> into our AS). Of course our clients have open vulnerable boxes (the last one
> is an enterprise class Synology with all default ports open:-)) which
> could be used as an SSDP reflection client.
>
> As SSDP is used with PnP for local LAN service discovery, we are
> thinking of:
>
> 1) educate our clients (takes a lot of time)
> 2) filter incoming SSDP packets (UDP port 1900 at least) at our BGP border
>
> We see option 2 as a good action to remove our autonomous system from the
> potential sources of SSDP DDoS toward the Internet.
> Of course this might (very small chance) open other problems with clients
> which use this port as an obfuscation port, but anyhow it would not be a
> good idea as it is a registered IANA port.
> We could also think of filtering incoming port 5000 (UPnP), but it is
> the default port that Synology decided to use (WHY???? so many trojans use
> this) for the DSM login into the UI.
>
> What do you think ?
>
> Thanks, best regards,
>
> --
> Marcel
>
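The two options discussed in the thread, worked through on constructed flow records as an added example (not code from either poster): flag outside hosts probing UDP/1900 into the AS, find internal hosts whose SSDP answers leave the AS (the reflection that matters), and show which flows the proposed border filter on inbound UDP/1900 would drop. The prefix 203.0.113.0/24 standing in for "our AS" and the flow tuples are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed address space of "our AS" (RFC 5737 documentation range, not a real network).
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
SSDP_PORT = 1900

# Constructed NetFlow-style records: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    ("198.51.100.7", 40000, "203.0.113.10", 1900, "udp", 100),   # inbound M-SEARCH probe
    ("198.51.100.7", 40000, "203.0.113.11", 1900, "udp", 100),   # probe to a host that stays quiet
    ("203.0.113.10", 1900, "198.51.100.7", 40000, "udp", 3200),  # reply leaving the AS, 32x the probe
    ("203.0.113.10", 1900, "203.0.113.55", 52000, "udp", 300),   # intra-AS discovery, legitimate
    ("203.0.113.11", 443, "198.51.100.9", 51000, "tcp", 5000),   # unrelated traffic
]

def is_ours(ip):
    return any(ipaddress.ip_address(ip) in net for net in OUR_PREFIXES)

def crosses_border_to_ssdp(src, dst, dport):
    """True for the packets option 2 would drop: UDP to port 1900 entering our
    AS from an outside source. Discovery between our own hosts is untouched."""
    return dport == SSDP_PORT and not is_ours(src) and is_ours(dst)

def analyze(flows):
    """Return (probers, reflectors). probers: outside IP -> count of inbound
    UDP/1900 probes. reflectors: internal host -> bytes-out/bytes-in ratio,
    counting only SSDP answers that leave the AS."""
    probers = defaultdict(int)
    bytes_in = defaultdict(int)
    bytes_out = defaultdict(int)
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if crosses_border_to_ssdp(src, dst, dport):
            probers[src] += 1
            bytes_in[dst] += nbytes
        elif sport == SSDP_PORT and is_ours(src) and not is_ours(dst):
            bytes_out[src] += nbytes
    reflectors = {h: bytes_out[h] / bytes_in[h] for h in bytes_out if bytes_in.get(h)}
    return dict(probers), reflectors

def apply_border_filter(flows):
    """Flows that survive the proposed inbound UDP/1900 filter at the border."""
    return [f for f in flows
            if not (f[4] == "udp" and crosses_border_to_ssdp(f[0], f[2], f[3]))]
```

On the sample, the filter removes only the two inbound probes; the intra-AS discovery flow and the unrelated TCP flow pass, which is the behaviour the quoted message is counting on.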