Thank you, Comcast.

Roland Dobbins rdobbins at
Fri Feb 26 16:51:57 UTC 2016

On 26 Feb 2016, at 23:44, Blake Hudson wrote:

> Jason, how do you propose to block SSDP without also blocking 
> legitimate traffic as well (since SSDP uses a port > 1024 and is used 
> as part of the ephemeral port range on some devices) ?

I'm not Jason, but blocking specific port-pairs such as UDP/80 ---> 
UDP/1900 and UDP/443 ---> UDP/1900 solves close to 90% of the problem, 
as UDP/80 and UDP/443 are the most common destination ports leveraged in 
this type of attack.

For an explanation of how UDP reflection/amplification attacks work, see 
this .pdf preso:


Roland Dobbins <rdobbins at>

More information about the NANOG mailing list