Thank you, Comcast.

Roland Dobbins rdobbins at arbor.net
Fri Feb 26 16:51:57 UTC 2016


On 26 Feb 2016, at 23:44, Blake Hudson wrote:

> Jason, how do you propose to block SSDP without also blocking 
> legitimate traffic as well (since SSDP uses a port > 1024 and is used 
> as part of the ephemeral port range on some devices) ?

I'm not Jason, but blocking specific port-pairs such as UDP/80 ---> 
UDP/1900 and UDP/443 ---> UDP/1900 solves close to 90% of the problem, 
as UDP/80 and UDP/443 are the most common destination ports leveraged in 
this type of attack.

For an explanation of how UDP reflection/amplification attacks work, see 
this .pdf preso:

<https://app.box.com/s/r7an1moswtc7ce58f8gg>

-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
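
Added example, not part of the original post: a small Python model of the two policies discussed in this exchange, a blanket block on destination UDP/1900 versus the port-pair block on UDP/80 ---> UDP/1900 and UDP/443 ---> UDP/1900, run over the same flows to compare attack traffic dropped with legitimate traffic dropped. It reads the arrow as source port to destination port (an assumption), and the flow records, labels and function names are constructed for illustration.

```python
from collections import namedtuple

# One UDP flow as seen at the access-network edge (constructed model).
Flow = namedtuple("Flow", "src_port dst_port label")

SSDP_PORT = 1900
# Source ports named in the post. A reflector replies to the source port of
# the query, so a spoofed query aimed at a victim's port 80 or 443 carries
# that port as its source port.
BLOCKED_SRC_PORTS = {80, 443}

def blanket_block(flow):
    """Drop anything destined to UDP/1900, whatever the source port."""
    return flow.dst_port == SSDP_PORT

def port_pair_block(flow):
    """Drop only the UDP/80 -> UDP/1900 and UDP/443 -> UDP/1900 pairs."""
    return flow.src_port in BLOCKED_SRC_PORTS and flow.dst_port == SSDP_PORT

def evaluate(policy, flows):
    """Return (attack flows dropped, legitimate flows dropped)."""
    dropped = [f for f in flows if policy(f)]
    attack = sum(1 for f in dropped if f.label == "attack")
    legit = sum(1 for f in dropped if f.label == "legit")
    return attack, legit

# Constructed sample, not captured traffic.
SAMPLE = [
    Flow(80, 1900, "attack"),     # spoofed SSDP query, victim port 80
    Flow(443, 1900, "attack"),    # spoofed SSDP query, victim port 443
    Flow(80, 1900, "attack"),
    Flow(27015, 1900, "attack"),  # spoofed query outside the blocked pairs
    Flow(53, 1900, "legit"),      # DNS reply to a client using 1900 as its ephemeral port
    Flow(123, 1900, "legit"),     # NTP reply, same situation
    Flow(443, 1900, "legit"),     # UDP/443 reply to a client on port 1900: still matches the pair
    Flow(443, 51514, "legit"),    # UDP/443 reply to an ordinary ephemeral port
]

if __name__ == "__main__":
    for name, policy in (("blanket", blanket_block), ("port-pair", port_pair_block)):
        attack, legit = evaluate(policy, SAMPLE)
        print(f"{name:10s} attack dropped={attack} legit dropped={legit}")
```
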


