Thank you, Comcast.

Blake Hudson blake at ispn.net
Fri Feb 26 20:01:05 UTC 2016


Livingood, Jason wrote on 2/26/2016 1:32 PM:
> On 2/26/16, 11:44 AM, "Blake Hudson" <blake at ispn.net> wrote:
>
>     Jason, how do you propose to block SSDP without also blocking
>     legitimate traffic as well (since SSDP uses a port > 1024 and is
>     used as part of the ephemeral port range on some devices) ?
>
>
> As Roland suggested, very likely via UDP/1900. This will obviously be 
> disclosed in advance to customers and tested thoroughly. I believe a 
> few other ISPs have already taken this step.
>
>     And is this practice /Open Internet/ friendly?
>
>
> Port blocking is considered a form of reasonable network management 
> provided it can be justified by security or operational stability 
> reasons. Of course it must also be transparently disclosed and so on.
>
> Jason
The difference in blocking any of the existing ports on your list and 
blocking UDP/1900 is that the ports on your list are all registered 
ports. Port 1900 is not registered - a host may use port 1900 when 
making an outbound connection to another host (lookup ephemeral port 
range for more info) regardless of whether either host is using or 
running an SSDP server. A block on port 1900 will result in blocking 
legitimate customer traffic if the customer's device happened to select 
port 1900 as part of its ephemeral port range.

To my knowledge, a current Windows, Linux, Apple device will not use 
port 1900 as part of its ephemeral port range, but Wikipedia suggests XP 
and older Windows operating systems will and I know that many NAT 
routers will (which affects all clients behind that NAT router, 
regardless of their OS). I have no idea what popular mobile clients use 
for their ephemeral port ranges. I imagine the NAT routers will be most 
common actors using ports outside of the IANA suggested ephemeral port 
range. Do you suggest that it is "reasonable network management" that 
users behind a NAT router have their 876th (1900 - 1024) UDP connection 
attempt blocked?

--Blake
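As an added illustration of the ephemeral-port collision Blake describes (example code, not part of the thread): it models a UDP/1900 filter applied in both directions against an assumed sequential 1025-5000 allocator (the older-Windows/NAT style he mentions) and the IANA 49152-65535 range, and reports which outbound customer flows would be lost.

```python
"""Model how an ISP filter on UDP/1900 interacts with a client's
ephemeral source-port selection.  The port ranges and allocation
behaviours below are assumptions for illustration, not measurements
of any particular device."""
from dataclasses import dataclass
from typing import List

SSDP_PORT = 1900


@dataclass(frozen=True)
class EphemeralPolicy:
    name: str
    low: int          # first ephemeral port, inclusive
    high: int         # last ephemeral port, inclusive
    sequential: bool  # True: walk the range in order; False: pick uniformly at random


# Assumed policies: legacy sequential (1025-5000) and IANA-suggested random (49152-65535)
LEGACY_SEQUENTIAL = EphemeralPolicy("legacy sequential", 1025, 5000, True)
IANA_RANDOM = EphemeralPolicy("IANA random", 49152, 65535, False)


def udp_blocked(sport: int, dport: int, blocked_port: int = SSDP_PORT) -> bool:
    """Model of the ISP ACL: drop any UDP datagram carrying the blocked port on
    either side, so both the outbound packet and its reply are affected."""
    return sport == blocked_port or dport == blocked_port


def nth_port(policy: EphemeralPolicy, n: int) -> int:
    """Source port handed to the n-th (1-based) outbound flow under a
    sequential allocator that wraps around at the top of its range."""
    span = policy.high - policy.low + 1
    return policy.low + (n - 1) % span


def blocked_flows(policy: EphemeralPolicy, n_flows: int, dport: int = 53,
                  blocked_port: int = SSDP_PORT) -> List[int]:
    """1-based indexes of the first n_flows outbound UDP flows (to a normal
    destination port, DNS by default) that the ACL would drop."""
    if not policy.sequential:
        raise ValueError("use collision_probability() for random selection")
    return [n for n in range(1, n_flows + 1)
            if udp_blocked(nth_port(policy, n), dport, blocked_port)]


def collision_probability(policy: EphemeralPolicy, blocked_port: int = SSDP_PORT) -> float:
    """Per-flow chance that a uniformly random pick lands on the blocked port."""
    if policy.low <= blocked_port <= policy.high:
        return 1 / (policy.high - policy.low + 1)
    return 0.0
```

With the legacy allocator the 876th flow is the first casualty, and the 4852nd is hit again after the range wraps; a device using the IANA range never collides.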