Incoming SSDP UDP 1900 filtering

Jason Hellenthal jhellenthal at dataix.net
Mon Mar 25 12:33:30 UTC 2019


Actually a little surprised to see port 25 blocked in both directions here along with 1080. It’s like saying here’s your network buuuuut it’s limited.

Though I wouldn’t recommend spawning up 25, it’s still a legitimately used port today, as is 1080.

-- 
 J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.

> On Mar 25, 2019, at 07:13, Ca By <cb.list6 at gmail.com> wrote:
> 
> Block SSDP and move on
> 
> SSDP is a horrible DDoS vector
> 
> Comcast and many others already block it, because it is the smart and best thing to do
> 
> https://www.xfinity.com/support/articles/list-of-blocked-ports
> 
> 
>> On Mon, Mar 25, 2019 at 1:30 AM marcel.duregards--- via NANOG <nanog at nanog.org> wrote:
>> Dear Community,
>> 
>> We see more and more SSDP 'scans' in our network (coming from outside
>> into our AS). Of course our clients have open vulnerable boxes (last one
>> is an enterprise class Synology with all default ports open:-)) which
>> could be used as a reflection SSDP client.
>> 
>> As SSDP is used with PnP for local LAN service discovery, we are
>> thinking of:
>> 
>> 1) educate our client (take a lot of time)
>> 2) filter incoming SSDP packets (UDP port 1900 at least) in our bgp border
>> 
>> We see option 2 as a good action to remove our autonomous system from
>> potential sources of DDoS SSDP traffic toward the Internet.
>> Of course this might (very little chance) open other problems with clients
>> which use this port as an obfuscation port, but anyhow it would not be a
>> good idea as it is a registered IANA port.
>> We could think of filtering also incoming port 5000 (UPnP), but it is
>> the default port that Synology decided to use (WHY???? so many trojans use
>> this) for the DSM login into the UI.
>> 
>> What do you think ?
>> 
>> Thanks, best regards,
>> 
>> --
>> Marcel
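
Added example, not part of the original thread: one way to measure from border flow records which customer hosts answer outside SSDP probes (the clients to contact under option 1) and how much inbound UDP/1900 a border filter (option 2) would drop. The CSV column layout, the 192.0.2.0/24 customer prefix, the sample records and the function names are all assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records (documentation address ranges), not real traffic.
# Columns: src_ip, src_port, dst_ip, dst_port, proto, bytes
SAMPLE_FLOWS = """\
198.51.100.7,40112,192.0.2.10,1900,udp,130
192.0.2.10,1900,198.51.100.7,40112,udp,3100
198.51.100.7,40113,192.0.2.20,1900,udp,130
203.0.113.9,51000,192.0.2.10,1900,udp,130
192.0.2.10,1900,203.0.113.9,51000,udp,2950
192.0.2.30,1900,192.0.2.31,50000,udp,400
203.0.113.9,51001,192.0.2.20,443,tcp,900
"""

INTERNAL_NETS = [ip_network("192.0.2.0/24")]  # assumed customer prefix


def is_internal(addr, nets=INTERNAL_NETS):
    ip = ip_address(addr)
    return any(ip in net for net in nets)


def ssdp_exposure(flow_csv, nets=INTERNAL_NETS):
    """Per internal host: bytes of UDP/1900 probes from outside and replies sent out."""
    hosts = defaultdict(lambda: {"probe_bytes": 0, "reply_bytes": 0})
    for src, sport, dst, dport, proto, size in csv.reader(io.StringIO(flow_csv)):
        if proto != "udp":
            continue
        src_in, dst_in = is_internal(src, nets), is_internal(dst, nets)
        if not src_in and dst_in and dport == "1900":
            hosts[dst]["probe_bytes"] += int(size)  # traffic a border filter would drop
        elif src_in and not dst_in and sport == "1900":
            hosts[src]["reply_bytes"] += int(size)  # host answered across the border
        # LAN-internal SSDP (both ends internal) is ignored: it never crosses the border
    return dict(hosts)


def reflectors(exposure):
    """Hosts seen replying to the outside, with the reply/probe byte ratio.
    Hosts whose probes were not captured (e.g. sampled flows) are skipped here."""
    return {h: round(v["reply_bytes"] / v["probe_bytes"], 1)
            for h, v in exposure.items() if v["reply_bytes"] and v["probe_bytes"]}


if __name__ == "__main__":
    for host, ratio in sorted(reflectors(ssdp_exposure(SAMPLE_FLOWS)).items()):
        print(f"{host} answers external SSDP probes, reply/probe byte ratio {ratio}")
```

Hosts that appear in the exposure map with zero reply bytes were probed but did not answer, so only the hosts returned by reflectors() need customer follow-up.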