Incoming SSDP UDP 1900 filtering

Ca By cb.list6 at gmail.com
Mon Mar 25 12:44:01 UTC 2019


On Mon, Mar 25, 2019 at 5:33 AM Jason Hellenthal <jhellenthal at dataix.net>
wrote:

> Actually a little surprised to see port 25 blocked in both directions here
> along with 1080. It’s like saying here’s your network buuuuut it’s limited.
>
> Though I wouldn’t recommend spawning up 25 it’s still a legitimately used
> port today as alike with 1080.
>

Different topic. But most broadband providers have a similar list and it
nearly always has port 25 blocked and you know why.



>
> --
>  J. Hellenthal
>
> The fact that there's a highway to Hell but only a stairway to Heaven says
> a lot about anticipated traffic volume.
>
> On Mar 25, 2019, at 07:13, Ca By <cb.list6 at gmail.com> wrote:
>
> Block SSDP and move on
>
> SSDP is a horrible DDoS vector
>
> Comcast and many others already block it, because it is the smart and best
> thing to do
>
> https://www.xfinity.com/support/articles/list-of-blocked-ports
>
>
> On Mon, Mar 25, 2019 at 1:30 AM marcel.duregards--- via NANOG <
> nanog at nanog.org> wrote:
>
>> Dear Community,
>>
>> We see more and more SSDP 'scans' in our network (coming from outside
>> into our AS). Of course our clients have open vulnerable boxes (last one
>> is an enterprise class Synology with all default ports open:-)) which
>> could be used as a reflection SSDP client.
>>
>> As SSDP is used with PnP for local LAN service discovery, we are
>> thinking of:
>>
>> 1) educate our clients (takes a lot of time)
>> 2) filter incoming SSDP packets (UDP port 1900 at least) in our bgp border
>>
>> We see option 2 as a good action to remove our autonomous system from
>> potential sources of DDOS SSDP source toward the Internet.
>> Of course this might (very small chance) open other problems with clients
>> which use this port as an obfuscation port, but anyhow it would not be a
>> good idea as it is a registered IANA port.
>> We could think of filtering also incoming port 5000 (UPnP), but it is
>> the default port that Synology decided to use (WHY???? so many trojans use
>> this) for the DSM login into the UI.
>>
>> What do you think ?
>>
>> Thanks, best regards,
>>
>> --
>> Marcel
>>
>
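Added example, not part of the thread: a passive check over border flow exports that shows which flows the proposed inbound UDP/1900 filter would drop and which customer hosts currently answer SSDP queries from outside the AS. The customer prefix, the record layout and the sample flows are assumptions constructed for illustration.

```python
import csv
import ipaddress
from collections import defaultdict

# Assumption: customer address space (a documentation prefix stands in here).
CUSTOMER_NETS = [ipaddress.ip_network("198.51.100.0/24")]
SSDP_PORT = 1900
# Constructed flow records (src,sport,dst,dport,proto,bytes), not real traffic.
SAMPLE_FLOWS = """\
203.0.113.7,40211,198.51.100.10,1900,udp,130
198.51.100.10,1900,203.0.113.7,40211,udp,3900
203.0.113.7,40212,198.51.100.20,1900,udp,130
198.51.100.30,51000,198.51.100.10,1900,udp,130
203.0.113.9,53122,198.51.100.10,1900,udp,130
198.51.100.10,1900,203.0.113.9,53122,udp,4100
203.0.113.9,443,198.51.100.20,50123,tcp,1500
"""

def is_customer(ip):
    return any(ipaddress.ip_address(ip) in net for net in CUSTOMER_NETS)

def parse(text):
    for src, sport, dst, dport, proto, size in csv.reader(text.splitlines()):
        yield src, int(sport), dst, int(dport), proto, int(size)

def border_filter_drops(flow):
    """Option 2 from the thread: drop UDP/1900 entering the AS from outside."""
    src, _, dst, dport, proto, _ = flow
    return (proto == "udp" and dport == SSDP_PORT
            and not is_customer(src) and is_customer(dst))

def ssdp_exposure(text):
    """Per customer host: bytes of outside SSDP queries in, SSDP replies out."""
    stats = defaultdict(lambda: {"in": 0, "out": 0})
    for flow in parse(text):
        src, sport, dst, _, proto, size = flow
        if border_filter_drops(flow):
            stats[dst]["in"] += size
        elif (proto == "udp" and sport == SSDP_PORT
              and is_customer(src) and not is_customer(dst)):
            stats[src]["out"] += size
    return dict(stats)

def reflectors(stats):
    """Hosts that answered outside queries: the ones to notify (option 1)."""
    return sorted(h for h, s in stats.items() if s["out"] > 0)

if __name__ == "__main__":
    print(reflectors(ssdp_exposure(SAMPLE_FLOWS)))
```

Customer-to-customer SSDP (the fourth sample record) never crosses the border, so the filter leaves it alone and it is not counted as exposure.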