[187807] in North American Network Operators' Group
Re: Thank you, Comcast.
daemon@ATHENA.MIT.EDU (Roland Dobbins)
Fri Feb 26 11:53:27 2016
X-Original-To: nanog@nanog.org
From: "Roland Dobbins" <rdobbins@arbor.net>
To: NANOG <nanog@nanog.org>
Date: Fri, 26 Feb 2016 23:51:57 +0700
In-Reply-To: <56D080EA.1000500@ispn.net>
Errors-To: nanog-bounces@nanog.org

On 26 Feb 2016, at 23:44, Blake Hudson wrote:

> Jason, how do you propose to block SSDP without also blocking
> legitimate traffic as well (since SSDP uses a port > 1024 and is used
> as part of the ephemeral port range on some devices) ?

I'm not Jason, but blocking specific port-pairs such as UDP/80 --->
UDP/1900 and UDP/443 ---> UDP/1900 solves close to 90% of the problem,
as UDP/80 and UDP/443 are the most common destination ports leveraged in
this type of attack.

For an explanation of how UDP reflection/amplification attacks work, see
this .pdf preso:

<https://app.box.com/s/r7an1moswtc7ce58f8gg>

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
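
The port-pair filter discussed in this message, compared against a blanket UDP/1900 block, as an added example that is not part of the original post. It assumes the arrows mean source port ---> destination port on packets arriving at the filter; all flows, addresses and labels are constructed, and the function names are hypothetical.

```python
from collections import namedtuple

# Constructed sample flows using documentation address ranges, not captured traffic.
# "spoofed" is the ground-truth label used only to score each policy.
Flow = namedtuple("Flow", "src sport dst dport spoofed note")
FLOWS = [
    Flow("198.51.100.7", 80,    "203.0.113.10", 1900, True,  "SSDP request, forged source port 80"),
    Flow("198.51.100.7", 443,   "203.0.113.11", 1900, True,  "SSDP request, forged source port 443"),
    Flow("198.51.100.7", 53124, "203.0.113.12", 1900, True,  "SSDP request, forged high source port"),
    Flow("192.0.2.53",   53,    "203.0.113.20", 1900, False, "DNS reply to client on ephemeral port 1900"),
    Flow("192.0.2.123",  123,   "203.0.113.21", 1900, False, "NTP reply to client on ephemeral port 1900"),
    Flow("192.0.2.44",   443,   "203.0.113.22", 1900, False, "QUIC reply to client on ephemeral port 1900"),
]

SSDP_PORT = 1900
PAIR_SOURCE_PORTS = {80, 443}  # the two port-pairs named in the message


def blanket_block(flow):
    """Drop every UDP packet destined to port 1900."""
    return flow.dport == SSDP_PORT


def port_pair_block(flow):
    """Drop only UDP/80 -> UDP/1900 and UDP/443 -> UDP/1900."""
    return flow.sport in PAIR_SOURCE_PORTS and flow.dport == SSDP_PORT


def evaluate(policy, flows=FLOWS):
    """Return (spoofed requests dropped, legitimate flows dropped) for a policy."""
    dropped = [f for f in flows if policy(f)]
    attack = sum(1 for f in dropped if f.spoofed)
    collateral = sum(1 for f in dropped if not f.spoofed)
    return attack, collateral


if __name__ == "__main__":
    for name, policy in (("blanket", blanket_block), ("port-pair", port_pair_block)):
        attack, collateral = evaluate(policy)
        print(f"{name:10s} spoofed dropped={attack} legitimate dropped={collateral}")
```

The one legitimate flow the port-pair policy still drops is a UDP/443 (QUIC) reply to a client that happened to pick 1900 as its ephemeral port, which is worth checking in flow telemetry before deploying the filter.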