nanog mailing list archives
Re: Thank you, Comcast.
From: "Roland Dobbins" <rdobbins () arbor net>
Date: Fri, 26 Feb 2016 23:51:57 +0700
On 26 Feb 2016, at 23:44, Blake Hudson wrote:
Jason, how do you propose to block SSDP without also blocking legitimate traffic as well (since SSDP uses a port > 1024 and is used as part of the ephemeral port range on some devices)?
I'm not Jason, but blocking specific port-pairs such as UDP/80 ---> UDP/1900 and UDP/443 ---> UDP/1900 solves close to 90% of the problem, as UDP/80 and UDP/443 are the most common destination ports leveraged in this type of attack.
For an explanation of how UDP reflection/amplification attacks work, see this .pdf preso:
<https://app.box.com/s/r7an1moswtc7ce58f8gg>

-----------------------------------
Roland Dobbins <rdobbins () arbor net>
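
Added example, not part of the message above: a short Python comparison of a blanket UDP/1900 block with the port-pair filter the reply describes, scored over constructed packets. It assumes the arrow in "UDP/80 ---> UDP/1900" means source port to destination port and that the filter sits on traffic headed to subscriber devices; `Packet`, the sample data and the 4444 entry are constructed for illustration.

```python
from collections import namedtuple

# Constructed sample: UDP packets arriving at the access edge, headed to subscribers.
# "kind" is ground truth used only for scoring; a real filter sees just the ports.
Packet = namedtuple("Packet", "sport dport kind note")

PACKETS = [
    Packet(80, 1900, "stimulus", "spoofed request; replies would land on victim UDP/80"),
    Packet(80, 1900, "stimulus", "same pattern, second reflector"),
    Packet(443, 1900, "stimulus", "spoofed request; replies would land on victim UDP/443"),
    Packet(4444, 1900, "stimulus", "constructed: some other victim port"),
    Packet(53, 1900, "legit", "DNS reply to a client using ephemeral port 1900"),
    Packet(123, 1900, "legit", "NTP reply to a client using ephemeral port 1900"),
    Packet(443, 1900, "legit", "QUIC reply to a client using ephemeral port 1900"),
    Packet(53, 40000, "legit", "DNS reply to an unrelated ephemeral port"),
]

VICTIM_PORTS = frozenset({80, 443})  # the two source ports named in the post
SSDP_PORT = 1900


def blanket_block(pkt):
    """Drop anything addressed to UDP/1900, whatever its source port."""
    return pkt.dport == SSDP_PORT


def port_pair_block(pkt):
    """Drop only UDP/80 -> UDP/1900 and UDP/443 -> UDP/1900."""
    return pkt.dport == SSDP_PORT and pkt.sport in VICTIM_PORTS


def evaluate(policy, packets):
    """Return (stimulus dropped, stimulus total, legit dropped, legit total)."""
    counts = {"stimulus": [0, 0], "legit": [0, 0]}
    for pkt in packets:
        counts[pkt.kind][1] += 1
        if policy(pkt):
            counts[pkt.kind][0] += 1
    return tuple(counts["stimulus"] + counts["legit"])


if __name__ == "__main__":
    for policy in (blanket_block, port_pair_block):
        print(policy.__name__, evaluate(policy, PACKETS))
```

In this sample the port-pair filter leaves the DNS and NTP replies alone but still drops the one legitimate packet that happens to pair source port 443 with ephemeral port 1900, and it misses the stimulus sent from a port other than 80 or 443.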