nanog mailing list archives

Re: Incoming SSDP UDP 1900 filtering


From: William Herrin <bill () herrin us>
Date: Thu, 11 Apr 2019 13:24:49 -0700

On Thu, Apr 11, 2019 at 7:15 AM Patrick McEvilly <patrick_mcevilly () harvard edu> wrote:
> I'm working with Level3 on a similar problem.  They filter both UDP and
> TCP port 1900 on our peer to them.  This is blocking all connections that
> randomly use ephemeral tcp port 1900.
>
> They are refusing to remove the tcp port 1900 filter without dispensation
> from the DDoS security gods. I understand blocking UDP 1900, what is the
> purpose of Level3 filtering tcp port 1900?

Hi Patrick,

I ran into this years ago with the NIPR to Internet gateway at Pearl. They
were filtering about 100 TCP ports in the 1024 to 5000 range because they
were commonly used for malware C&C. They insisted they were only blocking
destination ports... Didn't quite get the concept that the source port on a
packet traveling one way becomes the destination port on the return packet,
or that 1024 to 5000 were common ephemeral source ports for both Windows
and a number of firewall products. The idea of filtering only on
syn-not-ack packets also failed to make contact in their craniums.

Good luck with Level3. The folks at Pearl still hadn't figured it out years
later when I changed jobs.

Regards,
Bill Herrin

 --
William Herrin ................ herrin () dirtside com  bill () herrin us
Dirtside Systems ......... Web: <http://www.dirtside.com/>
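As an added illustration (not code from the thread or from either poster), the mechanism Bill describes: a blanket "drop inbound TCP to port 1900" rule also drops the SYN/ACK coming back to a legitimate outbound session whose ephemeral source port happened to be 1900, whereas matching only SYN-without-ACK packets blocks unsolicited connection attempts and leaves established sessions alone. Packets, port numbers and the two rules are constructed for this simulation.

```python
from dataclasses import dataclass

BLOCKED_PORT = 1900  # the port the upstream filters on

@dataclass(frozen=True)
class Packet:
    src_port: int
    dst_port: int
    syn: bool
    ack: bool
    inbound: bool  # True = arriving from the Internet toward our network

def naive_rule(p: Packet) -> bool:
    """Upstream-style rule: drop anything inbound with dst port 1900. Returns True if allowed."""
    return not (p.inbound and p.dst_port == BLOCKED_PORT)

def syn_only_rule(p: Packet) -> bool:
    """Drop only inbound connection attempts (SYN, no ACK) to port 1900. Returns True if allowed."""
    return not (p.inbound and p.dst_port == BLOCKED_PORT and p.syn and not p.ack)

def reply_to(p: Packet) -> Packet:
    """The reply to a packet: ports swap and direction flips (a SYN is answered by SYN/ACK)."""
    return Packet(src_port=p.dst_port, dst_port=p.src_port,
                  syn=p.syn, ack=True, inbound=not p.inbound)

def session_survives(rule, client_port: int) -> bool:
    """Does an outbound HTTPS session from this ephemeral port get its SYN/ACK back?"""
    syn = Packet(src_port=client_port, dst_port=443, syn=True, ack=False, inbound=False)
    synack = reply_to(syn)  # inbound, dst_port == client_port
    return rule(syn) and rule(synack)

def probe_blocked(rule) -> bool:
    """Is an unsolicited inbound connection attempt to port 1900 still dropped?"""
    probe = Packet(src_port=40000, dst_port=BLOCKED_PORT, syn=True, ack=False, inbound=True)
    return not rule(probe)

def broken_ephemeral_ports(rule, low: int = 1024, high: int = 5000) -> list:
    """Which ephemeral source ports in the Windows-era range lose their return traffic."""
    return [port for port in range(low, high + 1) if not session_survives(rule, port)]

if __name__ == "__main__":
    for name, rule in (("naive dst-port rule", naive_rule), ("SYN-only rule", syn_only_rule)):
        print(f"{name}: probe blocked={probe_blocked(rule)}, "
              f"broken ephemeral ports={broken_ephemeral_ports(rule)}")
```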
