Re: Incoming SSDP UDP 1900 filtering

[Jason Hellenthal via NANOG <nanog () nanog org>]

Actually a little surprised to see port 25 blocked in both directions here along with 1080. It’s like saying here’s 
your network buuuuut it’s limited.

Though I wouldn’t recommend spawning up 25 it’s still a legitimately used port today as alike with 1080.

-- 
 J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.

> On Mar 25, 2019, at 07:13, Ca By <cb.list6 () gmail com> wrote:
>
> Blocked ssdp and move on 
>
> Ssdp is a horrible ddos vector
>
> Comcast and many others already block it, because is the smart and best thing to do
>
> https://www.xfinity.com/support/articles/list-of-blocked-ports
>
>
> > On Mon, Mar 25, 2019 at 1:30 AM marcel.duregards--- via NANOG <nanog () nanog org> wrote:
> > Dear Community,
> >
> > We see more and more SSDP 'scan' in our network (coming from outside
> > into our AS). Of course our client have open vulnerables boxes (last one
> > is an enterprise class Synology with all defaults ports open:-)) which
> > could be used as a reflection SSDP client.
> >
> > As SSDP is used with PnP for local LAN service discovery, we are
> > thinking of:
> >
> > 1) educate our client (take a lot of time)
> > 2) filter incoming SSDP packets (UDP port 1900 at least) in our bgp border
> >
> > We see option 2 as a good action to remove our autonomous systeme from
> > potential sources of DDOS SSDP source toward the Internet.
> > Of course this might (very few chance) open others problems with clients
> > which use this port as an obfuscation port, but anyhow it would not be a
> > good idea as it is a registered IANA port.
> > We could think of filtering also incoming port 5000 (UPnP), but it is
> > the default port that Synology decide to use (WHY???? so many trojan use
> > this) for the DSM login into the UI.
> >
> > What do you think ?
> >
> > Thank, best regards,
> >
> > --
> > Marcel