nanog mailing list archives

Incoming SSDP UDP 1900 filtering

From: "marcel.duregards--- via NANOG" <nanog () nanog org>
Date: Mon, 25 Mar 2019 09:28:18 +0100

Dear Community,

We see more and more SSDP 'scan' in our network (coming from outside
into our AS). Of course our client have open vulnerables boxes (last one
is an enterprise class Synology with all defaults ports open:-)) which
could be used as a reflection SSDP client.

As SSDP is used with PnP for local LAN service discovery, we are
thinking of:

1) educate our client (take a lot of time)
2) filter incoming SSDP packets (UDP port 1900 at least) in our bgp border

We see option 2 as a good action to remove our autonomous systeme from
potential sources of DDOS SSDP source toward the Internet.
Of course this might (very few chance) open others problems with clients
which use this port as an obfuscation port, but anyhow it would not be a
good idea as it is a registered IANA port.
We could think of filtering also incoming port 5000 (UPnP), but it is
the default port that Synology decide to use (WHY???? so many trojan use
this) for the DSM login into the UI.

What do you think ?

Thank, best regards,

--
Marcel

Current thread:

Incoming SSDP UDP 1900 filtering marcel.duregards--- via NANOG (Mar 25)
- Re: Incoming SSDP UDP 1900 filtering Sean Donelan (Mar 25)
  - Re: Incoming SSDP UDP 1900 filtering Sean Donelan (Mar 25)
  - Re: Incoming SSDP UDP 1900 filtering Tom Hill (Mar 25)
    - Re: Incoming SSDP UDP 1900 filtering Tom Beecher (Mar 25)
    - Re: Incoming SSDP UDP 1900 filtering Bryan Holloway (Mar 25)
    - Re: Incoming SSDP UDP 1900 filtering Sean Donelan (Mar 25)
    - Re: Incoming SSDP UDP 1900 filtering Saku Ytti (Mar 25)
    - Re: Incoming SSDP UDP 1900 filtering Tom Beecher (Mar 25)
    - Re: Incoming SSDP UDP 1900 filtering Sean Donelan (Mar 25)
- RE: Incoming SSDP UDP 1900 filtering Phil Lavin (Mar 25)

(Thread continues...)