After seeing suspicious traffic I have dropped UDP port 1900 globally with no ill-effects. I have dropped over 300 GB of that traffic this month.
-Ty

On Mon, Dec 22, 2014 at 9:36 PM, Ken Hohhof via Af <af@afmug.com> wrote:

> I read somewhere, I think maybe Ars, that the DDoS attack has been going on for several days and is using primarily NTP and SSDP (UPnP discovery protocol) amplification. And that SSDP has succeeded NTP and DNS as the amplification method for big (> 1Gbps) DDoS attacks. Apparently because the industry jumped on securing open NTP servers. And even though SSDP provides less amplification than NTP, there are more targets and they are mostly home routers which consumers are not going to patch even if there is patched firmware available. Plus UDP makes it easier to spoof the source IP.
>
> So I must have missed that UDP port 1900 is the new target for amplification.
>
> I did a quick torch and saw a bunch of traffic on udp/1900, some inbound only which I assume are scans, some bidirectional which I’m thinking is suspicious but maybe some port 1900 traffic is normal because it is in the >1024 ephemeral port range.
>
> I went and signed up for ShadowServer, figuring they will tell me what IPs were responding to SSDP requests on what date and I can track down the customer. Anyone have a better approach? If you identify customers with UPnP open to the outside, are you contacting them and pushing them to fix it?
>
> It’s just amazing to me that some routers would have UPnP open on the WAN side. What’s wrong with these companies? I saw DLink mentioned, and sure enough, when I torched for udp/1900, I saw a lot of connections for a customer that I seem to remember has a DLink DIR-655.
>
> *From:* Jaime Solorza via Af <af@afmug.com>
> *Sent:* Monday, December 22, 2014 7:58 PM
> *To:* Animal Farm <af@afmug.com>
> *Subject:* Re: [AFMUG] North Korea is down....
>
> linksys modems for backhauls
>
> Jaime Solorza
> Wireless Systems Architect
> 915-861-1390
>
> On Mon, Dec 22, 2014 at 2:48 PM, Tyson Burris @ Internet Communications Inc via Af <af@afmug.com> wrote:
>
>> No! No! They have Comcast Cable and Century Link DSL. Normal stuff.
>>
>> *Tyson Burris, President*
>> *Internet Communications Inc.*
>> *739 Commerce Dr.*
>> *Franklin, IN 46131*
>> *317-738-0320 Daytime #*
>> *317-412-1540 Cell/Direct #*
>> *Online: www.surfici.net* <http://www.surfici.net>
>>
>> *What can ICI do for you?*
>> *Broadband Wireless - PtP/PtMP Solutions - WiMax - Mesh Wifi/Hotzones - IP Security - Fiber - Tower - Infrastructure.*
>>
>> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Travis Johnson via Af
>> *Sent:* Monday, December 22, 2014 4:24 PM
>> *To:* af@afmug.com
>> *Subject:* Re: [AFMUG] North Korea is down....
>>
>> The FBI setup a P2P server in North Korea with the Sony movie as the only download. LOL
>>
>> Travis
>>
>> On 12/22/2014 2:08 PM, CBB - Jay Fuller via Af wrote:
>>
>> What did we do? Lol. How did we do it ?
>>
>> Sent from my Verizon Wireless 4G LTE Smartphone
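As an added illustration of the triage Ken describes (inbound-only udp/1900 as scans, bidirectional as a host answering SSDP from the WAN side), and not code from anyone in this thread: a Python sketch that sorts customer hosts into those buckets from flow records and estimates the amplification factor. The flow tuples, the customer prefix and the threshold are constructed sample values.

```python
import ipaddress
from collections import defaultdict

SSDP_PORT = 1900

# Constructed sample UDP flow records: (src_ip, src_port, dst_ip, dst_port, bytes).
# 198.51.100.0/24 plays the role of the customer address space.
SAMPLE_FLOWS = [
    ("203.0.113.9", 40000, "198.51.100.20", 1900, 96),    # M-SEARCH probe arrives
    ("198.51.100.20", 1900, "203.0.113.9", 40000, 2880),  # customer CPE answers, 30x bigger
    ("203.0.113.9", 40001, "198.51.100.21", 1900, 96),    # probe, no answer seen
    ("198.51.100.22", 1900, "192.0.2.5", 53123, 2700),    # answer seen, request not captured
    ("198.51.100.23", 51000, "192.0.2.80", 443, 1500),    # unrelated traffic, ignored
]


def classify_ssdp(flows, customer_net, amp_threshold=5.0):
    """Return {customer_ip: (status, amplification)} for hosts seen in udp/1900 traffic.

    status is one of:
      "scanned-only"  inbound probes only, host did not answer (not exposed)
      "responds"      host sends from udp/1900 but no matching request was captured
      "reflector"     host answers and replies are >= amp_threshold times the requests
      "responds-low"  host answers but with a small byte ratio
    """
    net = ipaddress.ip_network(customer_net)
    req_in = defaultdict(int)   # bytes of udp/1900 requests reaching each customer host
    rep_out = defaultdict(int)  # bytes each customer host sends with source port 1900
    for src, sport, dst, dport, nbytes in flows:
        if dport == SSDP_PORT and ipaddress.ip_address(dst) in net:
            req_in[dst] += nbytes
        if sport == SSDP_PORT and ipaddress.ip_address(src) in net:
            rep_out[src] += nbytes

    verdicts = {}
    for ip in set(req_in) | set(rep_out):
        if rep_out[ip] == 0:
            verdicts[ip] = ("scanned-only", None)
        elif req_in[ip] == 0:
            verdicts[ip] = ("responds", None)
        else:
            amp = rep_out[ip] / req_in[ip]
            status = "reflector" if amp >= amp_threshold else "responds-low"
            verdicts[ip] = (status, amp)
    return verdicts


if __name__ == "__main__":
    for ip, (status, amp) in sorted(classify_ssdp(SAMPLE_FLOWS, "198.51.100.0/24").items()):
        print(f"{ip:16} {status:14} {'' if amp is None else f'x{amp:.0f}'}")
```

Hosts tagged "reflector" or "responds" are the ones worth cross-checking against ShadowServer's open-SSDP reports before contacting the customer.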