I guess it could be treated like 137/138/139/445 which do not belong on the public Internet, I would feel better about blocking if it was a low numbered port.
Are you blocking it inbound to your network, or also outbound? From: Ty Featherling via Af Sent: Tuesday, December 23, 2014 9:06 AM To: af@afmug.com Subject: Re: [AFMUG] North Korea is down.... After seeing suspicious traffic I have dropped UDP port 1900 globally with no ill-effects. I have dropepd over 300 GB of that traffic this month. -Ty On Mon, Dec 22, 2014 at 9:36 PM, Ken Hohhof via Af <af@afmug.com> wrote: I read somewhere, I think maybe Ars, that the DDoS attack has been going on for several days and is using primarily NTP and SSDP (UPnP discovery protocol) amplification. And that SSDP has succeeded NTP and DNS as the amplification method for big (> 1Gbps) DDoS attacks. Apparently because the industry jumped on securing open NTP servers. And even though SSDP provides less amplification than NTP, there are more targets and they are mostly home routers which consumers are not going to patch even if there is patched firmware available. Plus UDP makes it easier to spoof the source IP. So I must have missed that UDP port 1900 is the new target for amplification. I did a quick torch and saw a bunch of traffic on udp/1900, some inbound only which I assume are scans, some bidirectional which I’m thinking is suspicious but maybe some port 1900 traffic is normal because it is in the >1024 ephemeral port range. I went and signed up for ShadowServer, figuring they will tell me what IPs were responding to SSDP requests on what date and I can track down the customer. Anyone have a better approach? If you identify customers with UPnP open to the outside, are you contacting them and pushing them to fix it? It’s just amazing to me that some routers would have UPnP open on the WAN side. What’s wrong with these companies? I saw DLink mentioned, and sure enough, when I torched for udp/1900, I saw a lot of connections for a customer that I seem to remember has a DLink DIR-655. From: Jaime Solorza via Af Sent: Monday, December 22, 2014 7:58 PM To: Animal Farm Subject: Re: [AFMUG] North Korea is down.... linksys modems for backhauls Jaime Solorza Wireless Systems Architect 915-861-1390 On Mon, Dec 22, 2014 at 2:48 PM, Tyson Burris @ Internet Communications Inc via Af <af@afmug.com> wrote: No! No! They have Comcast Cable and Century Link DSL. Normal stuff. Tyson Burris, President Internet Communications Inc. 739 Commerce Dr. Franklin, IN 46131 317-738-0320 Daytime # 317-412-1540 Cell/Direct # Online: www.surfici.net What can ICI do for you? Broadband Wireless - PtP/PtMP Solutions - WiMax - Mesh Wifi/Hotzones - IP Security - Fiber - Tower - Infrastructure. CONFIDENTIALITY NOTICE: This e-mail is intended for the addressee shown. It contains information that is confidential and protected from disclosure. Any review, dissemination or use of this transmission or its contents by unauthorized organizations or individuals is strictly prohibited. From: Af [mailto:af-boun...@afmug.com] On Behalf Of Travis Johnson via Af Sent: Monday, December 22, 2014 4:24 PM To: af@afmug.com Subject: Re: [AFMUG] North Korea is down.... The FBI setup a P2P server in North Korea with the Sony movie as the only download. LOL Travis On 12/22/2014 2:08 PM, CBB - Jay Fuller via Af wrote: What did we do? Lol. How did we do it ? Sent from my Verizon Wireless 4G LTE Smartphone