I guess it could be treated like 137/138/139/445 which do not belong on the 
public Internet, I would feel better about blocking if it was a low numbered 
port.

Are you blocking it inbound to your network, or also outbound?
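As an added example (not code from anyone in this thread), here is a flow-log check for the question raised further down: separating customer routers that actually answer SSDP queries on the WAN side from hosts that merely use 1900 as an ephemeral source port. The flow format, the customer prefix 10.20.30.0/24 and the byte counts are all constructed.

```python
import ipaddress
from collections import defaultdict
# Constructed sample flow records (not from the thread), in observed order:
# "proto src:sport > dst:dport bytes"
SAMPLE_FLOWS = """\
udp 198.51.100.7:80 > 10.20.30.44:1900 100
udp 10.20.30.44:1900 > 198.51.100.7:80 3000
udp 198.51.100.7:80 > 10.20.30.44:1900 100
udp 10.20.30.44:1900 > 198.51.100.7:80 5000
udp 203.0.113.9:41222 > 10.20.30.51:1900 100
udp 10.20.30.99:1900 > 192.0.2.53:53 64
udp 192.0.2.53:53 > 10.20.30.99:1900 120
tcp 10.20.30.44:51000 > 198.51.100.7:80 500
"""

# Assumed customer address range (placeholder; use your own allocation).
CUSTOMER_NETS = [ipaddress.ip_network("10.20.30.0/24")]

def is_customer(ip):
    return any(ipaddress.ip_address(ip) in net for net in CUSTOMER_NETS)

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        proto, src, _, dst, nbytes = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append((proto, sip, int(sport), dip, int(dport), int(nbytes)))
    return flows

def ssdp_responders(flows):
    """Customer hosts answering SSDP queries from outside -> {host: {in, out, factor}}.
    Outbound udp/1900 flows count only if that peer queried udp/1900 earlier (else ephemeral)."""
    queries = defaultdict(int)  # (customer, peer) -> bytes received on udp/1900
    answers = defaultdict(int)  # (customer, peer) -> bytes sent from udp/1900
    for proto, sip, sport, dip, dport, nbytes in flows:
        if proto == "udp" and dport == 1900 and is_customer(dip) and not is_customer(sip):
            queries[(dip, sip)] += nbytes
        elif proto == "udp" and sport == 1900 and is_customer(sip) and not is_customer(dip):
            if (sip, dip) in queries:  # paired with an earlier inbound query from this peer
                answers[(sip, dip)] += nbytes
    report = {}
    for (cust, peer), out_bytes in answers.items():
        entry = report.setdefault(cust, {"in": 0, "out": 0})
        entry["in"] += queries[(cust, peer)]
        entry["out"] += out_bytes
    for entry in report.values():
        entry["factor"] = round(entry["out"] / entry["in"], 1)  # amplification ratio
    return report
```

Hosts that are only probed (10.20.30.51) or only use 1900 as a source port for their own lookups (10.20.30.99) are left out, so the report lists the customers worth contacting rather than every udp/1900 flow torch shows.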


From: Ty Featherling via Af 
Sent: Tuesday, December 23, 2014 9:06 AM
To: af@afmug.com 
Subject: Re: [AFMUG] North Korea is down....

After seeing suspicious traffic I have dropped UDP port 1900 globally with no 
ill effects. I have dropped over 300 GB of that traffic this month. 

-Ty

On Mon, Dec 22, 2014 at 9:36 PM, Ken Hohhof via Af <af@afmug.com> wrote: 
  I read somewhere, I think maybe Ars, that the DDoS attack has been going on 
for several days and is using primarily NTP and SSDP (UPnP discovery protocol) 
amplification.  And that SSDP has succeeded NTP and DNS as the amplification 
method for big (> 1Gbps) DDoS attacks.  Apparently because the industry jumped 
on securing open NTP servers.  And even though SSDP provides less amplification 
than NTP, there are more targets and they are mostly home routers which 
consumers are not going to patch even if there is patched firmware available.  
Plus UDP makes it easier to spoof the source IP.

  So I must have missed that UDP port 1900 is the new target for amplification.

  I did a quick torch and saw a bunch of traffic on udp/1900, some inbound only 
which I assume are scans, some bidirectional which I’m thinking is suspicious 
but maybe some port 1900 traffic is normal because it is in the >1024 ephemeral 
port range.

  I went and signed up for ShadowServer, figuring they will tell me what IPs 
were responding to SSDP requests on what date and I can track down the 
customer.  Anyone have a better approach?  If you identify customers with UPnP 
open to the outside, are you contacting them and pushing them to fix it?

  It’s just amazing to me that some routers would have UPnP open on the WAN 
side.  What’s wrong with these companies?  I saw DLink mentioned, and sure 
enough, when I torched for udp/1900, I saw a lot of connections for a customer 
that I seem to remember has a DLink DIR-655.


  From: Jaime Solorza via Af 
  Sent: Monday, December 22, 2014 7:58 PM
  To: Animal Farm 
  Subject: Re: [AFMUG] North Korea is down....

  linksys modems for backhauls


  Jaime Solorza 
  Wireless Systems Architect
  915-861-1390

  On Mon, Dec 22, 2014 at 2:48 PM, Tyson Burris @ Internet Communications Inc 
via Af <af@afmug.com> wrote:

    No! No! They have Comcast Cable and Century Link DSL.  Normal stuff.



    Tyson Burris, President 
    Internet Communications Inc. 
    739 Commerce Dr. 
    Franklin, IN 46131 
      
    317-738-0320 Daytime # 
    317-412-1540 Cell/Direct # 
    Online: www.surfici.net 





    What can ICI do for you? 


    Broadband Wireless - PtP/PtMP Solutions - WiMax - Mesh Wifi/Hotzones - IP 
Security - Fiber - Tower - Infrastructure. 
      
    CONFIDENTIALITY NOTICE: This e-mail is intended for the 
    addressee shown. It contains information that is 
    confidential and protected from disclosure. Any review, 
    dissemination or use of this transmission or its contents by 
    unauthorized organizations or individuals is strictly 
    prohibited. 



    From: Af [mailto:af-boun...@afmug.com] On Behalf Of Travis Johnson via Af
    Sent: Monday, December 22, 2014 4:24 PM
    To: af@afmug.com
    Subject: Re: [AFMUG] North Korea is down....



    The FBI setup a P2P server in North Korea with the Sony movie as the only 
download. LOL

    Travis

    On 12/22/2014 2:08 PM, CBB - Jay Fuller via Af wrote:


      What did we do? Lol. How did we do it ?

      Sent from my Verizon Wireless 4G LTE Smartphone


