UDP 1900 is ephemeral port, and a low number. Many network stacks pick ports sequentially above 1025 which means some portion of legitimate traffic is going to be dropped if you block just based on UDP 1900. It will cause intermittent and unpredictable failures for applications and it will likely be very difficult to troubleshoot since the issue will be short lived in most cases.
You probably want to consider a more specific filter looking deeper in the packet. Mark > On Dec 23, 2014, at 10:06 AM, Ty Featherling via Af <af@afmug.com> wrote: > > After seeing suspicious traffic I have dropped UDP port 1900 globally with no > ill-effects. I have dropepd over 300 GB of that traffic this month. > > -Ty > > On Mon, Dec 22, 2014 at 9:36 PM, Ken Hohhof via Af <af@afmug.com > <mailto:af@afmug.com>> wrote: > I read somewhere, I think maybe Ars, that the DDoS attack has been going on > for several days and is using primarily NTP and SSDP (UPnP discovery > protocol) amplification. And that SSDP has succeeded NTP and DNS as the > amplification method for big (> 1Gbps) DDoS attacks. Apparently because the > industry jumped on securing open NTP servers. And even though SSDP provides > less amplification than NTP, there are more targets and they are mostly home > routers which consumers are not going to patch even if there is patched > firmware available. Plus UDP makes it easier to spoof the source IP. > > So I must have missed that UDP port 1900 is the new target for amplification. > > I did a quick torch and saw a bunch of traffic on udp/1900, some inbound only > which I assume are scans, some bidirectional which I’m thinking is suspicious > but maybe some port 1900 traffic is normal because it is in the >1024 > ephemeral port range. > > I went and signed up for ShadowServer, figuring they will tell me what IPs > were responding to SSDP requests on what date and I can track down the > customer. Anyone have a better approach? If you identify customers with > UPnP open to the outside, are you contacting them and pushing them to fix it? > > It’s just amazing to me that some routers would have UPnP open on the WAN > side. What’s wrong with these companies? I saw DLink mentioned, and sure > enough, when I torched for udp/1900, I saw a lot of connections for a > customer that I seem to remember has a DLink DIR-655. > > > From: Jaime Solorza via Af <mailto:af@afmug.com> > Sent: Monday, December 22, 2014 7:58 PM > To: Animal Farm <mailto:af@afmug.com> > Subject: Re: [AFMUG] North Korea is down.... > > linksys modems for backhauls > > Jaime Solorza > Wireless Systems Architect > 915-861-1390 <tel:915-861-1390> > > On Mon, Dec 22, 2014 at 2:48 PM, Tyson Burris @ Internet Communications Inc > via Af <af@afmug.com <mailto:af@afmug.com>> wrote: > No! No! They have Comcast Cable and Century Link DSL. Normal stuff. > > > > Tyson Burris, President > Internet Communications Inc. > 739 Commerce Dr. > Franklin, IN 46131 > > 317-738-0320 <tel:317-738-0320> Daytime # > 317-412-1540 <tel:317-412-1540> Cell/Direct # > Online: www.surfici.net <http://www.surfici.net/> > > > <image001.png> > > What can ICI do for you? > > > Broadband Wireless - PtP/PtMP Solutions - WiMax - Mesh Wifi/Hotzones - IP > Security - Fiber - Tower - Infrastructure. > > CONFIDENTIALITY NOTICE: This e-mail is intended for the > addressee shown. It contains information that is > confidential and protected from disclosure. Any review, > dissemination or use of this transmission or its contents by > unauthorized organizations or individuals is strictly > prohibited. > > > > From: Af [mailto:af-boun...@afmug.com <mailto:af-boun...@afmug.com>] On > Behalf Of Travis Johnson via Af > Sent: Monday, December 22, 2014 4:24 PM > To: af@afmug.com <mailto:af@afmug.com> > Subject: Re: [AFMUG] North Korea is down.... > > > > The FBI setup a P2P server in North Korea with the Sony movie as the only > download. LOL > > Travis > > On 12/22/2014 2:08 PM, CBB - Jay Fuller via Af wrote: > > > What did we do? Lol. How did we do it ? > > Sent from my Verizon Wireless 4G LTE Smartphone > > > >
