We have blocked 1900 UDP for many years and never have “seen” any side affects from that
From: Af [mailto:af-boun...@afmug.com] On Behalf Of Mark Radabaugh via Af Sent: Tuesday, December 23, 2014 11:44 AM To: af@afmug.com Subject: Re: [AFMUG] North Korea is down.... UDP 1900 is ephemeral port, and a low number. Many network stacks pick ports sequentially above 1025 which means some portion of legitimate traffic is going to be dropped if you block just based on UDP 1900. It will cause intermittent and unpredictable failures for applications and it will likely be very difficult to troubleshoot since the issue will be short lived in most cases. You probably want to consider a more specific filter looking deeper in the packet. Mark On Dec 23, 2014, at 10:06 AM, Ty Featherling via Af <af@afmug.com<mailto:af@afmug.com>> wrote: After seeing suspicious traffic I have dropped UDP port 1900 globally with no ill-effects. I have dropepd over 300 GB of that traffic this month. -Ty On Mon, Dec 22, 2014 at 9:36 PM, Ken Hohhof via Af <af@afmug.com<mailto:af@afmug.com>> wrote: I read somewhere, I think maybe Ars, that the DDoS attack has been going on for several days and is using primarily NTP and SSDP (UPnP discovery protocol) amplification. And that SSDP has succeeded NTP and DNS as the amplification method for big (> 1Gbps) DDoS attacks. Apparently because the industry jumped on securing open NTP servers. And even though SSDP provides less amplification than NTP, there are more targets and they are mostly home routers which consumers are not going to patch even if there is patched firmware available. Plus UDP makes it easier to spoof the source IP. So I must have missed that UDP port 1900 is the new target for amplification. I did a quick torch and saw a bunch of traffic on udp/1900, some inbound only which I assume are scans, some bidirectional which I’m thinking is suspicious but maybe some port 1900 traffic is normal because it is in the >1024 ephemeral port range. I went and signed up for ShadowServer, figuring they will tell me what IPs were responding to SSDP requests on what date and I can track down the customer. Anyone have a better approach? If you identify customers with UPnP open to the outside, are you contacting them and pushing them to fix it? It’s just amazing to me that some routers would have UPnP open on the WAN side. What’s wrong with these companies? I saw DLink mentioned, and sure enough, when I torched for udp/1900, I saw a lot of connections for a customer that I seem to remember has a DLink DIR-655. From: Jaime Solorza via Af<mailto:af@afmug.com> Sent: Monday, December 22, 2014 7:58 PM To: Animal Farm<mailto:af@afmug.com> Subject: Re: [AFMUG] North Korea is down.... linksys modems for backhauls Jaime Solorza Wireless Systems Architect 915-861-1390<tel:915-861-1390> On Mon, Dec 22, 2014 at 2:48 PM, Tyson Burris @ Internet Communications Inc via Af <af@afmug.com<mailto:af@afmug.com>> wrote: No! No! They have Comcast Cable and Century Link DSL. Normal stuff. Tyson Burris, President Internet Communications Inc. 739 Commerce Dr. Franklin, IN 46131 317-738-0320<tel:317-738-0320> Daytime # 317-412-1540<tel:317-412-1540> Cell/Direct # Online: www.surfici.net<http://www.surfici.net/> <image001.png> What can ICI do for you? Broadband Wireless - PtP/PtMP Solutions - WiMax - Mesh Wifi/Hotzones - IP Security - Fiber - Tower - Infrastructure. CONFIDENTIALITY NOTICE: This e-mail is intended for the addressee shown. It contains information that is confidential and protected from disclosure. Any review, dissemination or use of this transmission or its contents by unauthorized organizations or individuals is strictly prohibited. From: Af [mailto:af-boun...@afmug.com<mailto:af-boun...@afmug.com>] On Behalf Of Travis Johnson via Af Sent: Monday, December 22, 2014 4:24 PM To: af@afmug.com<mailto:af@afmug.com> Subject: Re: [AFMUG] North Korea is down.... The FBI setup a P2P server in North Korea with the Sony movie as the only download. LOL Travis On 12/22/2014 2:08 PM, CBB - Jay Fuller via Af wrote: What did we do? Lol. How did we do it ? Sent from my Verizon Wireless 4G LTE Smartphone
