Yes Steve. It is easy.

-Ty

On Tue, Dec 23, 2014 at 11:18 AM, That One Guy via Af <af@afmug.com> wrote:
>
> So when we get our mikrotiks on the edge of our network we will be able to
> easily do this magic blocking too?
>
> On Tue, Dec 23, 2014 at 10:43 AM, Mark Radabaugh via Af <af@afmug.com>
> wrote:
>>
>> UDP 1900 is an ephemeral port, and a low number.
>>
>> Many network stacks pick ports sequentially above 1025 which means some
>> portion of legitimate traffic is going to be dropped if you block just
>> based on UDP 1900.   It will cause intermittent and unpredictable failures
>> for applications and it will likely be very difficult to troubleshoot since
>> the issue will be short lived in most cases.
>>
>> You probably want to consider a more specific filter looking deeper in
>> the packet.
>>
>> Mark
>>
>>
>>
>>
>>
>> On Dec 23, 2014, at 10:06 AM, Ty Featherling via Af <af@afmug.com> wrote:
>>
>> After seeing suspicious traffic I have dropped UDP port 1900 globally
>> with no ill-effects. I have dropped over 300 GB of that traffic this month.
>>
>> -Ty
>>
>> On Mon, Dec 22, 2014 at 9:36 PM, Ken Hohhof via Af <af@afmug.com> wrote:
>>>
>>>   I read somewhere, I think maybe Ars, that the DDoS attack has been
>>> going on for several days and is using primarily NTP and SSDP (UPnP
>>> discovery protocol) amplification.  And that SSDP has succeeded NTP and DNS
>>> as the amplification method for big (> 1Gbps) DDoS attacks.  Apparently
>>> because the industry jumped on securing open NTP servers.  And even though
>>> SSDP provides less amplification than NTP, there are more targets and they
>>> are mostly home routers which consumers are not going to patch even if
>>> there is patched firmware available.  Plus UDP makes it easier to spoof the
>>> source IP.
>>>
>>> So I must have missed that UDP port 1900 is the new target for
>>> amplification.
>>>
>>> I did a quick torch and saw a bunch of traffic on udp/1900, some inbound
>>> only which I assume are scans, some bidirectional which I’m thinking is
>>> suspicious but maybe some port 1900 traffic is normal because it is in the
>>> >1024 ephemeral port range.
>>>
>>> I went and signed up for ShadowServer, figuring they will tell me what
>>> IPs were responding to SSDP requests on what date and I can track down the
>>> customer.  Anyone have a better approach?  If you identify customers with
>>> UPnP open to the outside, are you contacting them and pushing them to fix
>>> it?
>>>
>>> It’s just amazing to me that some routers would have UPnP open on the
>>> WAN side.  What’s wrong with these companies?  I saw DLink mentioned, and
>>> sure enough, when I torched for udp/1900, I saw a lot of connections for a
>>> customer that I seem to remember has a DLink DIR-655.
>>>
>>>
>>>  *From:* Jaime Solorza via Af <af@afmug.com>
>>> *Sent:* Monday, December 22, 2014 7:58 PM
>>> *To:* Animal Farm <af@afmug.com>
>>> *Subject:* Re: [AFMUG] North Korea is down....
>>>
>>>  linksys modems for backhauls
>>>
>>>  Jaime Solorza
>>> Wireless Systems Architect
>>> 915-861-1390
>>>
>>> On Mon, Dec 22, 2014 at 2:48 PM, Tyson Burris @ Internet Communications
>>> Inc via Af <af@afmug.com> wrote:
>>>
>>>>  No! No! They have Comcast Cable and Century Link DSL.  Normal stuff.
>>>>
>>>>
>>>> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Travis Johnson
>>>> via Af
>>>> *Sent:* Monday, December 22, 2014 4:24 PM
>>>> *To:* af@afmug.com
>>>> *Subject:* Re: [AFMUG] North Korea is down....
>>>>
>>>>
>>>>
>>>> The FBI setup a P2P server in North Korea with the Sony movie as the
>>>> only download. LOL
>>>>
>>>> Travis
>>>>
>>>> On 12/22/2014 2:08 PM, CBB - Jay Fuller via Af wrote:
>>>>
>>>>
>>>> What did we do? Lol. How did we do it ?
>>>>
>>>
>>>
>>
>>
>
> --
> All parts should go together without forcing. You must remember that the
> parts you are reassembling were disassembled by you. Therefore, if you
> can't get them together again, there must be a reason. By all means, do not
> use a hammer. -- IBM maintenance manual, 1925
>
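
One way to see the difference Mark describes between dropping UDP 1900 outright and filtering on what is actually in the packet, as an added Python example that is not from this thread. Every datagram in it is constructed, including a DNS query whose stack happened to choose source port 1900, the legitimate-traffic case the port-only rule would break.

```python
# Payload-aware SSDP filter vs. a bare "drop UDP 1900" rule. Added example,
# not from the thread; all datagrams below are constructed.
from dataclasses import dataclass

SSDP_START_LINES = (b"M-SEARCH * HTTP/1.1", b"NOTIFY * HTTP/1.1", b"HTTP/1.1 200 OK")
SSDP_HEADERS = {b"st", b"usn", b"nt", b"man"}  # header names only SSDP uses

@dataclass
class Datagram:
    src_port: int
    dst_port: int
    payload: bytes

def is_ssdp(payload: bytes) -> bool:
    """True only if the payload is SSDP: an SSDP start line plus SSDP headers."""
    start, _, rest = payload.partition(b"\r\n")
    if start not in SSDP_START_LINES:
        return False
    names = {line.partition(b":")[0].strip().lower()
             for line in rest.split(b"\r\n") if b":" in line}
    return bool(names & SSDP_HEADERS)

def classify(dg: Datagram) -> str:
    """'ssdp-request' (discovery probe), 'ssdp-response' (a device answering),
    'port-1900-other' (ephemeral-port collision, keep it), or 'other'."""
    if 1900 not in (dg.src_port, dg.dst_port):
        return "other"
    if not is_ssdp(dg.payload):
        return "port-1900-other"
    return "ssdp-response" if dg.payload.startswith(b"HTTP/1.1") else "ssdp-request"

def compare_policies(datagrams) -> dict:
    """How many datagrams each policy drops: port match alone vs. payload check."""
    port_only = sum(1900 in (d.src_port, d.dst_port) for d in datagrams)
    payload_aware = sum(classify(d).startswith("ssdp-") for d in datagrams)
    return {"port_only": port_only, "payload_aware": payload_aware}

# Constructed samples: a discovery probe, a device's reply, a DNS query whose
# stack happened to pick source port 1900, and unrelated TLS traffic.
MSEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           b"MAN: \"ssdp:discover\"\r\nMX: 1\r\nST: ssdp:all\r\n\r\n")
REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nST: upnp:rootdevice\r\n"
         b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n\r\n")
DNS_QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"
SAMPLES = [Datagram(54321, 1900, MSEARCH), Datagram(1900, 54321, REPLY),
           Datagram(1900, 53, DNS_QUERY), Datagram(40000, 443, b"\x16\x03\x01")]

if __name__ == "__main__":
    print([classify(d) for d in SAMPLES], compare_policies(SAMPLES))
```

The port-only rule drops all three datagrams touching port 1900, the DNS query included; the payload check drops only the two that are really SSDP.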
