Re: [AFMUG] North Korea is down....

2014-12-22 Thread Travis Johnson via Af
The FBI set up a P2P server in North Korea with the Sony movie as the 
only download. LOL


Travis

On 12/22/2014 2:08 PM, CBB - Jay Fuller via Af wrote:


What did we do? Lol. How did we do it?

Sent from my Verizon Wireless 4G LTE Smartphone





Re: [AFMUG] North Korea is down....

2014-12-22 Thread Tyson Burris @ Internet Communications Inc via Af
No! No! They have Comcast Cable and CenturyLink DSL.  Normal stuff.

 

Tyson Burris, President 
Internet Communications Inc. 
739 Commerce Dr. 
Franklin, IN 46131 
  
317-738-0320 Daytime # 
317-412-1540 Cell/Direct # 
Online: www.surfici.net 

 



What can ICI do for you? 


Broadband Wireless - PtP/PtMP Solutions - WiMax - Mesh Wifi/Hotzones - IP 
Security - Fiber - Tower - Infrastructure. 
  
CONFIDENTIALITY NOTICE: This e-mail is intended for the 
addressee shown. It contains information that is 
confidential and protected from disclosure. Any review, 
dissemination or use of this transmission or its contents by 
unauthorized organizations or individuals is strictly 
prohibited. 

 



Re: [AFMUG] North Korea is down....

2014-12-22 Thread That One Guy via Af
I just last night discovered their national news outlet, KCNA. It reads
like a satire news site. A-Freaking-mazing!

But this morning supposedly South Korea's nuclear program was hacked with a
release of blueprints and employee data. I would bet this is a retaliatory
response, or North Korea is saturating their HughesNet connection
downloading the manuals for the Sony PlayStation and the Roku.



-- 
All parts should go together without forcing. You must remember that the
parts you are reassembling were disassembled by you. Therefore, if you
can't get them together again, there must be a reason. By all means, do not
use a hammer. -- IBM maintenance manual, 1925


Re: [AFMUG] North Korea is down....

2014-12-22 Thread Bill Prince via Af
I have doubts that we had anything to do with it.  They were just saying 
on PBS that the whole country has something like a /22 (1000 IP 
addresses), and they all go through China.  My personal opinion is that 
it's all under China's control, and they would be happy if the rest of 
the world came to the conclusion that this was us.



--
bp







Re: [AFMUG] North Korea is down....

2014-12-22 Thread David Milholen via Af

I like the idea of saturating the theaters with "TEAM AMERICA" : )
I had tears I laughed so hard when I first saw that show.
My last tour the guys were all chanting the theme song to it. When I 
asked about it I got the front row treatment of a portable DVD player 
and a bed sheet for a screen. They used a portable speaker for the 
audio. After it was over I could not stop rollin'. Good times.. good times.





Re: [AFMUG] North Korea is down....

2014-12-22 Thread Jaime Solorza via Af
Linksys modems for backhauls

Jaime Solorza
Wireless Systems Architect
915-861-1390



Re: [AFMUG] North Korea is down....

2014-12-22 Thread Ken Hohhof via Af
I read somewhere, I think maybe Ars, that the DDoS attack has been going on for 
several days and is using primarily NTP and SSDP (UPnP discovery protocol) 
amplification.  And that SSDP has succeeded NTP and DNS as the amplification 
method for big (> 1Gbps) DDoS attacks.  Apparently because the industry jumped 
on securing open NTP servers.  And even though SSDP provides less amplification 
than NTP, there are more targets and they are mostly home routers which 
consumers are not going to patch even if there is patched firmware available.  
Plus UDP makes it easier to spoof the source IP.

So I must have missed that UDP port 1900 is the new target for amplification.

I did a quick torch and saw a bunch of traffic on udp/1900, some inbound only 
which I assume are scans, some bidirectional which I’m thinking is suspicious 
but maybe some port 1900 traffic is normal because it is in the >1024 ephemeral 
port range.

I went and signed up for ShadowServer, figuring they will tell me what IPs were 
responding to SSDP requests on what date and I can track down the customer.  
Anyone have a better approach?  If you identify customers with UPnP open to the 
outside, are you contacting them and pushing them to fix it?

It’s just amazing to me that some routers would have UPnP open on the WAN side. 
What’s wrong with these companies?  I saw D-Link mentioned, and sure enough, 
when I torched for udp/1900, I saw a lot of connections for a customer that I 
seem to remember has a D-Link DIR-655.



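Ken's question above is how to find which customer addresses answer SSDP from their WAN side. The following is an added example, not code from the thread or from ShadowServer: a Python probe that sends the standard M-SEARCH that reflectors are abused with, parses whatever comes back, and reports the amplification factor per address. The customer addresses, the MiniUPnPd banner and the sample reply are constructed for the offline demonstration; only `probe()` touches the network, and it is not run by default.

```python
"""Added example: find customer IPs that answer SSDP on their WAN side.

Not code from the thread.  The M-SEARCH request is the standard UPnP/SSDP
discovery message; SAMPLE_REPLY is constructed to look like a typical home
router answer and is not a capture from any real device.
"""
import socket
from typing import Dict, List, Optional, Tuple

SSDP_PORT = 1900

# The standard UPnP discovery request.  This is exactly what an attacker sends
# with a spoofed source address (the victim's); every device that answers it
# on its WAN side becomes a reflector.  It is 94 bytes long.
MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 1\r\n"
    "ST: ssdp:all\r\n"
    "\r\n"
).encode("ascii")

# Constructed sample reply (not a real capture): the shape of a home router
# answering "ssdp:all" through MiniUPnPd.  A real device sends one such
# datagram per advertised service, which is where the amplification comes from.
SAMPLE_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "EXT:\r\n"
    "LOCATION: http://192.0.2.1:49152/rootDesc.xml\r\n"
    "SERVER: Linux/2.6 UPnP/1.0 MiniUPnPd/1.4\r\n"
    "ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000000::"
    "urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    "\r\n"
).encode("ascii")


def parse_ssdp_response(payload: bytes) -> Optional[Dict[str, str]]:
    """Return the headers of an SSDP '200 OK' reply, or None for anything else."""
    text = payload.decode("iso-8859-1")          # never raises; SSDP is ASCII anyway
    lines = text.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200 OK"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if line == "":                            # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def amplification_factor(replies: List[bytes], request: bytes = MSEARCH) -> float:
    """UDP payload bytes the victim receives per payload byte the attacker sends."""
    return sum(len(r) for r in replies) / len(request)


def summarize(ip: str, replies: List[bytes]) -> Optional[Tuple[str, str, int, float]]:
    """(ip, SERVER banner, number of SSDP replies, amplification) for an open
    responder; None if nothing that came back was an SSDP reply."""
    parsed = [h for h in (parse_ssdp_response(r) for r in replies) if h is not None]
    if not parsed:
        return None
    return ip, parsed[0].get("SERVER", "?"), len(parsed), amplification_factor(replies)


def probe(ip: str, timeout: float = 2.0) -> List[bytes]:
    """Send one unicast M-SEARCH to ip:1900 and collect every datagram that comes
    back within the timeout.  Point this only at address space you operate; it
    is deliberately not called by the offline demonstration below."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    replies: List[bytes] = []
    try:
        sock.sendto(MSEARCH, (ip, SSDP_PORT))
        while True:                               # keep reading until the responder goes quiet
            data, _ = sock.recvfrom(65535)
            replies.append(data)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return replies


if __name__ == "__main__":
    # Offline demonstration: the constructed reply stands in for a probe result.
    # Swap in probe("203.0.113.7") when running against a customer address you manage.
    for customer_ip, replies in {"203.0.113.7": [SAMPLE_REPLY] * 3, "203.0.113.8": []}.items():
        result = summarize(customer_ip, replies)
        if result is None:
            print(f"{customer_ip}: no SSDP reply (good)")
        else:
            ip, server, n, amp = result
            print(f"{ip}: OPEN SSDP, {server}, {n} replies, {amp:.1f}x amplification")
```

The SERVER banner is the quickest way to tie a responder to a router model when the subscriber record does not say what CPE is installed; the amplification figure is what makes the case to the customer, since a single 94-byte request producing several 290-byte replies is exactly the ratio an attacker is buying.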


Re: [AFMUG] North Korea is down....

2014-12-23 Thread Ty Featherling via Af
After seeing suspicious traffic I have dropped UDP port 1900 globally with
no ill effects. I have dropped over 300 GB of that traffic this month.

-Ty



Re: [AFMUG] North Korea is down....

2014-12-23 Thread Ken Hohhof via Af
I guess it could be treated like 137/138/139/445, which do not belong on the 
public Internet. I would feel better about blocking if it was a low-numbered 
port.

Are you blocking it inbound to your network, or also outbound?





Re: [AFMUG] North Korea is down....

2014-12-23 Thread Ty Featherling via Af
Both. I'm rate-limiting SNMP and DNS for DDoS reasons as well.

-Ty



Re: [AFMUG] North Korea is down....

2014-12-23 Thread Bill Prince via Af

We've seen at least a couple of the port 1900 attacks.

I also notice that there are fresh ntp updates in CentOS.

--
bp




Re: [AFMUG] North Korea is down....

2014-12-23 Thread Mark Radabaugh via Af
UDP 1900 is an ephemeral port, and a low-numbered one.

Many network stacks pick ports sequentially above 1025, which means some portion 
of legitimate traffic is going to be dropped if you block just based on UDP 
1900. It will cause intermittent and unpredictable failures for applications, 
and it will likely be very difficult to troubleshoot since the issue will be 
short-lived in most cases.

You probably want to consider a more specific filter looking deeper in the 
packet.

Mark







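Mark's point is that matching on the port number alone also catches legitimate traffic that merely landed on 1900 as an ephemeral port. An added example, not from the thread: the check a payload-aware filter performs, written in Python over a handful of constructed datagrams (the direction labels, the port numbers and the DNS bytes are assumptions of the example), so the difference from a blanket udp/1900 drop is visible.

```python
"""Added example: classify udp/1900 datagrams by payload instead of by port.

Not code from the thread.  All sample datagrams are constructed.  Direction is
an assumption of this example: 'in' = arriving from the Internet toward a
customer, 'out' = leaving a customer toward the Internet.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SSDP_PORT = 1900


@dataclass(frozen=True)
class Datagram:
    """One UDP datagram as seen at the ISP edge."""
    direction: str
    src_port: int
    dst_port: int
    payload: bytes


def ssdp_kind(payload: bytes) -> str:
    """Classify by payload.  SSDP is HTTP-over-UDP, so the request line or
    status line at the start of the datagram identifies it regardless of port."""
    head = payload[:24].upper()
    if head.startswith(b"M-SEARCH * HTTP/1.1"):
        return "msearch"
    if head.startswith(b"NOTIFY * HTTP/1.1"):
        return "notify"
    if head.startswith(b"HTTP/1.1 200 OK") and b"\r\nST:" in payload.upper():
        return "response"
    return "not-ssdp"


def verdict(d: Datagram) -> Tuple[str, str]:
    """(action, reason).  Only datagrams whose payload really is SSDP get dropped;
    anything else that merely uses 1900 as an ephemeral port passes through."""
    kind = ssdp_kind(d.payload)
    if kind == "not-ssdp":
        return "accept", "port 1900 in use as an ephemeral port; payload is not SSDP"
    if kind == "msearch" and d.direction == "in" and d.dst_port == SSDP_PORT:
        return "drop", "SSDP discovery arriving from the Internet: scan or spoofed reflection trigger"
    if kind == "response" and d.direction == "out" and d.src_port == SSDP_PORT:
        return "drop", "SSDP reply leaving for the Internet: this customer is an open responder"
    if kind == "response" and d.direction == "in" and d.src_port == SSDP_PORT:
        return "drop", "reflected SSDP reply arriving from the Internet: this customer is the victim"
    if kind == "notify":
        return "drop", "SSDP NOTIFY is link-local multicast traffic and should never cross the WAN"
    return "accept", f"SSDP {kind} in an unusual direction; pass but log for review"


# Constructed sample payloads (not captures).
MSEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           b'MAN: "ssdp:discover"\r\nMX: 1\r\nST: ssdp:all\r\n\r\n')
SSDP_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nEXT:\r\n"
              b"LOCATION: http://192.0.2.1:49152/rootDesc.xml\r\n"
              b"SERVER: Linux/2.6 UPnP/1.0 MiniUPnPd/1.4\r\n"
              b"ST: upnp:rootdevice\r\nUSN: uuid:0000::upnp:rootdevice\r\n\r\n")
# A DNS query for example.com (id 0x1234, flags 0x0100, one question) and the
# matching answer (flags 0x8180, A record); the client's ephemeral port is 1900.
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x07example\x03com\x00\x00\x01\x00\x01")
DNS_ANSWER = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
              b"\x07example\x03com\x00\x00\x01\x00\x01"
              b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22")

SAMPLE_TRAFFIC: List[Datagram] = [
    Datagram("in",  40001, 1900,  MSEARCH),     # scanner / spoofed trigger hitting a customer
    Datagram("out", 1900,  40001, SSDP_REPLY),  # customer's router answering on its WAN side
    Datagram("in",  1900,  3074,  SSDP_REPLY),  # amplified reply flooding a customer (victim)
    Datagram("out", 1900,  53,    DNS_QUERY),   # legitimate DNS query from ephemeral port 1900
    Datagram("in",  53,    1900,  DNS_ANSWER),  # its answer; a blanket port rule kills this
]


def classify(traffic: List[Datagram]) -> List[Tuple[Datagram, str, str]]:
    return [(d, *verdict(d)) for d in traffic]


def action_counts(traffic: List[Datagram]) -> Dict[str, int]:
    """How many datagrams get each action; a blanket 'drop udp/1900' rule would
    drop every one of them, including the DNS exchange."""
    counts: Dict[str, int] = {"accept": 0, "drop": 0}
    for _, action, _ in classify(traffic):
        counts[action] += 1
    return counts


if __name__ == "__main__":
    for d, action, reason in classify(SAMPLE_TRAFFIC):
        print(f"{action:6} {d.direction:3} {d.src_port:5}->{d.dst_port:<5} {reason}")
    print(action_counts(SAMPLE_TRAFFIC), "versus a blanket port rule dropping all", len(SAMPLE_TRAFFIC))
```

On a MikroTik edge the same check is a filter rule that adds `content="M-SEARCH"` (or `content="HTTP/1.1 200 OK"` for the outbound replies) to the `protocol=udp dst-port=1900` match; on Linux, iptables offers `-m string --string "M-SEARCH" --algo bm` for the same purpose. Either way the rule only fires on real SSDP and leaves the DNS exchange in the sample alone, which is the failure Mark is warning about.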

Re: [AFMUG] North Korea is down....

2014-12-23 Thread Ty Featherling via Af
I understand. Thanks.

-Ty

On Tue, Dec 23, 2014 at 10:43 AM, Mark Radabaugh via Af 
wrote:
>
> UDP 1900 is ephemeral port, and a low number.
>
> Many network stacks pick ports sequentially above 1025 which means some
> portion of legitimate traffic is going to be dropped if you block just
> based on UDP 1900.   It will cause intermittent and unpredictable failures
> for applications and it will likely be very difficult to troubleshoot since
> the issue will be short lived in most cases.
>
> You probably want to consider a more specific filter looking deeper in the
> packet.
>
> Mark
>
>
>
>
>
> On Dec 23, 2014, at 10:06 AM, Ty Featherling via Af  wrote:
>
> After seeing suspicious traffic I have dropped UDP port 1900 globally with
> no ill-effects. I have dropepd over 300 GB of that traffic this month.
>
> -Ty
>
> On Mon, Dec 22, 2014 at 9:36 PM, Ken Hohhof via Af  wrote:
>>
>>   I read somewhere, I think maybe Ars, that the DDoS attack has been
>> going on for several days and is using primarily NTP and SSDP (UPnP
>> discovery protocol) amplification.  And that SSDP has succeeded NTP and DNS
>> as the amplification method for big (> 1Gbps) DDoS attacks.  Apparently
>> because the industry jumped on securing open NTP servers.  And even though
>> SSDP provides less amplification than NTP, there are more targets and they
>> are mostly home routers which consumers are not going to patch even if
>> there is patched firmware available.  Plus UDP makes it easier to spoof the
>> source IP.
>>
>> So I must have missed that UDP port 1900 is the new target for
>> amplification.
>>
>> I did a quick torch and saw a bunch of traffic on udp/1900, some inbound
>> only which I assume are scans, some bidirectional which I’m thinking is
>> suspicious but maybe some port 1900 traffic is normal because it is in the
>> >1024 ephemeral port range.
>>
>> I went and signed up for ShadowServer, figuring they will tell me what
>> IPs were responding to SSDP requests on what date and I can track down the
>> customer.  Anyone have a better approach?  If you identify customers with
>> UPnP open to the outside, are you contacting them and pushing them to fix
>> it?
>>
>> It’s just amazing to me that some routers would have UPnP open on the WAN
>> side.  What’s wrong with these companies?  I saw DLink mentioned, and sure
>> enough, when I torched for udp/1900, I saw a lot of connections for a
>> customer that I seem to remember has a DLink DIR-655.
>
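One way to do the "more specific filter looking deeper in the packet" that Mark suggests, and at the same time answer Ken's question of which customers are answering SSDP toward the outside, as an added example that is not code from this thread and not a MikroTik or ShadowServer feature: classify each udp/1900 datagram by its payload (SSDP is HTTP-over-UDP, so a probe starts with `M-SEARCH * HTTP/1.1` and a reply with `HTTP/1.1 200 OK` plus `ST:`/`USN:` headers) instead of by port number alone. The customer range 192.0.2.0/24 and all sample datagrams are constructed from documentation address space for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed for this example: the ISP's customer address space.
# 192.0.2.0/24 is a documentation range, not anyone's real subscribers.
CUSTOMER_NETS = [ip_network("192.0.2.0/24")]
SSDP_PORT = 1900


@dataclass
class Datagram:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def parse_ssdp(payload: bytes) -> Optional[Dict[str, str]]:
    """Parse an SSDP (HTTP-over-UDP) header block.

    Returns the start line under "_start" plus lowercased headers, or None
    when the payload is not an ASCII HTTP-style message at all.
    """
    try:
        text = payload[:512].decode("ascii")
    except UnicodeDecodeError:
        return None
    start, sep, rest = text.partition("\r\n")
    if not sep:
        return None
    msg = {"_start": start}
    for line in rest.split("\r\n"):
        if not line:            # blank line ends the header block
            break
        name, colon, value = line.partition(":")
        if colon:
            msg[name.strip().lower()] = value.strip()
    return msg


def ssdp_kind(payload: bytes) -> Optional[str]:
    """Classify a payload as 'search', 'notify', 'response', or None (not SSDP)."""
    msg = parse_ssdp(payload)
    if msg is None:
        return None
    start = msg["_start"]
    if start == "M-SEARCH * HTTP/1.1":
        return "search"
    if start == "NOTIFY * HTTP/1.1":
        return "notify"
    # A bare 200 OK could be any HTTP-over-UDP chatter; require an SSDP header too.
    if start.startswith("HTTP/1.1 200 OK") and ("st" in msg or "usn" in msg):
        return "response"
    return None


def is_customer(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in CUSTOMER_NETS)


def verdict(d: Datagram) -> str:
    """Decide what an edge filter should do with one datagram.

    'pass' : not SSDP (e.g. an application that happened to pick 1900 as its
             ephemeral port), or SSDP that stays on the customer side
    'drop' : M-SEARCH arriving from outside toward a customer on udp/1900,
             i.e. the probe that a WAN-exposed router would reflect
    'flag' : SSDP response leaving a customer toward the outside, i.e. that
             customer's router answers discovery on its WAN interface
    """
    kind = ssdp_kind(d.payload)
    if kind is None:
        return "pass"
    inbound = is_customer(d.dst) and not is_customer(d.src)
    outbound = is_customer(d.src) and not is_customer(d.dst)
    if kind == "search" and inbound and d.dport == SSDP_PORT:
        return "drop"
    if kind == "response" and outbound:
        return "flag"
    return "pass"


def open_upnp_customers(datagrams: List[Datagram]) -> List[str]:
    """Customer addresses seen answering SSDP toward the outside, sorted."""
    return sorted({d.src for d in datagrams if verdict(d) == "flag"})


# Constructed sample traffic; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
MSEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           b"MAN: \"ssdp:discover\"\r\nMX: 1\r\nST: ssdp:all\r\n\r\n")
SSDP_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
              b"ST: upnp:rootdevice\r\nUSN: uuid:example::upnp:rootdevice\r\n"
              b"LOCATION: http://192.0.2.10:49152/rootDesc.xml\r\n\r\n")
NOTIFY = b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNTS: ssdp:alive\r\n\r\n"
DNS_LIKE = (b"\xab\xcd\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
            b"\x07example\x03com\x00\x00\x01\x00\x01")

SAMPLE = [
    Datagram("203.0.113.7", 4444, "192.0.2.10", 1900, MSEARCH),      # probe from outside
    Datagram("192.0.2.10", 1900, "203.0.113.7", 4444, SSDP_REPLY),   # customer answers it on WAN
    Datagram("192.0.2.20", 1900, "198.51.100.53", 53, DNS_LIKE),     # DNS query that drew sport 1900
    Datagram("192.0.2.30", 1900, "239.255.255.250", 1900, NOTIFY),   # LAN advertisement, harmless
    Datagram("198.51.100.8", 1900, "192.0.2.20", 40000,
             b"HTTP/1.1 200 OK\r\nServer: x\r\n\r\n"),               # 200 OK without SSDP headers
]

if __name__ == "__main__":
    for d in SAMPLE:
        print(f"{d.src}:{d.sport} -> {d.dst}:{d.dport}  {verdict(d)}")
    print("customers answering SSDP on the WAN side:", open_upnp_customers(SAMPLE))
```

The third datagram is the case Mark is warning about: a perfectly ordinary query that happened to draw 1900 as its ephemeral source port passes, because the payload is not SSDP, whereas a port-only drop would have eaten it. The "flag" list is the same thing a ShadowServer report would tell you, except produced from your own edge.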


Re: [AFMUG] North Korea is down....

2014-12-23 Thread That One Guy via Af
So when we get our MikroTiks on the edge of our network, we will be able to
easily do this magic blocking too?

On Tue, Dec 23, 2014 at 10:43 AM, Mark Radabaugh via Af 
wrote:
>
> UDP 1900 is an ephemeral port, and a low number.
>
> Many network stacks pick ports sequentially above 1025 which means some
> portion of legitimate traffic is going to be dropped if you block just
> based on UDP 1900.   It will cause intermittent and unpredictable failures
> for applications and it will likely be very difficult to troubleshoot since
> the issue will be short lived in most cases.
>
> You probably want to consider a more specific filter looking deeper in the
> packet.
>
> Mark
>

-- 
All parts should go together without forcing. You must remember that the
parts you are reassembling were disassembled by you. Therefore, if you
can't get them together again, there must be a reason. By all means, do not
use a hammer. -- IBM maintenance manual, 1925


Re: [AFMUG] North Korea is down....

2014-12-23 Thread Paul McCall via Af
We have blocked 1900 UDP for many years and never have “seen” any side effects 
from that

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Mark Radabaugh via Af
Sent: Tuesday, December 23, 2014 11:44 AM
To: af@afmug.com
Subject: Re: [AFMUG] North Korea is down

UDP 1900 is an ephemeral port, and a low number.

Many network stacks pick ports sequentially above 1025 which means some portion 
of legitimate traffic is going to be dropped if you block just based on UDP 
1900.   It will cause intermittent and unpredictable failures for applications 
and it will likely be very difficult to troubleshoot since the issue will be 
short lived in most cases.

You probably want to consider a more specific filter looking deeper in the 
packet.

Mark






Re: [AFMUG] North Korea is down....

2014-12-23 Thread Ty Featherling via Af
Yes Steve. It is easy.

-Ty

On Tue, Dec 23, 2014 at 11:18 AM, That One Guy via Af  wrote:
>
> So when we get our mikrotiks on the edge of our network we will be able to
> easily do this magic blocking too?
>


Re: [AFMUG] North Korea is down....

2014-12-23 Thread That One Guy via Af
I'm going to be sysadmin for a real ISP sometime soon, sweet! I'm getting me
a captain's hat, a parrot and a peg leg.

On Tue, Dec 23, 2014 at 2:42 PM, Ty Featherling via Af  wrote:
>
> Yes Steve. It is easy.
>
> -Ty