[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Thank you, Comcast.

Subject: Thank you, Comcast.
From: rdobbins at arbor.net (Roland Dobbins)
Date: Fri, 26 Feb 2016 23:51:57 +0700
In-reply-to: <[email protected]>
References: <[email protected]> <[email protected]> <D2F5D3C1.129888%[email protected]> <[email protected]>

On 26 Feb 2016, at 23:44, Blake Hudson wrote:

> Jason, how do you propose to block SSDP without also blocking 
> legitimate traffic as well (since SSDP uses a port > 1024 and is used 
> as part of the ephemeral port range on some devices) ?

I'm not Jason, but blocking specific port-pairs such as UDP/80 ---> 
UDP/1900 and UDP/443 ---> UDP/1900 solves close to 90% of the problem, 
as UDP/80 and UDP/443 are the most common destination ports leveraged in 
this type of attack.

For an explanation of how UDP reflection/amplification attacks work, see 
this .pdf preso:

<https://app.box.com/s/r7an1moswtc7ce58f8gg>

-----------------------------------
Roland Dobbins <rdobbins at arbor.net>

References:
- Thank you, Comcast.
  - From: mcole.mailinglists at gmail.com (Maxwell Cole)
- Thank you, Comcast.
  - From: kmedcalf at dessus.com (Keith Medcalf)
- Thank you, Comcast.
  - From: Jason_Livingood at comcast.com (Livingood, Jason)
- Thank you, Comcast.
  - From: blake at ispn.net (Blake Hudson)

Prev by Date: Thank you, Comcast.
Next by Date: Thank you, Comcast.
Previous by thread: Thank you, Comcast.
Next by thread: Thank you, Comcast.
Index(es):
- Date
- Thread