Livingood, Jason wrote on 2/26/2016 1:32 PM:
On 2/26/16, 11:44 AM, "Blake Hudson" <bl...@ispn.net> wrote:
Jason, how do you propose to block SSDP without also blocking
legitimate traffic as well (since SSDP uses a port > 1024 and is
used as part of the ephemeral port range on some devices)?
As Roland suggested, very likely via UDP/1900. This will obviously be
disclosed in advance to customers and tested thoroughly. I believe a
few other ISPs have already taken this step.
And is this practice /Open Internet/ friendly?
Port blocking is considered a form of reasonable network management
provided it can be justified by security or operational stability
reasons. Of course it must also be transparently disclosed and so on.
Jason
The difference in blocking any of the existing ports on your list and
blocking UDP/1900 is that the ports on your list are all registered
ports. Port 1900 is not registered - a host may use port 1900 when
making an outbound connection to another host (lookup ephemeral port
range for more info) regardless of whether either host is using or
running an SSDP server. A block on port 1900 will result in blocking
legitimate customer traffic if the customer's device happened to select
port 1900 as part of its ephemeral port range.
To my knowledge, a current Windows, Linux, or Apple device will not use
port 1900 as part of its ephemeral port range, but Wikipedia suggests XP
and older Windows operating systems will and I know that many NAT
routers will (which affects all clients behind that NAT router,
regardless of their OS). I have no idea what popular mobile clients use
for their ephemeral port ranges. I imagine the NAT routers will be the most
common actors using ports outside of the IANA-suggested ephemeral port
range. Do you suggest that it is "reasonable network management" that
users behind a NAT router have their 876th (1900 - 1024) UDP connection
attempt blocked?
--Blake
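The collateral-damage mechanism argued over above, as an added model that is not part of the thread: an ISP-side filter that drops inbound UDP with destination port 1900, and a NAT router whose outbound source ports come sequentially from its ephemeral range. The filter rule, the sequential allocator and the IANA/legacy range values are assumptions constructed for the example (the legacy range counts 1900 - 1024 = 876 ports above the low end, one-based here).

```python
"""Constructed model of an ISP UDP/1900 block versus NAT ephemeral ports.

Assumed filter: drop any UDP datagram heading toward the customer whose
destination port is 1900 (the direction an SSDP reflector is reached on).
Assumed allocator: the NAT router hands out source ports sequentially from
the low end of its ephemeral range, wrapping at the top.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

SSDP_PORT = 1900
IANA_RANGE = (49152, 65535)   # IANA-suggested dynamic/private range
LEGACY_RANGE = (1024, 65535)  # range some NAT routers and older Windows use


@dataclass(frozen=True)
class Datagram:
    proto: str      # "udp" or "tcp"
    src_port: int
    dst_port: int
    inbound: bool   # True when travelling from the Internet to the customer


def dropped_by_ssdp_block(pkt: Datagram) -> bool:
    """Assumed ISP rule: drop UDP arriving at the customer on dst port 1900."""
    return pkt.proto == "udp" and pkt.inbound and pkt.dst_port == SSDP_PORT


def next_ephemeral(ephemeral: Tuple[int, int], n: int) -> int:
    """Sequential allocator: the n-th (1-based) connection gets lo + n - 1."""
    lo, hi = ephemeral
    return lo + (n - 1) % (hi - lo + 1)


def reply_dropped_for_connection(ephemeral: Tuple[int, int], n: int) -> bool:
    """Does the n-th outbound UDP query (here to DNS, port 53) lose its reply?"""
    sport = next_ephemeral(ephemeral, n)
    reply = Datagram("udp", src_port=53, dst_port=sport, inbound=True)
    return dropped_by_ssdp_block(reply)


def first_blocked_connection(ephemeral: Tuple[int, int]) -> Optional[int]:
    """1-based index of the first flow whose reply is dropped, or None."""
    lo, hi = ephemeral
    return SSDP_PORT - lo + 1 if lo <= SSDP_PORT <= hi else None


def random_allocation_loss_rate(ephemeral: Tuple[int, int]) -> float:
    """Share of UDP flows losing replies if ports were chosen uniformly."""
    lo, hi = ephemeral
    return 1 / (hi - lo + 1) if lo <= SSDP_PORT <= hi else 0.0
```

With the IANA range no flow is affected; with the legacy range the 877th sequential connection (source port 1900) loses its reply, and uniform allocation loses roughly one flow in 64512.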