Block SSDP and move on. SSDP is a horrible DDoS vector.

Comcast and many others already block it, because it is the smart and best thing to do: https://www.xfinity.com/support/articles/list-of-blocked-ports

On Mon, Mar 25, 2019 at 1:30 AM marcel.duregards--- via NANOG <nanog@nanog.org> wrote:

> Dear Community,
>
> We see more and more SSDP 'scans' in our network (coming from outside into our AS). Of course our clients have open vulnerable boxes (the last one is an enterprise-class Synology with all default ports open :-)) which could be used as a reflecting SSDP client.
>
> As SSDP is used with PnP for local LAN service discovery, we are thinking of:
>
> 1) educating our clients (takes a lot of time)
> 2) filtering incoming SSDP packets (UDP port 1900 at least) at our BGP border
>
> We see option 2 as a good action to remove our autonomous system from the potential sources of SSDP DDoS toward the Internet.
> Of course this might (very little chance) open other problems with clients which use this port as an obfuscation port, but anyhow it would not be a good idea as it is a registered IANA port.
> We could think of filtering incoming port 5000 (UPnP) as well, but it is the default port that Synology decided to use (WHY???? so many trojans use this) for the DSM login into the UI.
>
> What do you think?
>
> Thanks, best regards,
>
> --
> Marcel
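The thread proposes filtering UDP/1900 at the border; before (or alongside) that, an operator usually wants to know which customer hosts are actually answering M-SEARCH from outside. The following added example (not code from the thread or from any poster) walks constructed NetFlow-style records and flags external IPs that receive SSDP replies from several internal hosts with a high byte amplification, which is the reflection pattern Marcel describes. The record layout, the 198.51.100.0/24 "customer" prefix and the thresholds are assumptions for illustration.

```python
"""Spot SSDP reflection in flow records (added example; layout and thresholds assumed)."""
from collections import defaultdict

# Constructed sample flows: (proto, src_ip, src_port, dst_ip, dst_port, bytes).
# 198.51.100.0/24 plays the customer AS; 203.0.113.0/24 is the outside world.
FLOWS = [
    # Inbound M-SEARCH triggers: small packets, one (spoofed) source, many internal hosts
    ("udp", "203.0.113.9", 41000, "198.51.100.10", 1900, 120),
    ("udp", "203.0.113.9", 41000, "198.51.100.11", 1900, 120),
    ("udp", "203.0.113.9", 41000, "198.51.100.12", 1900, 120),
    # Outbound replies from customer boxes, all aimed at the same external address
    ("udp", "198.51.100.10", 1900, "203.0.113.9", 41000, 3600),
    ("udp", "198.51.100.11", 1900, "203.0.113.9", 41000, 3400),
    ("udp", "198.51.100.12", 1900, "203.0.113.9", 41000, 3500),
    # Unrelated benign traffic that must not be flagged
    ("udp", "198.51.100.20", 53, "203.0.113.50", 5353, 200),
    ("tcp", "203.0.113.50", 443, "198.51.100.20", 55000, 1500),
]

def in_prefix(ip, prefix="198.51.100."):
    """Toy prefix match for the assumed /24 customer range."""
    return ip.startswith(prefix)

def ssdp_reflection_report(flows, min_reflectors=2, min_amplification=10.0):
    """Per external IP: bytes of inbound UDP/1900 triggers vs. outbound UDP/1900 replies.

    Flags addresses that are answered by >= min_reflectors internal hosts with a
    reply/trigger byte ratio >= min_amplification (the flagged IP is the likely victim).
    """
    trig_bytes = defaultdict(int)
    reply_bytes = defaultdict(int)
    reflectors = defaultdict(set)
    for proto, sip, sport, dip, dport, nbytes in flows:
        if proto != "udp":
            continue
        if dport == 1900 and not in_prefix(sip) and in_prefix(dip):
            trig_bytes[sip] += nbytes            # inbound trigger toward a customer host
        elif sport == 1900 and in_prefix(sip) and not in_prefix(dip):
            reply_bytes[dip] += nbytes           # outbound reflected reply
            reflectors[dip].add(sip)             # the customer host doing the reflecting
    report = {}
    for ext, rb in reply_bytes.items():
        amp = rb / max(trig_bytes.get(ext, 0), 1)
        if len(reflectors[ext]) >= min_reflectors and amp >= min_amplification:
            report[ext] = {"reflectors": sorted(reflectors[ext]),
                           "reply_bytes": rb, "amplification": round(amp, 1)}
    return report

if __name__ == "__main__":
    for victim, info in ssdp_reflection_report(FLOWS).items():
        print(victim, info)
```

The `reflectors` list is the set of customer hosts worth contacting under option 1, while a non-empty report on live data is the evidence for option 2.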