Both. I'm rate-limiting SNMP and DNS for DDoS reasons as well.

-Ty

On Tue, Dec 23, 2014 at 9:19 AM, Ken Hohhof via Af <[email protected]> wrote:
>
> I guess it could be treated like 137/138/139/445 which do not belong on
> the public Internet, I would feel better about blocking if it was a low
> numbered port.
>
> Are you blocking it inbound to your network, or also outbound?
>
> From: Ty Featherling via Af <[email protected]>
> Sent: Tuesday, December 23, 2014 9:06 AM
> To: [email protected]
> Subject: Re: [AFMUG] North Korea is down....
>
> After seeing suspicious traffic I have dropped UDP port 1900 globally
> with no ill-effects. I have dropped over 300 GB of that traffic this month.
>
> -Ty
>
> On Mon, Dec 22, 2014 at 9:36 PM, Ken Hohhof via Af <[email protected]> wrote:
>
>> I read somewhere, I think maybe Ars, that the DDoS attack has been
>> going on for several days and is using primarily NTP and SSDP (UPnP
>> discovery protocol) amplification. And that SSDP has succeeded NTP and DNS
>> as the amplification method for big (> 1Gbps) DDoS attacks. Apparently
>> because the industry jumped on securing open NTP servers. And even though
>> SSDP provides less amplification than NTP, there are more targets and they
>> are mostly home routers which consumers are not going to patch even if
>> there is patched firmware available. Plus UDP makes it easier to spoof the
>> source IP.
>>
>> So I must have missed that UDP port 1900 is the new target for
>> amplification.
>>
>> I did a quick torch and saw a bunch of traffic on udp/1900, some inbound
>> only which I assume are scans, some bidirectional which I'm thinking is
>> suspicious but maybe some port 1900 traffic is normal because it is in the
>> >1024 ephemeral port range.
>>
>> I went and signed up for ShadowServer, figuring they will tell me what
>> IPs were responding to SSDP requests on what date and I can track down the
>> customer. Anyone have a better approach? If you identify customers with
>> UPnP open to the outside, are you contacting them and pushing them to fix
>> it?
>>
>> It's just amazing to me that some routers would have UPnP open on the WAN
>> side. What's wrong with these companies? I saw DLink mentioned, and sure
>> enough, when I torched for udp/1900, I saw a lot of connections for a
>> customer that I seem to remember has a DLink DIR-655.
>>
>> From: Jaime Solorza via Af <[email protected]>
>> Sent: Monday, December 22, 2014 7:58 PM
>> To: Animal Farm <[email protected]>
>> Subject: Re: [AFMUG] North Korea is down....
>>
>> linksys modems for backhauls
>>
>> Jaime Solorza
>> Wireless Systems Architect
>> 915-861-1390
>>
>> On Mon, Dec 22, 2014 at 2:48 PM, Tyson Burris @ Internet Communications
>> Inc via Af <[email protected]> wrote:
>>
>>> No! No! They have Comcast Cable and Century Link DSL. Normal stuff.
>>>
>>> Tyson Burris, President
>>> Internet Communications Inc.
>>> 739 Commerce Dr.
>>> Franklin, IN 46131
>>> 317-738-0320 Daytime #
>>> 317-412-1540 Cell/Direct #
>>> Online: www.surfici.net <http://www.surfici.net>
>>>
>>> From: Af [mailto:[email protected]] On Behalf Of Travis Johnson via Af
>>> Sent: Monday, December 22, 2014 4:24 PM
>>> To: [email protected]
>>> Subject: Re: [AFMUG] North Korea is down....
>>>
>>> The FBI setup a P2P server in North Korea with the Sony movie as the
>>> only download. LOL
>>>
>>> Travis
>>>
>>> On 12/22/2014 2:08 PM, CBB - Jay Fuller via Af wrote:
>>>
>>> What did we do? Lol. How did we do it ?
>>>
>>> Sent from my Verizon Wireless 4G LTE Smartphone
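One answer to the "anyone have a better approach?" question in the quoted thread, as an added example that is not from any poster here: a Python pass over flow records exported from the edge router that separates customer hosts merely probed on udp/1900 (inbound only, i.e. scans) from hosts that also answer outside IPs (the bidirectional pattern that marks UPnP exposed on the WAN), and estimates the amplification they offer. The flow lines, their column layout and the customer prefix are constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
# Assumed customer prefix; substitute the prefixes you actually route.
CUSTOMER_NETS = [ip_network("10.20.0.0/16")]

# Constructed flow records (src sport dst dport bytes). Outside probes are
# ~100-byte M-SEARCH queries; a host with UPnP exposed on the WAN answers
# with several larger replies. The last line is normal LAN-side discovery.
FLOWS = """\
198.51.100.7 41000 10.20.1.10 1900 98
198.51.100.7 41000 10.20.1.11 1900 98
198.51.100.7 41000 10.20.1.12 1900 98
203.0.113.9 5555 10.20.1.11 1900 96
10.20.1.11 1900 198.51.100.7 41000 2880
10.20.1.11 1900 203.0.113.9 5555 2880
10.20.1.12 41001 239.255.255.250 1900 130
"""

def parse_flows(text):
    """Parse whitespace-separated flow lines into typed tuples."""
    rows = []
    for line in text.splitlines():
        src, sport, dst, dport, nbytes = line.split()
        rows.append((ip_address(src), int(sport), ip_address(dst), int(dport), int(nbytes)))
    return rows

def is_customer(ip):
    return any(ip in net for net in CUSTOMER_NETS)

def classify(flows):
    """Return (scanned_only, reflectors) for customer hosts seen on udp/1900."""
    stats = defaultdict(lambda: {"in": 0, "out": 0, "peers": set()})
    for src, sport, dst, dport, nbytes in flows:
        if dport == 1900 and is_customer(dst) and not is_customer(src):
            stats[str(dst)]["in"] += nbytes           # probe arriving from outside
        elif sport == 1900 and is_customer(src) and not is_customer(dst):
            stats[str(src)]["out"] += nbytes          # reply leaving toward outside
            stats[str(src)]["peers"].add(str(dst))
    scanned_only, reflectors = set(), {}
    for host, s in stats.items():
        if s["in"] == 0:
            continue  # sport 1900 with no inbound probe: ephemeral-port coincidence
        if s["out"] == 0:
            scanned_only.add(host)                    # probed, never answered
        else:
            reflectors[host] = {"in_bytes": s["in"], "out_bytes": s["out"],
                                "external_peers": len(s["peers"]),
                                "amplification": round(s["out"] / s["in"], 1)}
    return scanned_only, reflectors
```

The reflector list is the set of customers worth a call about their router; the scanned-only list confirms the inbound-only traffic is just probing and needs no action beyond the existing drop rule.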
