On Wed, Jul 14, 2021 at 8:21 PM Mark Nottingham <[email protected]> wrote:
> [ bringing this up on both lists because it's not yet clear what the right > scope is ] > > It's not uncommon for servers to block certain UDP source ports to avoid > being overwhelmed by certain reflection attacks. In particular: > > * 53 - DNS > * 123 - NTP > * 1900 - SSDP > * 5353 - mDNS > * 11211 - memcached > > ... among other candidates. > > See, eg., <https://blog.cloudflare.com/reflections-on-reflections/>. This > isn't done to avoid protocol vulnerabilities as such -- it's to avoid > volumetric attacks (usually DDoS). > > Closely related, the Fetch spec's "bad port" list is fairly TCP-specific and could likely use additions for some of these. I opened https://github.com/whatwg/fetch/issues/1268 to track that. Erik
