Re: Incoming SSDP UDP 1900 filtering
I'm working with Level3 on a similar problem. They filter both UDP and TCP port 1900 on our peer to them. This is blocking all connections that randomly use ephemeral tcp port 1900.

They are refusing to remove the tcp port 1900 filter without dispensation from the DDoS security gods. I understand blocking UDP 1900, what is the purpose of Level3 filtering tcp port 1900?

On 3/25/19, 12:44 PM, "NANOG on behalf of Saku Ytti" <nanog-bounces@nanog.org on behalf of saku@ytti.fi> wrote:

Hey Tom,

> If your edge ingress ACLs are not 100% in sync all the time, you will inevitably have Really Weird Stuff happen that will end up taking forever to diagnose.

You may in some cases have hard to troubleshoot issues, which is true for everything, even when perfectly configured, because software is not perfect. However choosing to do iACL is still something many networks choose to do, because the upside is worth the complexity to them.

> Packet filtering is more computationally taxing than just routing is. Your edge equipment is likely going to be built for maximum routing efficiency. Trying to bite off too much filtering there increases your risk of legit traffic being tossed on the floor.

Depends on implementation; on some implementations it is zero-cost, on some it is not. On most implementations it's very cheap, particularly compared to say uRPF.

It seems your position is 'I don't know how ACL works on my platforms and I don't trust myself to write ACL, so I should not do them', which is a perfectly valid position under those constraints, but other networks have other constraints under which it is no longer a valid proposal to omit doing iACL.

I would encourage networks to continue deploying iACL and consider it BCP. iACL removes attack surface and protects you from a host of known and unknown SIRT issues.

--
++ytti
On Apr 11, 2019, at 10:08, Patrick McEvilly <patrick_mcevilly@harvard.edu> wrote:
They are refusing to remove the tcp port 1900 filter without dispensation from the DDoS security gods. I understand blocking UDP 1900, what is the purpose of Level3 filtering tcp port 1900?
Filtering Exploitable Ports and Minimizing Risk from the Internet and from Your Customers - What are you doing to prepare for the next “scanning malware” and “Internet Worm?” http://www.senki.org/operators-security-toolkit/filtering-exploitable-ports-...
On Thu, Apr 11, 2019 at 12:52 PM Barry Raveendran Greene <bgreene@senki.org> wrote:
On Apr 11, 2019, at 10:08, Patrick McEvilly <patrick_mcevilly@harvard.edu> wrote:
They are refusing to remove the tcp port 1900 filter without dispensation from the DDoS security gods. I understand blocking UDP 1900, what is the purpose of Level3 filtering tcp port 1900?
http://www.senki.org/operators-security-toolkit/filtering-exploitable-ports-...

Which calls out UDP port 1900, not TCP port 1900. I would ask any who don't know the difference to stay away from their router's ACLs. Blocking TCP 1900 except as a destination in the initial SYN packet breaks TCP. Do that and you DO get customer complaints. Like Patrick's.

Regards,
Bill Herrin

--
William Herrin ................ herrin@dirtside.com bill@herrin.us
Dirtside Systems ......... Web: <http://www.dirtside.com/>
On Thu, Apr 11, 2019 at 7:15 AM Patrick McEvilly <patrick_mcevilly@harvard.edu> wrote:

I'm working with Level3 on a similar problem. They filter both UDP and TCP port 1900 on our peer to them. This is blocking all connections that randomly use ephemeral tcp port 1900.

They are refusing to remove the tcp port 1900 filter without dispensation from the DDoS security gods. I understand blocking UDP 1900, what is the purpose of Level3 filtering tcp port 1900?

Hi Patrick,

I ran into this years ago with the NIPR to Internet gateway at Pearl. They were filtering about 100 TCP ports in the 1024 to 5000 range because they were commonly used for malware C&C. They insisted they were only blocking destination ports... Didn't quite get the concept that the source port on a packet traveling one way becomes the destination port on the return packet, or that 1024 to 5000 were common ephemeral source ports for both Windows and a number of firewall products. The idea of filtering only on syn-not-ack packets also failed to make contact in their craniums.

Good luck with Level3. The folks at Pearl still hadn't figured it out years later when I changed jobs.

Regards,
Bill Herrin

--
William Herrin ................ herrin@dirtside.com bill@herrin.us
Dirtside Systems ......... Web: <http://www.dirtside.com/>
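An added example, not from any post in this thread, modelling the two policies Bill describes in both of his replies: matching TCP 1900 as either source or destination regardless of flags, versus matching it only as the destination of an initial SYN (syn-not-ack). The packets are constructed samples and the function names are chosen here.

```python
# Added example: stateless edge ACL models for TCP port 1900.
# Cisco IOS extended ACLs express the SYN-only idea with the "established"
# keyword (permit established traffic first, then deny new SYNs to the port).
from dataclasses import dataclass

SYN = 0x02
ACK = 0x10


@dataclass(frozen=True)
class TcpPacket:
    src_port: int
    dst_port: int
    flags: int
    note: str  # what this packet is within its session

    @property
    def is_initial_syn(self) -> bool:
        # SYN set and ACK clear: the first packet of a brand-new connection.
        return bool(self.flags & SYN) and not (self.flags & ACK)


def naive_drop(p: TcpPacket, port: int = 1900) -> bool:
    """Drop if 1900 is the source OR destination, any flags (the complained-about filter)."""
    return port in (p.src_port, p.dst_port)


def syn_only_drop(p: TcpPacket, port: int = 1900) -> bool:
    """Drop only new connection attempts TO port 1900; return traffic passes."""
    return p.dst_port == port and p.is_initial_syn


# Constructed packets arriving inbound on the peering link.
INBOUND = [
    # A customer opened an outbound session from ephemeral source port 1900;
    # on the return path that source port is now the destination port.
    TcpPacket(443, 1900, SYN | ACK, "SYN/ACK back to customer ephemeral port 1900"),
    TcpPacket(443, 1900, ACK, "data/ACK back to customer ephemeral port 1900"),
    # A remote client chose 1900 as ITS ephemeral port when connecting to our web server.
    TcpPacket(1900, 80, SYN, "SYN from remote ephemeral port 1900 to our port 80"),
    # The only thing the operator actually meant to block: a new inbound session to 1900.
    TcpPacket(51515, 1900, SYN, "new inbound connection to our port 1900"),
]


def dropped_by(policy) -> list:
    """Return the notes of the packets a policy would discard."""
    return [p.note for p in INBOUND if policy(p)]


if __name__ == "__main__":
    print("naive   :", dropped_by(naive_drop))      # drops all four, breaking legit sessions
    print("syn-only:", dropped_by(syn_only_drop))   # drops only the new inbound connection
```

A stateless SYN-only match still lets lone ACK segments to port 1900 through; the endpoint discards those because no session exists, so nothing legitimate is lost.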
On Thursday, 11 April, 2019 08:08, Patrick McEvilly <patrick_mcevilly@harvard.edu> wrote:
I'm working with Level3 on a similar problem. They filter both UDP and TCP port 1900 on our peer to them. This is blocking all connections that randomly use ephemeral tcp port 1900.
They are refusing to remove the tcp port 1900 filter without dispensation from the DDoS security gods. I understand blocking UDP 1900, what is the purpose of Level3 filtering tcp port 1900?
They are both port 1900 (that is, they have a 1900 in them -- they also probably block TCP/UDP 19000 bidirectionally as well, since that has a "1900" in it -- they likely also tried to block TCP/UDP 190000 as well, but for some reason even though that also has "1900" in it the firewall would not accept it as a 16-bit port number, so they submitted a bug report to the vendor and closed the ticket).

In short, never ascribe to malice that which can be oh so easily and correctly attributed to ignorance, stupidity (incurable ignorance) and incompetence.

Besides, the "Internet" package that you purchased did not include that channel. If you wish to receive channels 1900 and 19000 they are available as an add-on feature pack.

---
The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.