RE: [OPSEC] game over, EH [Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06]

In the past nearly all UDP:443 traffic was part of an attack. Frequently it is the src port for a reflective attack towards UDP:1900, 123, … pick a reflector port that amplifies well.

UDP:80 same.

Those are the two most common trigger packet src ports for RA attacks.

It is my belief that the bad guys choose that because some (many?) filters are port-based only, not protocol-based.
I have no evidence of that (you would have to ask a bad guy... DDoS for hire) but it is common.

Don't take my word for it :)
https://asert.arbornetworks.com/ddos-attacks-iot-botnets-dont-mean-game/

" As most (not all) UDP reflection/amplification attacks tend to target UDP/80 or UDP/443 in order to confuse defenders who might not notice that the attackers are using UDP instead of TCP (TCP/80 is typically used for non-encrypted Web servers, and TCP/443 for SSL-/TLS-encrypted Web servers), "



if (initial_ttl!=255) then (rfc5082_compliant==0)
Donald.Smith@xxxxxxxxxxxxxxx
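The port-based-versus-protocol-based point above, as an added example that is not part of the original post: a source-port-only "allow web" rule beside a protocol-aware one, plus a check for the UDP/80 and UDP/443 trigger pattern, run over constructed flow-log lines. The log format, the addresses and the reflector-port set are assumptions made for this illustration.

```python
# Added example (not from the thread): port-only vs protocol-aware filtering of
# spoofed UDP/80 and UDP/443 reflection triggers. Log format and ports are assumed.
import re

WEB_PORTS = {80, 443}          # source ports spoofed to look like web traffic
REFLECTOR_PORTS = {1900, 123}  # SSDP and NTP, the amplifier ports named above

FLOW_RE = re.compile(r"(tcp|udp)\s+([\d.]+):(\d+)\s*->\s*([\d.]+):(\d+)")

def parse_flow(line):
    """Parse a constructed line like 'udp 203.0.113.5:443 -> 198.51.100.9:1900'."""
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow line: {line!r}")
    proto, src, sport, dst, dport = m.groups()
    return {"proto": proto, "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}

def port_only_allows(f):
    """Weak rule: source port 80/443 means 'web traffic, let it through'.
    It never looks at the transport protocol, so spoofed UDP/443 passes."""
    return f["sport"] in WEB_PORTS

def protocol_aware_allows(f):
    """Corrected rule: web return traffic is TCP; UDP from 80/443 gets no free pass."""
    return f["proto"] == "tcp" and f["sport"] in WEB_PORTS

def is_reflection_trigger(f):
    """UDP from source port 80/443 aimed at a known amplifier port."""
    return (f["proto"] == "udp" and f["sport"] in WEB_PORTS
            and f["dport"] in REFLECTOR_PORTS)

# Constructed sample: two spoofed triggers, one TCP/443 reply, one UDP/443 (QUIC) client flow.
SAMPLE_LOG = """\
udp 203.0.113.5:443 -> 198.51.100.9:1900
tcp 203.0.113.5:443 -> 192.0.2.20:51044
udp 203.0.113.5:80 -> 198.51.100.10:123
udp 192.0.2.20:51045 -> 203.0.113.5:443
"""

def audit(log):
    """Count what each rule lets through and list flows matching the trigger pattern."""
    flows = [parse_flow(l) for l in log.splitlines() if l.strip()]
    return {
        "port_only_allowed": sum(port_only_allows(f) for f in flows),
        "protocol_aware_allowed": sum(protocol_aware_allows(f) for f in flows),
        "triggers": [f"{f['src']}:{f['sport']}->{f['dst']}:{f['dport']}"
                     for f in flows if is_reflection_trigger(f)],
    }
```

Over the sample, the port-only rule waves through both spoofed triggers while the protocol-aware rule passes only the genuine TCP/443 reply.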

________________________________________
From: OPSEC [opsec-bounces@xxxxxxxx] on behalf of C. M. Heard [heard@xxxxxxxxx]
Sent: Thursday, December 06, 2018 12:41 PM
To: Jared Mauch
Cc: IETF; draft-ietf-opsec-ipv6-eh-filtering.all@xxxxxxxx; OPSEC; TSV-ART; Brian E Carpenter
Subject: Re: [OPSEC] game over, EH [Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06]

On Thu, Dec 6, 2018 at 11:12 AM Jared Mauch wrote:
> UDP is filtered or policed by network operators not because they want
> it, but as self-defense.  Nothing personal.  If you are on the end of
> a long subsea circuits, you may not be able to use UDP based
> protocols.  If you are trying to SNMP poll over public internet
> because you think you can e2e, you will become sad.  No operator wants
> to deploy these configurations, they must because of the problems.

I do get the need for self-defense. But ...

Does this apply to all UDP or just specific UDP-based protocols?

What I commented on specifically was UDP/443 (QUIC), something
that people are actually trying to deploy.

If you block it, is that based on evidence of actual UDP/443 attacks?

Mike Heard

_______________________________________________
OPSEC mailing list
OPSEC@xxxxxxxx
https://www.ietf.org/mailman/listinfo/opsec