Why you shouldn't sweat UPnP port masking in the data center: Perspective

Writing at HelpNetSecurity.com, Marc Laliberte, senior security analyst at WatchGuard Technologies, notes that: These days, DDoS attacks are often mitigated by spreading the load through a content delivery network’s (CDN’s) network. Instead of funneling DDoS traffic all through a single pipe, it is split up and sent through multiple data centers, which can then use specialized equipment to filter the reduced traffic. Some DDoS mitigation services let you keep your normal routing as-is until your services come under attack, at which point your public addresses are re-routed through their network. Cloud-based services aren’t as concerned about UPnP port masking because they have the resources to inspect and throttle larger attacks and simply absorb smaller ones.   The bottom line is, if a DDoS attack can bring down your network by using randomized ports, it can probably do the same without randomizing ports as well. If DDoS mitigation is a concern for your organization, look to cloud-based services that are equipped to handle the ever-increasing throughput. While UPnP Port Masking may fool some older DDoS prevention methods, the industry as a whole has moved on and focusing on this one trick will distract organizations from the actual threat of a modern DDoS attack.

Nov 30th, 2018
Content Dam Cim En Articles Pt 2018 11 Why Don T Need To Sweat Over Upnp Port Masking Perspective Leftcolumn Article Thumbnailimage File
www.helpnetsecurity.com

Writing at HelpNetSecurity.com, Marc Laliberte, senior security analyst at WatchGuard Technologies, observes that:

These days, DDoS attacks are often mitigated by spreading the load through a content delivery network’s (CDN’s) network. Instead of funneling DDoS traffic all through a single pipe, it is split up and sent through multiple data centers, which can then use specialized equipment to filter the reduced traffic. Some DDoS mitigation services let you keep your normal routing as-is until your services come under attack, at which point your public addresses are re-routed through their network. Cloud-based services aren’t as concerned about UPnP port masking because they have the resources to inspect and throttle larger attacks and simply absorb smaller ones.

The bottom line is, if a DDoS attack can bring down your network by using randomized ports, it can probably do the same without randomizing ports as well. If DDoS mitigation is a concern for your organization, look to cloud-based services that are equipped to handle the ever-increasing throughput. While UPnP Port Masking may fool some older DDoS prevention methods, the industry as a whole has moved on and focusing on this one trick will distract organizations from the actual threat of a modern DDoS attack.

More in Data Center