Writing at HelpNetSecurity.com, Marc Laliberte, senior security analyst at WatchGuard Technologies, notes that:
These days, DDoS attacks are often mitigated by spreading the load through a content delivery network’s (CDN’s) network. Instead of funneling DDoS traffic all through a single pipe, it is split up and sent through multiple data centers, which can then use specialized equipment to filter the reduced traffic. Some DDoS mitigation services let you keep your normal routing as-is until your services come under attack, at which point your public addresses are re-routed through their network. Cloud-based services aren’t as concerned about UPnP port masking because they have the resources to inspect and throttle larger attacks and simply absorb smaller ones.
The bottom line is, if a DDoS attack can bring down your network by using randomized ports, it can probably do the same without randomizing ports as well. If DDoS mitigation is a concern for your organization, look to cloud-based services that are equipped to handle the ever-increasing throughput. While UPnP Port Masking may fool some older DDoS prevention methods, the industry as a whole has moved on and focusing on this one trick will distract organizations from the actual threat of a modern DDoS attack.
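To make the "randomized ports change nothing for volumetric mitigation" point concrete, here is an added example that is not from the article, from WatchGuard or from HelpNetSecurity. It builds a constructed reflected-UDP flood against a victim, once with reflectors answering from their normal service port (SSDP/1900) and once "port-masked" with random source ports, and runs both through two detectors: an old-style blocklist that drops packets sourced from well-known amplifier ports, and a port-agnostic volumetric check that sums bytes toward each destination per time window. The `Flow` record, the `make_flood`/`make_background` generators, the IP addresses and the threshold are this example's own assumptions.

```python
"""Source-port blocklist vs. port-agnostic volumetric detection.

Constructed example, not the article's code. Two synthetic reflection floods
(one normal, one with randomized "masked" source ports) are checked by
(a) a legacy filter keyed on the UDP source port and
(b) a volumetric detector that ignores ports entirely.
"""
import random
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set


class Flow(NamedTuple):
    """Hypothetical flow record (field names are this example's own)."""
    ts: float        # seconds since window start
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nbytes: int


# Well-known UDP amplifier service ports (chargen, DNS, NTP, SNMP, SSDP, memcached).
AMPLIFIER_PORTS: Set[int] = {19, 53, 123, 161, 1900, 11211}

PACKET_BYTES = 1400


def make_flood(victim: str, masked: bool, n: int = 2000, seed: int = 1) -> List[Flow]:
    """Build n reflected UDP packets spread over a 1-second window.

    masked=False: every reflector answers from its service port (SSDP/1900).
    masked=True:  the reflectors' source ports look random, as a UPnP
                  port-masking attack would make them; the volume is identical.
    """
    rng = random.Random(seed)
    flows: List[Flow] = []
    for i in range(n):
        sport = 1900
        if masked:
            sport = rng.randint(1024, 65535)
            while sport in AMPLIFIER_PORTS:      # keep the masked set cleanly disjoint
                sport = rng.randint(1024, 65535)
        flows.append(Flow(ts=i / n,
                          src_ip=f"198.51.100.{rng.randint(1, 254)}",   # constructed reflectors
                          src_port=sport,
                          dst_ip=victim,
                          dst_port=rng.randint(1024, 65535),
                          nbytes=PACKET_BYTES))
    return flows


def make_background(victim: str, n: int = 50, seed: int = 2) -> List[Flow]:
    """Constructed benign traffic: a few dozen ordinary DNS answers per second."""
    rng = random.Random(seed)
    return [Flow(ts=i / n, src_ip="192.0.2.53", src_port=53, dst_ip=victim,
                 dst_port=rng.randint(1024, 65535), nbytes=PACKET_BYTES)
            for i in range(n)]


def legacy_port_filter(flows: Iterable[Flow]) -> int:
    """Old-style mitigation: drop anything sourced from a known amplifier port.

    Returns the number of bytes that still reach the victim after filtering.
    """
    return sum(f.nbytes for f in flows if f.src_port not in AMPLIFIER_PORTS)


def volumetric_detect(flows: Iterable[Flow], threshold_bps: float,
                      window: float = 1.0) -> Dict[str, float]:
    """Port-agnostic check: bytes toward each destination per window.

    Returns {dst_ip: peak_bits_per_second} for destinations over threshold_bps.
    Source and destination ports are never consulted, so randomizing them
    cannot change the verdict.
    """
    per_bucket: Dict[tuple, int] = defaultdict(int)
    for f in flows:
        per_bucket[(f.dst_ip, int(f.ts // window))] += f.nbytes
    peak: Dict[str, float] = {}
    for (dst, _), total in per_bucket.items():
        bps = total * 8 / window
        if bps > threshold_bps:
            peak[dst] = max(bps, peak.get(dst, 0.0))
    return peak


if __name__ == "__main__":
    victim = "203.0.113.10"                       # constructed victim address
    threshold = 10_000_000                         # 10 Mbit/s, an assumed link budget
    for label, flood in (("unmasked", make_flood(victim, masked=False)),
                         ("masked  ", make_flood(victim, masked=True))):
        print(f"{label}: legacy filter lets through {legacy_port_filter(flood):,} bytes; "
              f"volumetric flags {volumetric_detect(flood, threshold)}")
    print("benign  :", volumetric_detect(make_background(victim), threshold))
```

The blocklist stops the unmasked flood outright and passes the masked one untouched, which is exactly the "trick"; the volumetric detector flags both floods at the same 22.4 Mbit/s and leaves the benign traffic alone. Real CDN and scrubbing services key on throughput, packet rate and source behaviour in much the same port-agnostic way, which is why the masking buys the attacker little against them.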