Minimal ruleset

The suggested minimal ruleset blocks some known common vectors for DDoS attacks and permits all other ESP, TCP, UDP, GRE and ICMP traffic.

This is a suggested list and not an exhaustive list. Review your environment and add more rules as necessary.

Rule ID: 1
Description: Single rule that blocks all traffic from UDP source ports that are used in attacks or are invalid in Magic Transit ingress.
Match: (udp.srcport in {1900 11211 389 111 19 1194 3702 10001 20800 161 162 137 27005 520 0})
Action: Block

Rule ID: 2
Description: Blocks TCP traffic with source port 0 and common ports used in TCP SYN/ACK reflection attacks.
Match: (tcp.srcport in {21 0 3306})
Action: Block

Rule ID: 3
Description: Blocks HOPOPT (protocol 0) and any protocol not in {ESP, TCP, UDP, GRE, ICMP}. Note that this is only an example. Permit the relevant protocols for your environment.
Match: (ip.proto eq "hopopt") or (not ip.proto in {"esp" "tcp" "udp" "gre" "icmp"})
Action: Block
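
Before enabling the rules, it helps to check which of your own flows they would drop. The following is an added example, not Cloudflare code: a simplified offline model of rules 1 to 3 run over constructed sample flows. The function names and the sample records are assumptions made for illustration.

```python
# Simplified offline model of rules 1-3 above; not Cloudflare's rule engine.
# All three rules block, so check order only affects which rule ID is reported.
UDP_SRC_BLOCK = {1900, 11211, 389, 111, 19, 1194, 3702, 10001, 20800,
                 161, 162, 137, 27005, 520, 0}          # rule 1
TCP_SRC_BLOCK = {21, 0, 3306}                           # rule 2
ALLOWED_PROTOS = {"esp", "tcp", "udp", "gre", "icmp"}   # rule 3

def evaluate(proto, srcport=None):
    """Return (action, rule_id) for one ingress packet."""
    proto = proto.lower()
    if proto == "udp" and srcport in UDP_SRC_BLOCK:
        return ("block", 1)
    if proto == "tcp" and srcport in TCP_SRC_BLOCK:
        return ("block", 2)
    if proto == "hopopt" or proto not in ALLOWED_PROTOS:
        return ("block", 3)
    return ("allow", None)

# Constructed sample flow records: (protocol, source port, note)
SAMPLE_FLOWS = [
    ("udp", 11211, "memcached reflection reply"),
    ("udp", 1194, "OpenVPN peer (blocked unless you remove 1194)"),
    ("udp", 53, "DNS answer"),
    ("tcp", 3306, "SYN/ACK from a MySQL port"),
    ("tcp", 443, "HTTPS response to an endpoint"),
    ("tcp", 0, "invalid source port"),
    ("gre", None, "GRE tunnel"),
    ("hopopt", None, "protocol 0"),
    ("sctp", 5000, "protocol outside the allow set"),
]

def dry_run(flows):
    """Return (proto, srcport, action, rule_id, note) for every flow."""
    return [(p, s) + evaluate(p, s) + (n,) for p, s, n in flows]

def blocked_by_rule(flows):
    """Count how many flows each rule ID would block."""
    counts = {}
    for _, _, action, rule, _ in dry_run(flows):
        if action == "block":
            counts[rule] = counts.get(rule, 0) + 1
    return counts

if __name__ == "__main__":
    for proto, sport, action, rule, note in dry_run(SAMPLE_FLOWS):
        print(f"{proto:<7}{str(sport):<7}{action:<6} rule={rule}  {note}")
    print(blocked_by_rule(SAMPLE_FLOWS))
```

Replace SAMPLE_FLOWS with tuples taken from your own flow logs to see which legitimate traffic, such as an authorized VPN on UDP 1194, needs an exception before the rules go live.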

Traffic and port types

The information below covers traffic type, how the port is used, and reasons for blocking the port.

| Traffic | Port use | Reason to block |
| --- | --- | --- |
| UDP source port 0 | Reserved port. Should not be used by applications. | Invalid as a legitimate traffic source port. Commonly used in DDoS attacks. |
| UDP source port 1900 | Simple Service Discovery Protocol (SSDP). Allows universal plug and play devices to send and receive information. | SSDP DDoS attacks exploit Universal Plug and Play protocols. |
| UDP source port 11211 | Memcached. A database caching system designed to speed up websites and networks. | Memcached DDoS attacks. |
| UDP source port 389 | Connection-less Lightweight Directory Access Protocol (CLDAP). | Used in reflection attacks. |
| UDP source port 111 | SunRPC | Common attack vector. Used in reflection attacks. |
| UDP source port 19 | CHARGEN | Amplification attack vector. |
| UDP source port 1194 | OpenVPN | Unless this is an authorized VPN in your environment, this common VPN should be blocked. |
| UDP source port 3702 | Web Services Dynamic Discovery Multicast discovery protocol (WS-Discovery) | Can be exploited for DDoS attacks. |
| UDP source port 10001 | Ubiquiti UniFi discovery protocol | Ubiquiti devices were exploited and used to conduct DDoS attacks on this port. |
| UDP source port 20800 | Call of Duty | Commonly used in attacks. |
| UDP source ports 161 and 162 | SNMP | Can be exploited for DDoS attacks. |
| UDP source port 137 | NetBIOS | NetBIOS allows file sharing over networks. If configured improperly, can expose file systems. |
| UDP source port 27005 | SRCDS | Used in amplification attacks. |
| UDP source port 520 | Routing Information Protocol (RIP) | Internal routing protocol. Not required on Internet WAN access. |
| TCP source port 0 | Reserved port. Should not be used by applications. | Commonly used in DDoS attacks. Invalid as a legitimate traffic source port. |
| TCP source port 21 | FTP | Commonly used for attacks. |
| TCP source port 3306 | MySQL open source database | Used as attack vector in DDoS attacks. |

Other common traffic to consider

The list below covers common traffic types you should also consider blocking or restricting inbound.

  • SFTP, TFTP
  • SSH, Telnet
  • RDP
  • RCP
  • SMCP
  • NTP
  • MS-SQL
  • HTTP and HTTPS
    • If you only have servers on your Magic Transit prefixes, consider blocking ingress traffic on TCP source ports 80 and 443 from outside. If you have endpoints on your Magic Transit prefixes, you can allow traffic on the source ports but consider creating a disabled rule you can activate to respond to reflection attacks as needed.

If relevant to your environment, consider blocking based on GeoIP, which blocks traffic based on the country or user when an end user’s IP address is registered in the GeoIP database.

If you are interested in participating in the beta for Session Initiation Protocol (SIP) Validation, contact your Implementation Manager.