
For a network offering web services, I have had recommendations to blacklist a couple of common incoming DESTINATION ports, such as UDP 53, to combat the increasing load from DDoS. I'm wondering if it makes sense to blacklist attackers' SOURCE ports as well. What's the industry practice?

George

2 Answers

In terms of security, it is better to have a whitelist approach rather than a blacklist. As Neil has clearly pointed out, you should only allow ports for incoming connections in your firewall that correspond to the services that you are providing and that need to be accessed from the outside. Hope my answer helps you better understand the situation.

Nick C.

I've tested with Wireshark, from an attacker's point of view, which outgoing source ports are used, and they are random high ports. Both legitimate web requests and malicious scans originate from random source ports, so I don't think the defender can block based on attackers' source ports.

George
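To make both answers concrete, here is an added example (not code from the thread) that runs a few constructed inbound flows through a destination-port blacklist and a service whitelist, and lists the ephemeral source ports each side uses; the server address, flow records and the "legit"/"hostile" labels are all assumptions for illustration.

```python
"""Blacklist vs whitelist firewall policy on constructed flow records (added example)."""
from collections import namedtuple

# "kind" is our own label for the constructed data; a real firewall never sees it.
Flow = namedtuple("Flow", "kind proto src_ip sport dst_ip dport")

SERVER = "198.51.100.5"  # hypothetical web server (documentation address)

# Constructed inbound flows: legitimate clients and the scanner both arrive
# from random high (ephemeral) source ports, exactly as the second answer observed.
SAMPLE_FLOWS = [
    Flow("legit",   "tcp", "203.0.113.10", 51234, SERVER, 443),
    Flow("legit",   "tcp", "203.0.113.10", 51235, SERVER, 80),
    Flow("hostile", "tcp", "192.0.2.77",   40211, SERVER, 80),
    Flow("hostile", "tcp", "192.0.2.77",   40212, SERVER, 22),
    Flow("hostile", "udp", "192.0.2.9",    53,    SERVER, 53),
    Flow("hostile", "udp", "192.0.2.9",    53,    SERVER, 8080),
]

BLACKLISTED_DPORTS = {("udp", 53)}              # the "block UDP 53" recommendation
OFFERED_SERVICES = {("tcp", 80), ("tcp", 443)}  # what this web host actually serves


def blacklist_verdict(flow, blocked=BLACKLISTED_DPORTS):
    """Default accept; drop only (proto, dport) pairs explicitly listed."""
    return "drop" if (flow.proto, flow.dport) in blocked else "accept"


def whitelist_verdict(flow, offered=OFFERED_SERVICES):
    """Default drop; accept only (proto, dport) pairs for services we offer."""
    return "accept" if (flow.proto, flow.dport) in offered else "drop"


def accepted_hostile(flows, policy):
    """Destination ports of hostile flows that a policy lets through."""
    return sorted(f.dport for f in flows
                  if f.kind == "hostile" and policy(f) == "accept")


def ephemeral_source_ports(flows):
    """Ephemeral (>=1024) source ports seen per kind. Both kinds populate the
    same range, so no source-port value isolates attackers from clients."""
    seen = {}
    for f in flows:
        if f.sport >= 1024:
            seen.setdefault(f.kind, set()).add(f.sport)
    return seen


if __name__ == "__main__":
    print("blacklist lets through hostile dports:", accepted_hostile(SAMPLE_FLOWS, blacklist_verdict))
    print("whitelist lets through hostile dports:", accepted_hostile(SAMPLE_FLOWS, whitelist_verdict))
    print("ephemeral source ports by kind:", ephemeral_source_ports(SAMPLE_FLOWS))
```

Under the blacklist the scanner still reaches ports 22 and 8080; under the whitelist only traffic to the offered web ports gets through, and UDP 53 is dropped without a dedicated rule.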