Blocked Traffic
Stargate maintains a default open network, with no manipulation or blocking of customer traffic unless a customer explicitly requests some form of traffic management (e.q. QoS, rate limiting, or firewalling). Certain types or classes of traffic, however, are commonly abused and exploited in DoS or other network attacks.
Stargate evaluates these commonly abused protocols or types of traffic. If after careful examination the traffic is found to be excessively abused and to not serve any legitimate function on the public Internet, the traffic will be blocked globally across the Stargate network. This step is not taken lightly and only considered if the protocol/port is subject to excessive abuse and it is exceedingly clear that it is extremely unlikely that there is any legitimate use of the traffic on the public Internet.
On identifying a new type of traffic to be blocked, Stargate will list the new entry on this page for a minimum of 30 days before starting to block the traffic, in order to ensure customers are given advance notice of the change.
The following is a list of traffic that is currently blocked/discarded on the Stargate network or is scheduled to be blocked/discarded in the near future.
| Port | Transport | Protocol | Direction | Notes | Date listed | Date blocked |
|---|---|---|---|---|---|---|
| 19 | TCP/UDP | CHARGEN | Inbound/Outbound | The Character Generator (CHARGEN) Protocol can be used in testing and debugging as it sends an arbitrary stream of characters to a client. It has a very large amplification factor as well as being vulnerable to reflection / source address spoofing when accessed over UDP, making it heavily abused in reflected DoS attacks. There are no legitimate use cases for exposing a CHARGEN service on the public Internet. | 2016-05-03 | 2016-07-26 |
| 1900 | UDP | SSDP | Inbound/Outbound | The service discovery mechanism for Universal Plug and Play (UPnP), SSDP has legitimate uses but should be accessed via multicast addresses and limited to local networks. Use of SSDP does not make sense over the public Internet. It has a high amplification factor and is susceptible to reflection / source address spoofing, and poor SSDP implementations that listen on WAN IP addresses have been heavily abused in reflected DoS attacks. | 2016-05-03 | 2016-07-26 |
Page last updated 2016-07-26.