SSDP upnp attack on rdweb/remoteapp rd-gateway ts-gateway ?
Posted on 2014-11-22
Hi, we are starting to get this message from our ISP. All our customers that have port 443 open for RD Gateway are getting it too.
Category : amplification-ssdp
Time (UTC): 2014-11-20 03:57:20
IP : x.x.x.x
Port : 443
Recipient host : "
We and all our customers have SonicWall as firewall; it's TZ100, TZ110, TZ200, NSA200, NSA240 etc., all models of SonicWall. All users that got this message have Windows 2008, 2008 R2, 2012, 2012 R2 with terminal server and the TS-Gateway/RD-Gateway and RDWEB (RemoteApp). It's only port 443 that is open in the firewalls; it's forwarded to the TS-Gateway/RD-Gateway.
The strange thing is that all of our customers started to get this message from their ISP providers today. The ISPs got the message from NorCERT, which is the Norwegian version of NSA.