In this lecture, we will be talking about the remaining significant protocols in the application layer. The reason I grouped them together is that the methodology to detect and mitigate them is quite similar. They just use different ports. Apart from that, the attack vector is pretty much the same. In other words, these are all volumetric attacks. Let's start with NTP flood detection and mitigation.
If you don't know it, NTP is a protocol used to synchronize the time between a server and your network. This protocol works on port 123. So basically, the attacks on that protocol will always be carried out to your destination port 123. One way to quickly determine an attack is checking the source port of the incoming traffic. If the source port is not 123, you can just drop it right away with an ACL. In other words, that is almost certainly an attack, as this is an anomaly. However, if the source port is 123, I don't recommend blocking it with an ACL, because it would also block legitimate traffic, as this is a legit protocol pattern.
In that case, I advise you to monitor the volume of the traffic coming from the source, and if it, for example, exceeds a certain threshold that you set, block it right away, even if there are no anomalies in the traffic. Our next protocol is chargen. Chargen is an old protocol for diagnostic purposes, but it's still a very popular attack vector even today. The mitigation is actually quite straightforward: just block port 19 for inbound traffic. The next one is the RTP flood. RTP is a protocol which is frequently used with SIP, which is actually a Voice over IP protocol.
For that one, you need to monitor ports 5060 and 5061. If you don't use Voice over IP, you can even block all the traffic coming to these ports. However, if you do run such a Voice over IP service, the mitigation part might not be straightforward. In such a case, what you need to do is basically check for top talkers by constantly monitoring the traffic, and during an attack you can block these top talkers if necessary.
The last one is SSDP, in other words the UPnP flood. Again, for this one the mitigation is straightforward: just block port 1900 for inbound traffic. If you haven't heard of it, this is a protocol used for the discovery of plug-and-play devices, like discovering the smart TVs in your home network.
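As an added example (not from the lecture), here are the four rules above applied to one monitoring window of flow records: ACL-drop on NTP traffic whose source port is not 123, volume threshold for NTP traffic from source port 123, outright inbound block for chargen (19) and SSDP (1900), and top-talker ranking for the SIP ports 5060/5061. The flow records, the byte threshold NTP_BYTES_THRESHOLD and the top-talker count SIP_TOP_N are constructed values, since the lecture leaves the thresholds to you.

```python
from collections import defaultdict
# Ports from the lecture: NTP 123, chargen 19, SSDP/UPnP 1900, SIP 5060/5061.
NTP_PORT = 123
BLOCK_INBOUND = {19: "chargen", 1900: "ssdp"}   # block these inbound outright
SIP_PORTS = {5060, 5061}
# Assumed thresholds (the lecture says "a threshold that you set", no numbers):
NTP_BYTES_THRESHOLD = 1_000_000   # bytes per source per window before blocking
SIP_TOP_N = 2                     # how many SIP top talkers to flag for review
# Constructed flow records for one monitoring window (src, sport, dport, bytes).
SAMPLE_FLOWS = [
    {"src": "198.51.100.7", "sport": 45000, "dport": 123, "bytes": 500},     # NTP, src port != 123
    {"src": "203.0.113.9", "sport": 123, "dport": 123, "bytes": 900_000},     # NTP from 123, heavy
    {"src": "203.0.113.9", "sport": 123, "dport": 123, "bytes": 300_000},     # same source, now over threshold
    {"src": "192.0.2.4", "sport": 123, "dport": 123, "bytes": 2_000},         # normal NTP
    {"src": "198.51.100.20", "sport": 19, "dport": 19, "bytes": 80_000},      # chargen
    {"src": "198.51.100.21", "sport": 1900, "dport": 1900, "bytes": 10_000},  # SSDP
    {"src": "203.0.113.50", "sport": 5060, "dport": 5060, "bytes": 700_000},  # SIP, heaviest sender
    {"src": "203.0.113.51", "sport": 40000, "dport": 5061, "bytes": 50_000},  # SIP
    {"src": "192.0.2.8", "sport": 33000, "dport": 5060, "bytes": 3_000},      # SIP, light
    {"src": "192.0.2.9", "sport": 51000, "dport": 443, "bytes": 20_000},      # unrelated HTTPS
]

def classify_flows(flows, ntp_threshold=NTP_BYTES_THRESHOLD, sip_top_n=SIP_TOP_N):
    """Map each source to: drop:<reason> (stateless ACL), block:ntp-volume
    (source port 123 but over threshold), review:sip-top-talker, or allow."""
    decisions = {}
    ntp_bytes = defaultdict(int)
    sip_bytes = defaultdict(int)
    for f in flows:
        src, sport, dport = f["src"], f["sport"], f["dport"]
        if dport in BLOCK_INBOUND:                     # chargen / SSDP: block inbound, full stop
            decisions[src] = "drop:" + BLOCK_INBOUND[dport]
        elif dport == NTP_PORT and sport != NTP_PORT:  # anomaly: ACL drop right away
            decisions[src] = "drop:ntp-bad-src-port"
        elif dport == NTP_PORT:                        # legit-looking NTP: count volume instead
            ntp_bytes[src] += f["bytes"]
        elif dport in SIP_PORTS:                       # SIP: rank senders, do not block blindly
            sip_bytes[src] += f["bytes"]
        else:
            decisions.setdefault(src, "allow")
    for src, total in ntp_bytes.items():
        if total > ntp_threshold:
            decisions[src] = "block:ntp-volume"
        else:
            decisions.setdefault(src, "allow")
    ranked = sorted(sip_bytes, key=sip_bytes.get, reverse=True)
    for i, src in enumerate(ranked):
        decisions[src] = "review:sip-top-talker" if i < sip_top_n else decisions.get(src, "allow")
    return decisions
```

The SIP top talkers are only flagged for review, matching the lecture's advice to block them during an attack rather than by default.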