Monday, February 28, 2011

Aspera FASP (Fast and Secure Protocol)

Aspera transfers use one TCP port for session initialization and control, and one UDP port for data transfer. The TCP port is usually either 22 (the default SSH port) or 33001, and the UDP port is 33001 by default.
Control: TCP Port 22 (SSH)
Data: UDP Port 33001-33020

Both connections are initiated by the client. The UDP port is negotiated between the server and the client. Unix servers are able to run parallel connections over the single port 33001. Windows operating systems require a unique port for each transfer, so a range of ports from 33001-33020 should be opened to allow multiple concurrent connections to the server.

Risks:
======
1) Firewalls can interpret the number of UDP transactions (2000+ per second) as a denial of service attack. Security features such as the Screens available on the Juniper SRX will need to be tuned to allow the high number of transactions. The UDP flood event is identified in the Junos logs as:
RT_IDS: RT_SCREEN_UDP: UDP flood! source: 1.1.1.1:33001, destination: 2.2.2.2:8883, zone name: Untrust, interface name: reth3.0

Relaxing the screen in this way has the potential of allowing through a large number of UDP packets containing 4 data bytes (all zeros), sent from one source port to random destination ports on the target host. The target host returns ICMP Port Unreachable messages and slows down because it is busy processing the UDP packets, at which point there is little or no network bandwidth left (Ref: Hack blog).
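Added example (not from the original post, and not Juniper or Aspera code): a small Python triage script that parses RT_SCREEN_UDP events in the format shown above and separates flows that involve a sanctioned Aspera server on the 33001-33020 range from everything else, so the screen can be whitelisted for those servers only rather than loosened globally. The sample log lines, all addresses, and the inventory set KNOWN_ASPERA_SERVERS are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample RT_SCREEN_UDP events (invented addresses, not real device output).
SAMPLE_LOGS = [
    "RT_IDS: RT_SCREEN_UDP: UDP flood! source: 1.1.1.1:33001, destination: 2.2.2.2:8883, "
    "zone name: Untrust, interface name: reth3.0",
    "RT_IDS: RT_SCREEN_UDP: UDP flood! source: 2.2.2.2:50210, destination: 1.1.1.1:33004, "
    "zone name: Trust, interface name: reth2.0",
    "RT_IDS: RT_SCREEN_UDP: UDP flood! source: 5.5.5.5:40000, destination: 2.2.2.2:53, "
    "zone name: Untrust, interface name: reth3.0",
    "RT_IDS: RT_SCREEN_UDP: UDP flood! source: 5.5.5.5:40000, destination: 2.2.2.2:33001, "
    "zone name: Untrust, interface name: reth3.0",
]

EVENT_RE = re.compile(
    r"RT_SCREEN_UDP: UDP flood! source: (?P<src>[\d.]+):(?P<sport>\d+), "
    r"destination: (?P<dst>[\d.]+):(?P<dport>\d+)")

ASPERA_UDP_PORTS = range(33001, 33021)  # 33001-33020, the range the post says to open
KNOWN_ASPERA_SERVERS = {"1.1.1.1"}      # hypothetical inventory of sanctioned Aspera servers


def parse_event(line):
    """Return the address/port fields of an RT_SCREEN_UDP event, or None for other lines."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev


def classify(ev, servers=KNOWN_ASPERA_SERVERS):
    """'expected-fasp' only when a sanctioned Aspera server sits on a FASP UDP port at
    either end of the flow (server-to-client data or client-to-server); else 'investigate'."""
    server_side = ((ev["src"] in servers and ev["sport"] in ASPERA_UDP_PORTS)
                   or (ev["dst"] in servers and ev["dport"] in ASPERA_UDP_PORTS))
    return "expected-fasp" if server_side else "investigate"


def summarize(lines, servers=KNOWN_ASPERA_SERVERS):
    """Count events per (source address, verdict): the first bucket feeds a screen
    whitelist for the transfer servers, the second is what still merits a look."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev:
            counts[(ev["src"], classify(ev, servers))] += 1
    return dict(counts)
```

Note that a flow hitting an Aspera port on a host that is not in the inventory (the last sample line) is still flagged, which is the case a blanket port-based exception would hide.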

2) FASP applications can also pose a considerable risk to enterprise network bandwidth, potentially impacting business-critical applications. Since their data transfer rate adapts to the available bandwidth on the end-to-end path, enterprises can protect their critical network segments by applying appropriate bandwidth controls. On the Palo Alto Networks Next Generation Firewalls, the App-ID technology identifies all traffic from this application as FASP. Security and QoS policies can then be configured, based on the application, to deny, allow, or rate-limit the traffic according to defined bandwidth limits. Whatever application and bandwidth usage policies businesses come up with, network and security administrators will need to equip themselves with the right tools to enforce them (Ref: Palo Alto Networks).