Port 0/TCP: Port 0 is a reserved port. This port should not be used for any applications. Blocking protects our customers from potentially harmful types of network abuses.
Port 19/UDP: Port 19 (Chargen) is a protocol designed to generate a stream of characters for debugging and measurement. Because more recent tools have been developed for measurement and debugging purposes, blocking protects against use of this port in reflective DDoS attacks.
Port 25/TCP: Simple Mail Transfer Protocol (SMTP) is used to send email. Port 25/TCP may be blocked for customers with dynamically assigned Internet Protocol (IP) addresses to protect their systems from becoming a mail relay for spam. Customers can subscribe to AT&T SMTP services if they need to host an SMTP server on the internet.
Port 68/UDP: Port 68 is used to obtain dynamic IP address information from a Dynamic Host Configuration Protocol (DHCP) server. Port 68 may be blocked to eliminate the risk of exposure to a rogue DHCP server.
Port 123/UDP: Network Time Protocol (NTP) is used to accurately synchronize computer time of day to a reference time server. Some aspects of Port 123 may be limited to minimize malicious use. Poorly configured NTP servers can be used for reflective DDoS attacks, and some devices provide NTP service inadvertently, which exacerbates the port’s malicious use.
Port 135/TCP: NetBIOS is a network file sharing protocol and is also known as Common Internet File System or LanManager. Blocking protects customers from exposing files unintentionally, worms, and viruses.
Port 139/TCP: NetBIOS is a network file sharing protocol and is also known as Common Internet File System or LanManager. Blocking protects customers from exposing critical system files unintentionally, which could give system access to a malicious actor.
Port 445/TCP: NetBIOS is a network file sharing protocol and is also known as Common Internet File System or LanManager. Blocking mitigates a potential threat to certain operating systems. Similar to our blocking of Ports 135 and 139, blocking Port 445 protects customers from exposing files unintentionally, worms, and viruses.
Port 520/UDP: RIPv1. UDP port 520 is used by the Routing Information Protocol (RIP) to share network routing information. RIPv1 was designed to support route information sharing on small classful (class A, B, C, D) networks and has limited usefulness in today’s classless networks. Port 520 has been used by malicious actors to generate reflective DDoS attacks.
Port 1900/UDP: Universal Plug and Play (UPnP) is a protocol standard designed to allow device discovery over a local network. Some home routers may expose this port to the internet, which could allow attackers to defeat the security attributes of Network Address Translation (NAT) and to use the port for reflective DDoS attacks.
Port 3479/TCP: Twrpc is a protocol used for remote management of end user devices. Blocking this port protects customers from improper use of the port, which can cause end user device instability.
Port 7547/TCP: CPE WAN Management Protocol (CWMP) is a protocol used for remote management of end user devices. Blocking this port protects customers from improper use of the port, which can cause end user device instability.
Port 49152/TCP, 49955/TCP, 50001/TCP, 51001-51003/TCP, 51010-51011/TCP, 51020/TCP: These ports are numbered from the dynamic/private ephemeral port range. Their use varies according to implementation and may include end-user device management. Blocking these ports protects customers from malicious activity, which may include data exposure or attacks against the end user devices.
Port 61001/TCP: Internet Protocol Detail Record (IPDR) is a specification used to collect information from end user devices including device configuration data. Blocking TCP port 61001 prevents certain types of malicious activity including data exposure and end user device attacks.
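To see how a block list like the one above turns into an enforceable, auditable policy, the following added example (not AT&T's own tooling or configuration) encodes the ports in the page's own "N/PROTO" notation, expands the ranges, answers whether a given protocol/port would be dropped, limited or accepted, and renders the result as an nftables ruleset. The placement in a `forward` chain, the `dynamic_pool` address set used to scope the port 25 rule to dynamically addressed customers, and the 10-packets-per-second NTP limit are assumptions made for the example; the page only says port 25 "may be blocked" for dynamic addresses and that port 123 "may be limited".

```python
"""Encode an ISP-style port-blocking policy as data and emit nftables rules.
Added example; the port list is taken from the policy text above, everything
else (chain placement, set name, rate limit) is an assumption for illustration."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class BlockRule:
    proto: str   # "tcp" or "udp"
    lo: int      # first port of the range
    hi: int      # last port of the range (== lo for a single port)
    reason: str  # rationale paraphrased from the policy text
    scope: str   # "all", "dynamic-ip" (page: port 25) or "rate-limit" (page: port 123)


# Matches "445/TCP" or "51001-51003/TCP" as written in the policy text.
SPEC_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?/(TCP|UDP)$")


def parse_spec(spec: str) -> tuple[str, int, int]:
    """Turn 'lo-hi/PROTO' or 'port/PROTO' into (proto, lo, hi)."""
    m = SPEC_RE.match(spec.strip())
    if not m:
        raise ValueError(f"bad port spec: {spec!r}")
    lo = int(m.group(1))
    hi = int(m.group(2) or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"port range out of order or out of bounds: {spec!r}")
    return m.group(3).lower(), lo, hi


# (port spec(s) as on the page, rationale, scope). Multiple specs may share one line.
POLICY = [
    ("0/TCP", "reserved port, no legitimate application use", "all"),
    ("19/UDP", "Chargen, reflective DDoS amplifier", "all"),
    ("25/TCP", "SMTP, prevents dynamic-IP hosts becoming spam relays", "dynamic-ip"),
    ("68/UDP", "DHCP client, rogue DHCP server exposure", "all"),
    ("123/UDP", "NTP, reflective DDoS amplifier (limited, not blocked)", "rate-limit"),
    ("135/TCP", "NetBIOS/SMB family, unintended file exposure and worms", "all"),
    ("139/TCP", "NetBIOS/SMB family, unintended file exposure", "all"),
    ("445/TCP", "NetBIOS/SMB family, unintended file exposure and worms", "all"),
    ("520/UDP", "RIPv1, reflective DDoS amplifier", "all"),
    ("1900/UDP", "UPnP exposed to the internet, NAT bypass and reflection", "all"),
    ("3479/TCP", "Twrpc remote device management", "all"),
    ("7547/TCP", "CWMP remote device management", "all"),
    ("49152/TCP, 49955/TCP, 50001/TCP, 51001-51003/TCP, 51010-51011/TCP, 51020/TCP",
     "ephemeral-range ports used for end-user device management", "all"),
    ("61001/TCP", "IPDR collection, device configuration exposure", "all"),
]


def compile_policy(policy=POLICY) -> list[BlockRule]:
    """Expand every comma-separated spec into one BlockRule per port range."""
    rules = []
    for specs, reason, scope in policy:
        for spec in specs.split(","):
            proto, lo, hi = parse_spec(spec)
            rules.append(BlockRule(proto, lo, hi, reason, scope))
    return rules


def decision(rules: list[BlockRule], proto: str, port: int, dynamic_ip: bool = False) -> str:
    """Return 'drop', 'limit' or 'accept' for traffic to proto/port.
    dynamic_ip says whether the customer has a dynamically assigned address."""
    for r in rules:
        if r.proto != proto.lower() or not r.lo <= port <= r.hi:
            continue
        if r.scope == "dynamic-ip" and not dynamic_ip:
            continue
        return "limit" if r.scope == "rate-limit" else "drop"
    return "accept"


def to_nft(rules: list[BlockRule]) -> str:
    """Render the rules as an nftables table. The dynamic_pool set is assumed to be
    populated by the operator; the 10/second limit is an illustrative value."""
    lines = [
        "table inet filter {",
        "  set dynamic_pool { type ipv4_addr; flags interval; }",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
    ]
    for r in rules:
        ports = str(r.lo) if r.lo == r.hi else f"{r.lo}-{r.hi}"
        match = f"{r.proto} dport {ports}"
        if r.scope == "dynamic-ip":
            match = f"ip saddr @dynamic_pool {match}"
        limit = "limit rate over 10/second " if r.scope == "rate-limit" else ""
        lines.append(f'    {match} {limit}counter drop comment "{r.reason}"')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_nft(compile_policy()))
```

Keeping the policy as data rather than hand-written rules means the rationale travels with each rule (as the nft `comment`), ranges are validated before they reach the firewall, and a reviewer can query `decision()` to confirm that, for example, port 25 is only affected for dynamically addressed customers and port 51004 is untouched.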
Does AT&T restrict the types of devices that customers can use with its mass market broadband internet access services?
AT&T makes available to its customers a variety of network interface equipment for use with the broadband internet access services we deliver to homes and businesses, many of which are Wi-Fi enabled. We also make available a variety of additional tools, equipment and services to assist our customers in configuring the local network access in their home or business to meet their particular needs. This allows AT&T customers to use devices of their choice (PCs, Smartphones, Tablets, Smart TVs, etc.) to connect to the broadband internet access services at their home or business via Wi-Fi, via the existing wiring at their premises or via such other compatible local networking technology as they may choose to select.
Customers of our mass market mobile services may attach 3G-, 4G-, and 5G-capable devices of their choice to our mobile broadband internet access services, so long as the devices are FCC-approved, compatible with the technology used in our mobile network, and do not harm our network or other users. AT&T has retired its 2G network and we will not activate 2G-only capable devices. Our wired and Wi-Fi networks require compatible Ethernet or Wi-Fi capable devices. AT&T generally does not support IEEE 802.11b or earlier Wi-Fi protocols. Devices must also be used in a manner consistent with our terms of service and Acceptable Use Policy. For example, some data plans are designated for use with only a basic phone or smartphone, in which case customers may not use their device to provide an internet access connection to other equipment/devices (such as computers, netbooks, tablets, other phones, USB modems, network routers, media players, gaming consoles, or other data-capable devices) by tethering, by SIM card transfer, or any other means. However, customers wishing to use their service with a mobile hotspot/tethering device may purchase a data plan that already includes such use.
What tools does AT&T provide and what practices has AT&T adopted to help customers manage and secure local or in-home networks?
AT&T provides customers using its mass market wired and fixed wireless broadband internet access services tools to help them configure, manage, and secure their local or in-home networks. These tools provide customers information regarding the status of their internet service, the devices connected to their local or in-home network, and the performance and security of that network. They also provide recommendations on how to optimize and improve customers’ local or in-home network performance, such as by identifying Wi-Fi weak spots. The tools also enable customers to identify, understand, and manage potential problems and security threats that could affect their local or in-home network, and the devices connected to that network.
Data Collected to Support Local or In-home Network Management. AT&T’s local or in-home network management tools rely on data collected through the internet gateway device about the operation and performance of the local or in-home network, the devices connected to the network, and the traffic transiting the gateway. This data consists of non-personalized and/or anonymized technical and performance information and is used to help identify and alert customers to potential problems with or security threats to their local or in-home network. AT&T also uses this data to provide customers recommendations on how they can mitigate potential problems, better optimize their in-home network or respond to potential security threats.
Customers can access AT&T’s local or in-home network management tools through a variety of app and web-based portals, many of which allow customers to more easily control and/or personalize aspects of the internet gateway device. For example, through AT&T’s Smart Home Manager app, available as a download to Android or iOS devices or on the Web, customers can directly manage and personalize the in-home network name (SSID) and security settings for their main and guest Wi-Fi networks. For our residential fixed internet customers, AT&T also stores key customer home network settings so that, in the event of an internet gateway device failure or the need to reset and/or recover the internet gateway device, we can restore the customer’s settings.
Home Wi-Fi Optimization. On internet gateway devices with more than one Wi-Fi radio, AT&T’s Smart Wi-Fi includes band steering software that helps to optimize Wi-Fi connectivity between the internet gateway device and Wi-Fi enabled devices within the home. When AT&T detects that a customer’s Wi-Fi settings on their internet gateway device are sub-optimal, we send recommendations to the customer on how to better optimize the in-home network.
Some of our latest internet gateway devices include an additional 5 GHz Wi-Fi radio that is primarily managed and configured by AT&T. In its default configuration, this additional Wi-Fi radio provides load sharing capability designed to offer Wi-Fi connected devices a greater share of airtime and faster data throughput. When a customer adds an AT&T Smart Wi-Fi Extender to their home network, Wi-Fi traffic is backhauled between the extender and the internet gateway device primarily using the 5 GHz band. For devices with the additional 5 GHz radio, AT&T Smart Wi-Fi is designed to utilize the second 5 GHz radio as a managed backhaul to connect and carry traffic between the AT&T Smart Wi-Fi Extender(s) and the internet gateway device.
AT&T Smart Wi-Fi also supports a solution to simplify the initial Wi-Fi authentication and setup on AT&T managed devices, such as the AT&T Smart Wi-Fi Extender and the AT&T TV device. When activated for the first time, AT&T devices which support this simplified Wi-Fi setup process will automatically connect via the AT&T managed Wi-Fi radio to authenticate with a provisioning server to seamlessly and securely receive the customer’s Wi-Fi credentials. This automated authentication and provisioning service is only able to access the provisioning server, is isolated from the customer’s in-home network, and provides this capability only to AT&T managed devices specifically designed to support the automatic authentication process. If the AT&T managed device is not able to reach the provisioning server, customers will still be able to input their credentials manually using the applicable standard user interfaces.