[Dshield] sql ports

Johannes Ullrich jullrich at euclidian.com
Sun Jan 26 16:54:09 GMT 2003


Yes. Don't give anybody any ideas ;-). Picking out the worm traffic and
filtering it would be a bit harder as well.

Right now, most major ISPs block port 1434 UDP. However, the routers they
use to block the traffic are not stateful. So as it stands right now,
some 'legit' UDP traffic (e.g. DNS) will get rejected once in a while.
They may be able to prevent this by checking the source port, as long
as the worm sticks to high source ports.

However, I think one point about this worm is that it is so effective
because it is simple and small. Any more code would have made it less
effective. For example, binding to port 53 may not have worked on some
machines or using a fancier random IP generator or fancier payload would
have limited the packet rate. But this is just idle speculation.



On Sun, 26 Jan 2003 11:21:56 +0000 (GMT)
hobbit at avian.org (*Hobbit*) wrote:

> It just occurred to me that if the worm had used *source* port 53, it
> might get into a lot more places.  Shiver.
> 
> If M$ hasn't thought about rejecting such behavior within the
> application, they should.
> 
> _H*


-- 
--------------------------------------------------------------------
jullrich at euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org
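
The filtering trade-off discussed in this thread, as an added example that is not part of the original post: a stateless block on destination port 1434, the same block refined with a source-port check, and a stateful filter that only admits replies to flows seen going out. The packets and addresses are constructed (documentation address ranges), and only the inbound direction is modeled, which is an assumption.

```python
from collections import namedtuple

# Constructed packet model: UDP only, 'outbound' is True when leaving the protected network.
Pkt = namedtuple("Pkt", "src sport dst dport outbound")
BLOCKED_PORT = 1434  # UDP port the post says ISPs are blocking

def stateless_block(pkt):
    """Allow unless the packet is inbound to port 1434 (no flow tracking)."""
    return pkt.outbound or pkt.dport != BLOCKED_PORT

def stateless_sport_check(pkt):
    """Same block, applied only when the source port is high (>= 1024)."""
    if pkt.outbound or pkt.dport != BLOCKED_PORT:
        return True
    return pkt.sport < 1024

class StatefulFilter:
    """Admit inbound traffic to port 1434 only as a reply to a recorded outbound flow."""
    def __init__(self):
        self.flows = set()

    def allow(self, pkt):
        if pkt.outbound:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if pkt.dport != BLOCKED_PORT:
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows

def evaluate():
    """Return {packet name: (stateless, source-port check, stateful)} allow decisions."""
    client, resolver, other = "192.0.2.10", "198.51.100.53", "203.0.113.7"
    query = Pkt(client, 1434, resolver, 53, True)   # ephemeral source port happens to be 1434
    inbound = [
        ("dns_reply", Pkt(resolver, 53, client, 1434, False)),          # legitimate reply
        ("unsolicited_high", Pkt(other, 40000, client, 1434, False)),   # no prior flow, high source port
        ("unsolicited_sport53", Pkt(other, 53, client, 1434, False)),   # no prior flow, source port 53
    ]
    stateful = StatefulFilter()
    stateful.allow(query)  # the outbound query creates the flow entry
    return {name: (stateless_block(p), stateless_sport_check(p), stateful.allow(p))
            for name, p in inbound}

if __name__ == "__main__":
    for name, decisions in evaluate().items():
        print(name, decisions)
```

Only the stateful filter both passes the DNS reply and drops the two unsolicited packets; the source-port refinement fixes the DNS case but depends on the source port staying high.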


