[Dshield] sql ports

Stephane Grobety security at admin.fulgan.com
Mon Jan 27 08:33:45 GMT 2003


EBD> You seem to think miscreants are stupid and uncreative.  Bear in
EBD> mind that these people study a vulnerability, then write exploits
EBD> in assembly language.  I'd say that's far from stupid and
EBD> uncreative.

Perfectly true... It's better to discuss a flaw and have everyone know
about it than let a "selected few" be the only ones knowing about it...
However [...]

EBD> No, it's better to have information "out in the open".  I've seen
EBD> many firewalls blindly trust traffic from UDP/53 or TCP/20 -- a
EBD> serious mistake.

... no one in his right mind would do such filtering. I seriously
doubt that anyone opening port 53/UDP for DNS lookup would be dumb
enough to make the filter work on the source port only. For memory,
only massively outdated versions of BIND use that dumb convention of
only allowing DNS traffic coming FROM port 53 (and these versions are
all vulnerable to a vast array of attacks). And even if someone wrote
such a filter, he'd have to know about the reason why it is there
and filter on port 53 in AND out.

My conclusion? It wouldn't have mattered what port the worm picked to
replicate. People that are wide open would still be wide open, people
that are protected would still be protected.

Good luck,
Stephane


