[unisog] Lifting backbone port 1434/udp blocks

Glenn Forbes Fleming Larratt glratt at rice.edu
Tue Jan 28 19:28:13 GMT 2003


How does 'forever' grab you?

We made the decision long ago (January 2001, after some initial TCP
1433 portscans) that MS-SQL servers were campus-only resources, and
there was no justification for allowing unfettered access thereto to
the entire Internet. Lucky for us...because SQLSnake hit in May.

We made the decision more recently (November 28th, after some initial
UDP 1434 portscans) that if we were going to block MS-SQL, we should
do it across the board, and block TCP and UDP 1433 and 1434. Lucky for
us, again...as this past weekend shows.

Regardless of worms or not, it seems pretty straightforward to me
(although I don't speak for Rice in this or any other particular) that
the necessity for SQL database access across an Internet border is one
that should be accommodated via VPN tunneling or other secure means,
rather than being allowed by default to all and sundry.

Now, http... *sigh*

In answer to the original query in the thread - I'm not aware of any
blocks put in place by our upstream commodity provider nor our
Internet2 uplink. I didn't ask, however, as our own filtering allowed
us to weather the storm.

	-g

On Tue, 28 Jan 2003 Phil.Rodrigues at uconn.edu wrote:

> Date: Tue, 28 Jan 2003 12:38:43 -0500
> From: Phil.Rodrigues at uconn.edu
> To: unisog at sans.org
> Subject: Re: [unisog] Lifting backbone port 1434/udp blocks
>
> On the flip side of that - how long do folks expect to continue blocking
> of UDP 1434 at the border?
>
> We first blocked TCP and UDP 1433 and 1434 in and out on Saturday morning,
> but this morning changed that to just UDP 1434 in and out.  We may allow
> outbound traffic soon, so I can more easily see those hosts that are still
> infected but not showing up on our radar.
>
> Our first level-ISP is the state educational network, which is blocking
> the same as us (at our recommendation).  Our first commercial provider,
> Qwest, did not block any of this traffic.
>
> Phil


				Glenn Forbes Fleming Larratt
				Rice University Network Management
				glratt at rice.edu
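
An added example, not part of the original message or of either poster's tooling: Python that reads border flow records and reports (a) campus hosts sending UDP 1434 to several off-campus addresses, which are the hosts the quoted message wants to see, and (b) any inbound flow to TCP/UDP 1433 or 1434 that the border permitted. The record format, the 192.0.2.0/24 campus range, the sample lines and the distinct-destination threshold are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: 192.0.2.0/24 (a documentation range) stands in for the campus network.
CAMPUS = ipaddress.ip_network("192.0.2.0/24")
MSSQL = {("tcp", 1433), ("tcp", 1434), ("udp", 1433), ("udp", 1434)}

# Constructed border flow records: proto src sport dst dport action
SAMPLE_FLOWS = """\
udp 192.0.2.10 1045 198.51.100.7 1434 deny
udp 192.0.2.10 1045 198.51.100.8 1434 deny
udp 192.0.2.10 1045 203.0.113.5 1434 deny
udp 192.0.2.10 1045 203.0.113.9 1434 deny
udp 192.0.2.20 3120 198.51.100.7 1434 deny
udp 192.0.2.30 2200 192.0.2.40 1434 permit
tcp 203.0.113.50 40112 192.0.2.40 1433 permit
udp 203.0.113.51 40113 192.0.2.40 1434 deny
udp 192.0.2.10 1046 198.51.100.53 53 permit
"""

def records(text):
    """Yield (proto, src, dst, dport, action) from whitespace-separated flow lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip blank or malformed lines
        proto, src, _sport, dst, dport, action = fields
        yield (proto.lower(), ipaddress.ip_address(src),
               ipaddress.ip_address(dst), int(dport), action.lower())

def outbound_udp1434_sources(text, min_dests=3):
    """Campus hosts sending UDP/1434 to >= min_dests distinct off-campus addresses."""
    dests = defaultdict(set)
    for proto, src, dst, dport, _action in records(text):
        if (proto, dport) == ("udp", 1434) and src in CAMPUS and dst not in CAMPUS:
            dests[src].add(dst)
    return {str(h): len(d) for h, d in dests.items() if len(d) >= min_dests}

def inbound_mssql_permitted(text):
    """Off-campus to campus flows on the four MS-SQL ports that the border let through."""
    return [(str(src), str(dst), proto, dport)
            for proto, src, dst, dport, action in records(text)
            if (proto, dport) in MSSQL and src not in CAMPUS
            and dst in CAMPUS and action == "permit"]

if __name__ == "__main__":
    print(outbound_udp1434_sources(SAMPLE_FLOWS))
    print(inbound_mssql_permitted(SAMPLE_FLOWS))
```

Counting denied flows as well as permitted ones means the first report works whether the outbound block is still in place and logging, or has been lifted.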


