Full Disclosure mailing list archives

Re: SQL Slammer - lessons learned


From: "David Howe" <DaveHowe () cmn sharp-uk co uk>
Date: Mon, 3 Feb 2003 12:40:12 -0000

All good points - but missing the essential point that, even if the
internet ports were redivided into "server" at (say) 1-10240 and "user"
at 10241+ (like the current division at 1024) this worm would *still*
have spread like wildfire. The service exploited is a legitimate
service, so would be expected to run on a server port. Filtering would
allow you to block certain services at the expense of blocking anyone
being able to run those servers legitimately (which may be borderline
acceptable to filter dialup/home users and protect all those insecure
MSDE owners out there) but would still not have slowed the infection of
legitimate servers; the only place to close ports to inbound traffic is
at the server running that service in the first place.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

