Re: SQL Slammer - lessons learned

[Niels Bakker <niels=netsys () bakker net>]

> On Wed, 2003-02-05 at 06:55, John.Airey () rnib org uk wrote:
> > Sure, you can block 1434 udp inbound, but what if your DNS server (that
> > doesn't run SQL server) picks that port randomly for incoming data from
> > other DNS servers? You'll get failures when you shouldn't.

* pauls () utdallas edu (Paul Schmehl) [Wed 05 Feb 2003, 16:57 CET]:
> No, you wouldn't, because DNS servers talk on port 53, and they wouldn't
> negotiate port 1434 because it's reserved for SQL.

Please learn how the Internet works.  BIND8 and up don't use 53 as
source for outgoing queries anymore by default; you can override this in
named.conf with

---
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
---

So, given (1434 - 1023 - 1) other applications that use UDP active, or
that many outstanding queries, BIND may very well end up using UDP port
1434 for a query packet.

There is nothing in any application that keeps it from using 1434/udp,
except it being in use already by another application.  Apart from the
ludicrous idea that UDP ports are `negotiated' in any way.


        -- Niels.

-- 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html