Full Disclosure mailing list archives

Re: SQL Slammer - lessons learned


From: Blue Boar <BlueBoar () thievco com>
Date: Thu, 06 Feb 2003 17:30:12 -0800

Ron DuFresne wrote:
Perhaps I'm wrong and will be corrected, but nslookup and dig and the
various other tools retry after a short timeout period, and do so on
different ports than the first timeout request was made.<?>  If I'm
reading this correctly, then the significance of a dropped packet in a
request is minimal.

Depends on the resolver. I just did some tests from Windows XP SP1 while running Ethereal. If you use the Windows nslookup, it does indeed use a different source port for each request. However, if you try it from the cmd prompt with ping, or from a browser (both of which I presume use the lookup calls from wsock32.dll) then it does not change source ports. In fact, it used the same source port to try both (fake) DNS hosts I configured. It used the same source port half a minute later when I tried again.

The overall point being that if you start blocking arbitrary ports, you break things in interesting ways.

                                                BB

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
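
The following is an added example, not part of the original post or thread: it checks per-client DNS source-port behaviour in flow records and shows which clients lose replies behind a stateless filter on a given UDP port. The records, client labels, addresses and the choice of UDP 1434 (the port Slammer used) as the blocked port are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed records, not a real capture: (seconds, client, udp_src_port, dns_server)
QUERIES = [
    (0.0,  "nslookup", 1433, "192.0.2.1"),
    (2.0,  "nslookup", 1434, "192.0.2.1"),
    (4.0,  "nslookup", 1435, "192.0.2.2"),
    (0.0,  "ping",     1434, "192.0.2.1"),
    (1.0,  "ping",     1434, "192.0.2.2"),
    (31.0, "ping",     1434, "192.0.2.1"),
    (0.0,  "browser",  1500, "192.0.2.1"),
    (30.0, "browser",  1500, "192.0.2.1"),
]

def ports_by_client(queries):
    """Source ports used by each client, in time order."""
    ports = defaultdict(list)
    for _, client, sport, _ in sorted(queries):
        ports[client].append(sport)
    return dict(ports)

def classify(ports):
    """'fixed' if every query left from one port, else 'rotating'."""
    return "fixed" if len(set(ports)) == 1 else "rotating"

def filter_impact(queries, blocked_udp_ports):
    """Effect of a stateless inbound filter dropping UDP to blocked ports.

    A DNS reply is addressed to the query's source port, so a query sent
    from a blocked port never sees its answer.
    """
    impact = {}
    for client, ports in ports_by_client(queries).items():
        lost = [p in blocked_udp_ports for p in ports]
        if not any(lost):
            impact[client] = "unaffected"
        elif all(lost):
            impact[client] = "all replies dropped"
        else:
            impact[client] = "some replies dropped, retry succeeds"
    return impact

if __name__ == "__main__":
    for client, ports in ports_by_client(QUERIES).items():
        print(client, classify(ports), ports)
    print(filter_impact(QUERIES, {1434}))
```
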

