Full Disclosure mailing list archives

Re: The worm author finally revealed!


From: "David Howe" <DaveHowe () cmn sharp-uk co uk>
Date: Fri, 31 Jan 2003 17:31:30 -0000

at Friday, January 31, 2003 3:55 PM, Paul Schmehl <pauls () utdallas edu>
> Firewall?  DMZ?  What makes you think everybody has those?
It's about $40 for a personal firewall; Windows 2K and above come as
standard with one installed anyhow. Even if this won't give you a DMZ,
it at least gives you local port filtering. Why allow access to anything
other than the required ports?  It's your server and if it gets
compromised it's your problem. Use the available tools to expose just the
ports you use and no others (Unix admins seem to have no problems with
this concept - why do Windows admins seem to go for "do a full install
and give it whatever access it wants"?)

> How 'bout
> an even more esoteric question?  Why do the tier 1 providers (like
> UUNET) allow traffic on port 1434???
Because there is no reason to block it.
1434 is not a special port in the standard lists - it can't be, as only
ports under 1024 are reserved by default. Therefore, the 410th port
opened by $random_subscriber will be on 1434 and blocking it would cause
an awkward-to-trace error. Second, some of their customers will *want*
that port open - you can virtually guarantee it - why make extra work
just to lose customers? Finally, the same argument would be presented as
is used for why ISPs don't filter out 1918 addresses - the second you
start doing *any* filtering on a router, it slows down the router and
therefore increases the spec of router needed to handle that traffic at
line speed. You could make a *much* better case to block martians and
spoofs than to block arbitrary services.
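The ingress-filtering argument above, as an added illustration that is not part of the post: a small classifier that applies the two filters the reply contrasts, a source-address check for martians (RFC 1918, loopback, link-local, multicast) and for packets spoofing the provider's own prefix, next to an optional destination-port block. The prefix list, the customer prefix `198.51.100.0/24`, and the sample packets are constructed here (documentation address ranges) and are not taken from the thread. Running it with `blocked_ports={1434}` shows the cost the reply describes: the source filters catch only the spoofed and martian packets, while the port block also drops a legitimate query and a reply landing on a client's dynamically assigned port above 1024.

```python
import ipaddress

# Constructed list of source prefixes that should never arrive from the
# public Internet on an upstream link ("martians" in the reply's terms).
MARTIAN_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8",        # unspecified / "this network"
    "10.0.0.0/8",       # RFC 1918
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918
    "192.168.0.0/16",   # RFC 1918
    "224.0.0.0/4",      # multicast, invalid as a unicast source
)]


def is_martian(src):
    """True if the source address lies in a prefix that cannot legitimately
    originate traffic arriving from upstream."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in MARTIAN_PREFIXES)


def ingress_filter(packets, own_prefix, blocked_ports=frozenset()):
    """Classify packets seen on an Internet-facing ingress link.

    packets:       iterable of (src_ip, dst_ip, proto, dst_port)
    own_prefix:    the provider's own customer prefix; a packet arriving
                   from upstream with a source inside it is a spoof
    blocked_ports: optional destination ports to drop, so the cost of
                   port-based filtering can be compared with source checks
    Returns (accepted, dropped); dropped holds (packet, reason) pairs.
    """
    own = ipaddress.ip_network(own_prefix)
    accepted, dropped = [], []
    for pkt in packets:
        src, _dst, _proto, dport = pkt
        if is_martian(src):
            dropped.append((pkt, "martian source"))
        elif ipaddress.ip_address(src) in own:
            dropped.append((pkt, "spoofed own prefix"))
        elif dport in blocked_ports:
            dropped.append((pkt, "port %d blocked" % dport))
        else:
            accepted.append(pkt)
    return accepted, dropped


# Constructed sample traffic using documentation ranges (TEST-NET-2/3).
SAMPLE_PACKETS = [
    ("203.0.113.5", "198.51.100.10", "udp", 1434),    # query from the Internet
    ("10.1.2.3", "198.51.100.10", "udp", 1434),       # RFC 1918 source: martian
    ("198.51.100.77", "198.51.100.10", "tcp", 80),    # our prefix from upstream: spoof
    ("203.0.113.9", "198.51.100.20", "tcp", 1434),    # reply to a client's ephemeral port
]


def drop_summary(packets, own_prefix, blocked_ports=frozenset()):
    """Count drop reasons and accepted packets for a quick comparison."""
    accepted, dropped = ingress_filter(packets, own_prefix, blocked_ports)
    summary = {"accepted": len(accepted)}
    for _pkt, reason in dropped:
        summary[reason] = summary.get(reason, 0) + 1
    return summary


if __name__ == "__main__":
    own = "198.51.100.0/24"
    print("source filters only:", drop_summary(SAMPLE_PACKETS, own))
    print("plus port 1434 block:", drop_summary(SAMPLE_PACKETS, own, {1434}))
```

With source filtering alone, two of the four sample packets are accepted and the martian and spoofed ones are dropped; adding the port block drops the remaining two as well, including the one addressed to a client port that merely happened to be 1434.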


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

