[Full-Disclosure] SQL Slammer - lessons learned
Niels Bakker
niels=netsys at bakker.net
Wed Feb 5 18:32:20 GMT 2003
> On Wed, 2003-02-05 at 06:55, John.Airey at rnib.org.uk wrote:
>> Sure, you can block 1434 udp inbound, but what if your DNS server (that
>> doesn't run SQL server) picks that port randomly for incoming data from
>> other DNS servers? You'll get failures when you shouldn't.
* pauls at utdallas.edu (Paul Schmehl) [Wed 05 Feb 2003, 16:57 CET]:
> No, you wouldn't, because DNS servers talk on port 53, and they wouldn't
> negotiate port 1434 because it's reserved for SQL.
Please learn how the Internet works. BIND8 and up don't use 53 as
source for outgoing queries anymore by default; you can override this in
named.conf with
---
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
---
So, given (1434 - 1023 - 1) other active applications that use UDP, or
that many outstanding queries, BIND may very well end up using UDP port
1434 for a query packet.
There is nothing in any application that keeps it from using 1434/udp,
except it being in use already by another application. Apart from the
ludicrous idea that UDP ports are `negotiated' in any way.
-- Niels.
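To make the point concrete, here is an added illustration (not part of the thread, and not BIND code): a toy model of a resolver that hands out unprivileged source ports in order, so that with 410 UDP sockets already busy the next query leaves from 1434, checked against a stateless "drop inbound udp/1434" rule and against a filter that only admits replies to queries it saw leave. The sequential port allocator, the addresses and the packet counts are constructed assumptions.

```python
"""Added illustration: why a stateless 'drop inbound udp/1434' ACL can break DNS.
Constructed model, not BIND's real port allocator: free unprivileged ports are
handed out in order, as the post's (1434 - 1023 - 1) arithmetic assumes."""
from dataclasses import dataclass

SLAMMER_PORT = 1434          # UDP port the worm targeted, per the thread
FIRST_UNPRIVILEGED = 1024    # BIND 8.1+ default: an unprivileged source port
DNS_PORT = 53

@dataclass(frozen=True)
class Udp:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def outgoing_queries(resolver, upstream, ports_busy, count, query_source_port=None):
    """Model `count` queries from `resolver` to `upstream`.  `ports_busy` other
    UDP sockets push the first query's source port to 1024 + ports_busy.
    `query_source_port` models the 'query-source address * port 53' line."""
    first = FIRST_UNPRIVILEGED + ports_busy
    return [Udp(resolver, query_source_port or (first + i), upstream, DNS_PORT)
            for i in range(count)]

def reply_to(q):
    """The upstream server's answer mirrors the query's addresses and ports."""
    return Udp(q.dst_ip, q.dst_port, q.src_ip, q.src_port)

def stateless_filter(pkt, _outstanding):
    """The ACL from the thread: drop anything addressed to udp/1434, nothing else."""
    return pkt.dst_port != SLAMMER_PORT

def stateful_filter(pkt, outstanding):
    """Admit an inbound packet only if it answers a query that was seen leaving."""
    return reply_to(pkt) in outstanding   # reply_to(reply_to(q)) == q

def dropped_reply_ports(queries, rule):
    """Source ports of queries whose legitimate reply the rule would discard."""
    outstanding = set(queries)
    return [q.src_port for q in queries if not rule(reply_to(q), outstanding)]

def blocks_worm_probe(rule, queries):
    """Either rule must still drop an unsolicited packet aimed at udp/1434."""
    probe = Udp("198.51.100.7", 4321, queries[0].src_ip, SLAMMER_PORT)  # constructed
    return not rule(probe, set(queries))

if __name__ == "__main__":
    qs = outgoing_queries("192.0.2.53", "203.0.113.1", ports_busy=410, count=5)
    print("stateless ACL drops replies to ports:", dropped_reply_ports(qs, stateless_filter))
    print("stateful filter drops replies to ports:", dropped_reply_ports(qs, stateful_filter))
    pinned = outgoing_queries("192.0.2.53", "203.0.113.1", 410, 5, query_source_port=53)
    print("with query-source port 53, stateless ACL drops:", dropped_reply_ports(pinned, stateless_filter))
```

Pinning the source port to 53 does avoid the collision, but it also removes the source-port entropy that later DNS cache-poisoning mitigations depend on, so tracking outbound queries at the firewall is the cleaner fix.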
--
Full-Disclosure is hosted and sponsored by Secunia.