On Thu, 12 May 2005 04:15:07 -1000 Brian Russo <brian@entropy.net> wrote:
Perhaps a better question is:
Is there now justification for allowing transit for ms-sql slammer ports?
I think there always has been some justification. Here is a very small sample of real traffic that I can assure is not Slammer traffic, but it is being filtered nonetheless (IP addresses removed): May 12 09:15:30.598 CDT[...] denied udp removed(53) -> removed(1434), 1 packet May 12 09:26:30.210 CDT[...] denied tcp removed(80) -> removed(1434), 1 packet May 12 09:32:23.122 CDT[...] denied tcp removed(80) -> removed(1434), 1 packet May 12 09:42:38.558 CDT[...] denied udp removed(123) -> removed(123), 1 packet May 12 10:12:50.422 CDT[...] denied udp removed(53) -> removed(1434), 1 packet Some have suggested adjusting filters so that the src port is > 1023, which may be somewhat less harmful, but then others may object to this being an unacceptable hole. You can design networks, educate people, build tools, and write secure software to deal with all of the security problems, which will be very expensive and slow or you can count down from 2^320 til you approach 0, perhaps in large jumps, which is the way of the IP/TCP packet filters. That might be just as slow and expensive, but unfortunately results in complete dismantling of the system. Perhaps there are better alternatives, but I think they probably fall in between those two. John