Re: [Full-Disclosure] SQL Slammer - lessons learned
From: David Howe (DaveHowe@cmn.sharp-uk.co.uk)
Date: 02/03/03
From: "David Howe" <DaveHowe@cmn.sharp-uk.co.uk>
To: "Email List: Full Disclosure" <full-disclosure@lists.netsys.com>
Date: Mon, 3 Feb 2003 12:40:12 -0000

All good points - but missing the essential point that, even if the
internet ports were redivided into "server" at (say) 1-10240 and "user"
at 10241+ (like the current division at 1024) this worm would *still*
have spread like wildfire. The service exploited is a legitimate
service, so would be expected to run on a server port. Filtering would
allow you to block certain services at the expense of blocking anyone
being able to run those servers legitimately (which may be borderline
acceptable to filter dialup/home users and protect all those insecure
MSDE owners out there) but would still not have slowed the infection of
legitimate servers; the only place to close ports to inbound traffic is
at the server running that service in the first place.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html