RE: [Full-Disclosure] SQL Slammer - lessons learned

From: John.Airey@rnib.org.uk
Date: 02/06/03

  • Next message: bugzilla@redhat.com: "[Full-Disclosure] [RHSA-2003:037-09] Updated Xpdf packages fix security vulnerability" 
    From: John.Airey@rnib.org.uk
To: nicob@nicob.net, full-disclosure@lists.netsys.com
Date: Thu, 6 Feb 2003 12:32:32 -0000

    > -----Original Message-----
    > From: Nicob [mailto:nicob@nicob.net]
    > Sent: 06 February 2003 10:42
    > To: full-disclosure@lists.netsys.com
    > Subject: RE: [Full-Disclosure] SQL Slammer - lessons learned
    >
    >
    > On Wed, 2003-02-05 at 16:38, Paul Schmehl wrote:
    >
    > > Can you think of a legitimate reason why ISPs should allow ports
    > > 135-139/TCP/UDP to be open to the Internet? How about port
    > 445/UDP?
    >
    > IMO, it's not to the ISP to choose wich ports and services
    > should I use.
    > I pay it (sort of) for a pipe running from my home-computer
    > to the wild
    > Internet and *that's all*.
    >
    > I don't want some "services" like transparent proxies, AV scanning at
    > the mail relay or port filtering. I just want a pipe ...
    >
    > > What about the ISPs whose policy it is to not allow
    > > customers to run servers?
    >
    > That's another problem.
    >
    > If I ask for a pipe, I want a pipe.
    > If I ask for a discount ADSL access with limited amount of
    > trafic and no
    > allowed hosting (HTTP, FTP, SMTP, SSH, ...), the ISP can restrict the
    > inbound ports.
    >
    > If the next big vuln/worm is a SSH one, would you agree with an ISP
    > blocking inbound TCP/22 and forbidding to users to connect to their
    > home-LAN to check mails, get some files, start the
    > coffe-maker or manage
    > downloads ?
    >
    >
    Not at all, especially when that would stop me tunnelling VNC through SSH,
    a lot cheaper than PC/Anywhere!

    We've drifted from my original point, that ports used dynamically by IP
    stacks should be distinct from service ports, so that ISPs or administrator
    CAN block them without impacting the end user if they so wish. At the minute
    we need stateful filtering to rescue us from the port allocation mess we are
    in. SQL Slammer was only as successful as it was because stateful filtering
    isn't widespread, ie this one got past many administrators of large networks
    who are already careful about which services are publicly available.

    Given the choice between controlling traffic at the border or keeping
    thousands of "non-public" machines up to date, I know which I'd choose.

    -
    John Airey, BSc (Jt Hons), CNA, RHCE
    Internet systems support officer, ITCSD, Royal National Institute of the
    Blind,
    Bakewell Road, Peterborough PE2 6XU,
    Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey@rnib.org.uk

    Am I the only person in the UK who finds it strange that our Prime Minister
    complains of Human Rights abuses around the world, yet wishes to opt out of
    the European Convention of Human Rights?

    -

    NOTICE: The information contained in this email and any attachments is
    confidential and may be legally privileged. If you are not the
    intended recipient you are hereby notified that you must not use,
    disclose, distribute, copy, print or rely on this email's content. If
    you are not the intended recipient, please notify the sender
    immediately and then delete the email and any attachments from your
    system.

    RNIB has made strenuous efforts to ensure that emails and any
    attachments generated by its staff are free from viruses. However, it
    cannot accept any responsibility for any viruses which are
    transmitted. We therefore recommend you scan all attachments.

    Please note that the statements and views expressed in this email
    and any attachments are those of the author and do not necessarily
    represent those of RNIB.

    RNIB Registered Charity Number: 226227

    Website: http://www.rnib.org.uk
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

    Relevant Pages

    • RE: [Full-Disclosure] SQL Slammer - lessons learned
      ... it's not to the ISP to choose wich ports and services should I use. ... I think you're confused about who owns the pipe. ... The ISPs can do ... business with them or take your business elsewhere. ...
      (Full-Disclosure)
    • Re: [Full-Disclosure] Should ISPs be blocking open ports for their customers?
      ... is it common practice that ISPs are inspecting the TCP headers? ... >ports will isolate infected machines and slow the spread of malicious, ... >these worms do have legitimate uses. ...
      (Full-Disclosure)
    • Re: ISP Blocking ports
      ... >> My ISP blocks certain ports at the cable modem level. ... So, instead of signing petitions, upgrade your connection to one that _does_ ... If you don't like your current ISPs prices for that, ... or get yourself external hosting that supports your own vanity domain. ...
      (comp.unix.bsd.openbsd.misc)
    • Re: Outpost blocks everything
      ... >> also use them as DNS servers), and maybe a few other ports (25 for ... >> these ports are open because the server is doing multiple jobs. ... > But many ISPs are smart enough to restrict access to those ports to IP ... developers there running test web servers on their own PCs and them being ...
      (comp.security.firewalls)
    • RE: Outbound Port scans, ports 3800+
      ... >ports 3800 and higher. ... >CONFIDENTIALITY NOTICE: ... If the reader of this message is not the intended recipient, ... send/receive up to 3MB attachments. ...
      (Security-Basics)
    • Quantcast