North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Blocking port udp/tcp 1433/1434

  • From: Jeff Kell
  • Date: Thu May 12 16:28:36 2005
  • Openpgp: url=http://www.utc.edu/Staff/Jeff-Kell/pgpkey.txt

[email protected] wrote:
> On Thu, 12 May 2005 12:23:19 CDT, John Kristoff said:

>>I think there always has been some justification.  Here is a very
>>small sample of real traffic that I can assure is not Slammer traffic,
>>but it is being filtered nonetheless (IP addresses removed):
>>
>>  May 12 09:15:30.598 CDT[...] denied udp removed(53) -> removed(1434), 1 packet
>>  May 12 09:26:30.210 CDT[...] denied tcp removed(80) -> removed(1434), 1 packet
>>  May 12 09:32:23.122 CDT[...] denied tcp removed(80) -> removed(1434), 1 packet
>>  May 12 09:42:38.558 CDT[...] denied udp removed(123) -> removed(123), 1 packet
>>  May 12 10:12:50.422 CDT[...] denied udp removed(53) -> removed(1434), 1 packet
> 
> Looks like a good justification to *NOT* filter. Somebody nuked the reply
> packets for 2 DNS lookups and 2 hits to web pages just because the user's
> machine picked 1434 as the ephemeral port.  Oh, and one machine that
> got slapped across the face for having the temerity to ask what time it was. ;)

For TCP, you can filter it statefully, don't allow connections inbound
to 1433/1434, 135-139, etc.

For UDP, you could risk allowing source 53/123/etc either "period",
                                                       or "to >1023"
                                                       or "to 1434"
depending on the your taste, or just tolerate the collateral damage.

(And yes, there's always the wise-arse using nmap -g53 or -g123 etc)

Jeff