North American Network Operators Group
Re: Blocking port udp/tcp 1433/1434
[email protected] wrote:
> On Thu, 12 May 2005 12:23:19 CDT, John Kristoff said:
>> I think there always has been some justification. Here is a very
>> small sample of real traffic that I can assure is not Slammer traffic,
>> but it is being filtered nonetheless (IP addresses removed):
>>
>> May 12 09:15:30.598 CDT[...] denied udp removed(53) -> removed(1434), 1 packet
>> May 12 09:26:30.210 CDT[...] denied tcp removed(80) -> removed(1434), 1 packet
>> May 12 09:32:23.122 CDT[...] denied tcp removed(80) -> removed(1434), 1 packet
>> May 12 09:42:38.558 CDT[...] denied udp removed(123) -> removed(123), 1 packet
>> May 12 10:12:50.422 CDT[...] denied udp removed(53) -> removed(1434), 1 packet
>
> Looks like a good justification to *NOT* filter. Somebody nuked the reply
> packets for 2 DNS lookups and 2 hits to web pages just because the user's
> machine picked 1434 as the ephemeral port. Oh, and one machine that
> got slapped across the face for having the temerity to ask what time it was. ;)

For TCP, you can filter it statefully, don't allow connections inbound to
1433/1434, 135-139, etc.

For UDP, you could risk allowing source 53/123/etc either "period", or
"to >1023" or "to 1434" depending on your taste, or just tolerate the
collateral damage.

(And yes, there's always the wise-arse using nmap -g53 or -g123 etc)

Jeff
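As an added illustration, not part of the thread, here is a small Python model of the filtering choices Jeff lists: stateful admission for TCP, and the four UDP options ("period", "to >1023", "to 1434", or tolerate the drops). It parses the denied-packet lines John quoted, plus two lines I constructed (a DNS reply landing on a low filtered port, and a packet to 1434 from a non-service source port), and reports which drops each policy would have avoided. The filtered port list (1433/1434 and 135-139 from Jeff's reply), the policy names, the log format regex, and the single state-table entry are my assumptions, not anything from the original poster's firewall.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample input: the five denied-packet lines quoted in the thread
# (addresses already removed by the poster) plus two lines constructed here
# to exercise the policy differences.
LOG_LINES = [
    "May 12 09:15:30.598 CDT[...] denied udp removed(53) -> removed(1434), 1 packet",
    "May 12 09:26:30.210 CDT[...] denied tcp removed(80) -> removed(1434), 1 packet",
    "May 12 09:32:23.122 CDT[...] denied tcp removed(80) -> removed(1434), 1 packet",
    "May 12 09:42:38.558 CDT[...] denied udp removed(123) -> removed(123), 1 packet",
    "May 12 10:12:50.422 CDT[...] denied udp removed(53) -> removed(1434), 1 packet",
    # constructed: DNS reply to a filtered low port (NetBIOS name service)
    "May 12 10:20:01.000 CDT[...] denied udp removed(53) -> removed(137), 1 packet",
    # constructed: packet to 1434 from an ordinary high source port
    "May 12 10:21:15.000 CDT[...] denied udp removed(40000) -> removed(1434), 1 packet",
]

# Assumed log format, matching the lines above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} [\d:.]+ \w+)\[[^\]]*\] denied (?P<proto>udp|tcp) "
    r"(?P<src>[^\s(]+)\((?P<sport>\d+)\) -> (?P<dst>[^\s(]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?$"
)

# Assumed inbound block list: the ports named in Jeff's reply.
FILTERED_PORTS: Set[int] = {1433, 1434, 135, 136, 137, 138, 139}
# Source ports of the DNS and NTP replies that get caught in the filter.
SERVICE_SPORTS: Set[int] = {53, 123}
# Policy names are mine: one per option in the reply.
POLICIES = ("tolerate", "period", "gt1023", "to1434")


@dataclass(frozen=True)
class Packet:
    ts: str
    proto: str
    sport: int
    dport: int


def parse_line(line: str) -> Optional[Packet]:
    """Parse one denied-packet log line; None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return Packet(m["ts"], m["proto"], int(m["sport"]), int(m["dport"]))


def udp_allowed(pkt: Packet, policy: str) -> bool:
    """Inbound UDP decision under one of the exception styles from the reply."""
    if pkt.dport not in FILTERED_PORTS:
        return True                      # rule does not apply
    if policy == "tolerate" or pkt.sport not in SERVICE_SPORTS:
        return False                     # no exception, or not a DNS/NTP reply
    if policy == "period":
        return True                      # service source port wins everywhere
    if policy == "gt1023":
        return pkt.dport > 1023          # only ephemeral-range destinations
    if policy == "to1434":
        return pkt.dport == 1434         # exception limited to the one port
    raise ValueError(f"unknown policy {policy!r}")


def tcp_allowed(pkt: Packet, established: Set[Tuple[int, int]]) -> bool:
    """Stateful inbound TCP: admit only packets of a flow the inside host opened.

    `established` holds (local_port, remote_port) pairs from the state table;
    addresses are omitted because the quoted log has them removed.
    """
    if pkt.dport not in FILTERED_PORTS:
        return True
    return (pkt.dport, pkt.sport) in established


def allowed(pkt: Packet, policy: str, established: Set[Tuple[int, int]]) -> bool:
    return tcp_allowed(pkt, established) if pkt.proto == "tcp" else udp_allowed(pkt, policy)


def evaluate(lines: List[str], policy: str,
             established: Set[Tuple[int, int]]) -> List[Tuple[Packet, bool]]:
    """Return (packet, would_be_allowed) for every parseable line."""
    pkts = [p for p in (parse_line(ln) for ln in lines) if p is not None]
    return [(p, allowed(p, policy, established)) for p in pkts]


def count_allowed(lines: List[str], policy: str,
                  established: Set[Tuple[int, int]]) -> int:
    """How many of the logged drops the given policy would have let through."""
    return sum(1 for _, ok in evaluate(lines, policy, established) if ok)


# Constructed state table: the inside host had opened TCP from port 1434 to 80.
ESTABLISHED: Set[Tuple[int, int]] = {(1434, 80)}

if __name__ == "__main__":
    for policy in POLICIES:
        print(f"--- policy {policy}: {count_allowed(LOG_LINES, policy, ESTABLISHED)} of "
              f"{len(LOG_LINES)} logged drops would pass")
        for pkt, ok in evaluate(LOG_LINES, policy, ESTABLISHED):
            print(f"  {pkt.proto} {pkt.sport:>5} -> {pkt.dport:<5} {'allow' if ok else 'deny'}")
```

Running it shows the trade-off in numbers: with no exception only the three non-1434 packets (two stateful web replies and the NTP reply, whose port is not in the modelled list) survive, "period" also passes the constructed DNS reply to 137, and the two narrower exceptions pass the 1434 replies but not that one. The constructed 40000 -> 1434 packet is dropped under every policy, and the NTP line passing under all of them says that the poster's filter was dropping more than the 1433/1434 rule modelled here.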