Is it time to block all Microsoft protocols in the core?

Sean Donelan sean at donelan.com
Mon Jan 27 08:19:33 UTC 2003


On Mon, 27 Jan 2003, Phil Rosenthal wrote:
> Has someone gone and hacked the 5000 or so remaining infected hosts that
> were hackable somehow, and patched/rebooted?

Have you tried sending a UDP 1434 packet through a major Internet core
network this weekend?  Most of those machines are still blasting away,
but the packets are getting dropped.  It may be a long time before many
of those filters are ever removed. I suspect Monday morning, ISP customer
service centers are going to get calls from users asking why they can't
access their MS-SQL databases across the Internet.

Should ISPs start blocking all Microsoft protocols in self-defense?  135,
137, 138, 139, 322, 349, 445, 507, 522, 568, 569, 593, 612, 613, 691,
1232, 1270, 1433, 1434, 1477, 1478, 1512, 1607, 1711, 1723, 1731, 1745,
1801, 1863, 1895, 1900, 1944, 2106, 2234, 2382, 2383, 2393, 2394, 2460,
2504, 2525, 2701, 2702, 2703, 2704, 2724, 2869, 3020, 3074, 3126, 3132,
3268, 3269, 3343, 3389, 3535, 3544, 3587, 4350, 4500, 5678, 5679, 5720,
6073, 6588, 9753, 11320, 47624, ....

Since many users install database products just for local use, why
does the database open up a network port on the initial installation?
Wouldn't it be better to ask the user, or only open the network port if
it's being used?

It's not just a Microsoft thing.  SYSLOG opened the network port by
default, and the user has to remember to disable it for only local
logging.
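
Added example, not part of the original post: a small audit of which listening sockets on a host are reachable from the network rather than bound to loopback only, which is the default-exposure question raised above. The `ss -H -lntu` sample is constructed, and the function names and the syslog port (UDP 514) are assumptions of this example.

```python
import ipaddress

# Constructed sample of Linux `ss -H -lntu` output (not data from the post).
SAMPLE_SS = """\
udp   UNCONN 0 0   0.0.0.0:1434     0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:514      0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:5432   0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:1433     0.0.0.0:*
tcp   LISTEN 0 128 [::1]:631        [::]:*
tcp   LISTEN 0 128 *:445            *:*
tcp   LISTEN 0 128 192.0.2.10:3389  0.0.0.0:*
"""


def classify(ss_output):
    """Return (proto, port, bind_addr, exposed) for each listening socket."""
    results = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # skip headers and other socket families
        host, _, port = fields[4].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
        if host == "*":
            exposed = True  # wildcard bind: every interface
        else:
            # 0.0.0.0 and :: are not loopback, so they count as exposed too.
            exposed = not ipaddress.ip_address(host).is_loopback
        results.append((fields[0], int(port), host, exposed))
    return results


def exposed_listeners(ss_output):
    """Sorted (proto, port) pairs that accept traffic from off-host."""
    return sorted((p, port) for p, port, _, exp in classify(ss_output) if exp)


if __name__ == "__main__":
    for proto, port, addr, exposed in classify(SAMPLE_SS):
        state = "NETWORK-EXPOSED" if exposed else "local only"
        print(f"{proto}/{port:<6} bound to {addr:<12} {state}")
```

On a live Linux host the same functions can be fed the real output of `ss -H -lntu` to see which services opened a network port at install time.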
