Blocking port udp/tcp 1433/1434
Jeff Kell
jeff-kell at utc.edu
Thu May 12 20:26:55 UTC 2005
Valdis.Kletnieks at vt.edu wrote:
> On Thu, 12 May 2005 12:23:19 CDT, John Kristoff said:
>>I think there always has been some justification. Here is a very
>>small sample of real traffic that I can assure is not Slammer traffic,
>>but it is being filtered nonetheless (IP addresses removed):
>>
>> May 12 09:15:30.598 CDT[...] denied udp removed(53) -> removed(1434), 1 packet
>> May 12 09:26:30.210 CDT[...] denied tcp removed(80) -> removed(1434), 1 packet
>> May 12 09:32:23.122 CDT[...] denied tcp removed(80) -> removed(1434), 1 packet
>> May 12 09:42:38.558 CDT[...] denied udp removed(123) -> removed(123), 1 packet
>> May 12 10:12:50.422 CDT[...] denied udp removed(53) -> removed(1434), 1 packet
>
> Looks like a good justification to *NOT* filter. Somebody nuked the reply
> packets for 2 DNS lookups and 2 hits to web pages just because the user's
> machine picked 1434 as the ephemeral port. Oh, and one machine that
> got slapped across the face for having the temerity to ask what time it was. ;)
For TCP, you can filter it statefully: don't allow connections inbound
to 1433/1434, 135-139, etc.
For UDP, you could risk allowing source 53/123/etc. either "period",
or "to >1023"
or "to 1434"
depending on your taste, or just tolerate the collateral damage.
(And yes, there's always the wise-arse using nmap -g53 or -g123 etc.)
Jeff
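Added example, not code from anyone in this thread: a small Python policy simulator that replays the kind of flows John Kristoff's log shows (DNS/HTTP replies landing on ephemeral port 1434) against the stateless 1433/1434 block and against each of Jeff's three UDP variants, with stateful TCP handling, and includes the nmap -g source-port probes he warns about. The addresses were removed in the post, so only ports are modelled; the UDP block list (1434 plus 135-139), the NTP reply flow and the nmap probe flows are constructed assumptions, and "established" is approximated by the ACK flag.

```python
"""Filtering trade-offs for tcp/udp 1433/1434, replayed in code.

Added example, not from the NANOG posts. Flows are constructed from the
quoted log lines plus assumed nmap -g probes. Assumptions: the UDP block
list is 1434 and 135-139 (the post lists 135-139 only for TCP), and a
packet with ACK set counts as part of an existing connection.
"""
from dataclasses import dataclass

SQL_PORTS = {1433, 1434}
NETBIOS_PORTS = set(range(135, 140))
TCP_BLOCK = SQL_PORTS | NETBIOS_PORTS
UDP_BLOCK = {1434} | NETBIOS_PORTS      # assumption, see module docstring
TRUSTED_UDP_SRC = {53, 123}             # DNS and NTP replies
UDP_VARIANTS = ("period", "to >1023", "to 1434")


@dataclass(frozen=True)
class Packet:
    label: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag


# Constructed flows: the first three mirror the quoted denials (reply
# traffic whose client side happened to pick ephemeral port 1434).
FLOWS = [
    Packet("dns reply", "udp", 53, 1434),
    Packet("http reply", "tcp", 80, 1434, ack=True),
    Packet("ntp reply", "udp", 123, 1434),
    # what the filter is actually there to stop
    Packet("slammer-style probe", "udp", 3421, 1434),
    Packet("sql tcp connect", "tcp", 3422, 1433, syn=True),
    # the wise-arse with nmap -g
    Packet("nmap -g53 udp 1434", "udp", 53, 1434),
    Packet("nmap -g53 udp 137", "udp", 53, 137),
    Packet("nmap -g80 tcp 1433", "tcp", 80, 1433, syn=True),
]


def naive_filter(p):
    """The filter behind the quoted logs, as far as the thread shows it:
    stateless, any protocol, drop whenever the destination is 1433/1434."""
    return p.dport not in SQL_PORTS


def jeff_filter(udp_variant):
    """Jeff's proposal: stateful for TCP, a source-port exception for UDP.

    udp_variant selects how far replies from source 53/123 are trusted:
    "period" (any destination), "to >1023", or "to 1434" only.
    """
    if udp_variant not in UDP_VARIANTS:
        raise ValueError(f"unknown UDP variant {udp_variant!r}")

    def allow(p):
        if p.proto == "tcp":
            # Only a new inbound connection (SYN, no ACK) to a blocked
            # port is refused; replies to our own clients pass.
            new_conn = p.syn and not p.ack
            return not (new_conn and p.dport in TCP_BLOCK)
        # UDP has no state to lean on, so trust the source port instead.
        if p.sport in TRUSTED_UDP_SRC and (
            udp_variant == "period"
            or (udp_variant == "to >1023" and p.dport > 1023)
            or (udp_variant == "to 1434" and p.dport == 1434)
        ):
            return True
        return p.dport not in UDP_BLOCK

    return allow


def evaluate(policy):
    """Map each flow label to True (permitted) or False (denied)."""
    return {p.label: policy(p) for p in FLOWS}


def collateral(policy):
    """Legitimate reply flows the policy wrongly denies."""
    legit = ("dns reply", "http reply", "ntp reply")
    verdict = evaluate(policy)
    return [lbl for lbl in legit if not verdict[lbl]]


def report():
    policies = {"quoted filter": naive_filter}
    for v in UDP_VARIANTS:
        policies[f"jeff, udp {v}"] = jeff_filter(v)
    for name, pol in policies.items():
        print(f"== {name} ==")
        for lbl, ok in evaluate(pol).items():
            print(f"  {'permit' if ok else 'deny  '}  {lbl}")


if __name__ == "__main__":
    report()
```

Running it shows the point of the thread: the stateless block denies all three legitimate replies, while every one of Jeff's variants lets them through and still stops the plain probe and the SYN to 1433. It also shows his caveat: an nmap -g53 probe to udp/1434 passes under all three UDP variants (the stateful TCP side is not fooled by -g80, because a SYN is a new connection whatever its source port), and only the narrower variants keep -g53 from also reaching udp/137.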