North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: Level3 routing issues?
- From: Marc Slemko
- Date: Sat Jan 25 15:04:46 2003
On Sat, 25 Jan 2003, Alex Rubenstein wrote:
> Including the developers of SSHD, HTTPD, NAMED, CVS?
> How about Linus? Wanna call him up?
> I am no windows cheerleader, but to think this is something that happens
> only in windows-land is whack -- might as well put your head in the sand.
It is interesting to note that one inadvertent advantage of open
source (when it requires people to compile from source, and pick
and choose options at compile time... popular distributions with
precompiled packages obviously break this to a certain degree) is
that it leads to a much more heterogenous set of software WRT
attacks like buffer overflows.
Contrast this to something that is compiled once (or a small handfull)
of times by the vendor, resulting in a much more predictable environment
for many types of exploits.
There have been several worms that have demonstrated this difference.
> Also; everyone who just posted to this list made it abundantly clear that
> they don't have a firewall in front of at least one MS SQL server on their
> network. Should you really have port 1433/4 open to the world? Would you
> do this with a MySql server?
It is interesting to note that apparently Windows NT and 2000
systems default to a somewhat dated and limited ephemeral port
range of 1024-5000 (cf. ms kb article 196271). If you are blocking
traffic on a variety of inbound UDP ports in that range using a
simple packet filter, you will randomly be blocking responses to
legitimate outbound UDP traffic, such as DNS.
Granted, in many environments there is no need to allow MS systems to
directly make DNS queries to anything outside the firewall.
There are quite disturbing reports of hosts such as activex.microsoft.com,
lawsqlsrv2.hotmail.com, etc. sourcing these packets (ie. appearing
to be infected), but they need to be taken with a grain of salt.
It is certainly possible that places who have hosts that are
otherwise firewalled (that's ok, don't need to patch them...) aren't
properly filtering UDP since it is harder to do properly if you
require support for UDP traffic.