[55311] in North American Network Operators' Group
Is it time to block all Microsoft protocols in the core?
daemon@ATHENA.MIT.EDU (Sean Donelan)
Mon Jan 27 03:20:23 2003
Date: Mon, 27 Jan 2003 03:19:33 -0500 (EST)
From: Sean Donelan <sean@donelan.com>
To: nanog@merit.edu
On Mon, 27 Jan 2003, Phil Rosenthal wrote:
> Has someone gone and hacked the 5000 or so remaining infected hosts that
> were hackable somehow, and patched/rebooted?

Have you tried sending a UDP 1434 packet through a major Internet core
network this weekend? Most of those machines are still blasting away,
but the packets are getting dropped. It may be a long time before many
of those filters are ever removed. I suspect Monday morning, ISP customer
service centers are going to get calls from users asking why they can't
access their MS-SQL databases across the Internet.

Should ISPs start blocking all Microsoft protocols in self-defense? 135,
137, 138, 139, 322, 349, 445, 507, 522, 568, 569, 593, 612, 613, 691,
1232, 1270, 1433, 1434, 1477, 1478, 1512, 1607, 1711, 1723, 1731, 1745,
1801, 1863, 1895, 1900, 1944, 2106, 2234, 2382, 2383, 2393, 2394, 2460,
2504, 2525, 2701, 2702, 2703, 2704, 2724, 2869, 3020, 3074, 3126, 3132,
3268, 3269, 3343, 3389, 3535, 3544, 3587, 4350, 4500, 5678, 5679, 5720,
6073, 6588, 9753, 11320, 47624, ....

Since many users install database products just for local use, why
does the database open up a network port on the initial installation?
Wouldn't it be better to ask the user, or only open the network port if
it's being used?

It's not just a Microsoft thing. SYSLOG opened the network port by
default, and the user has to remember to disable it for only local
logging.