[80815] in North American Network Operators' Group


Re: Blocking port udp/tcp 1433/1434

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Thu May 12 16:04:02 2005

To: John Kristoff <jtk@northwestern.edu>
Cc: nanog@merit.edu
In-Reply-To: Your message of "Thu, 12 May 2005 12:23:19 CDT." <20050512172319.E3938136C83@aharp.ittns.northwestern.edu>
From: Valdis.Kletnieks@vt.edu
Date: Thu, 12 May 2005 16:02:56 -0400
Errors-To: owner-nanog@merit.edu



On Thu, 12 May 2005 12:23:19 CDT, John Kristoff said:

> I think there always has been some justification.  Here is a very
> small sample of real traffic that I can assure is not Slammer traffic,
> but it is being filtered nonetheless (IP addresses removed):
> 
>   May 12 09:15:30.598 CDT[...] denied udp removed(53) -> removed(1434), 1 packet
>   May 12 09:26:30.210 CDT[...] denied tcp removed(80) -> removed(1434), 1 packet
>   May 12 09:32:23.122 CDT[...] denied tcp removed(80) -> removed(1434), 1 packet
>   May 12 09:42:38.558 CDT[...] denied udp removed(123) -> removed(123), 1 packet
>   May 12 10:12:50.422 CDT[...] denied udp removed(53) -> removed(1434), 1 packet

Looks like a good justification to *NOT* filter. Somebody nuked the reply
packets for 2 DNS lookups and 2 hits to web pages just because the user's
machine picked 1434 as the ephemeral port.  Oh, and one machine that
got slapped across the face for having the temerity to ask what time it was. ;)

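The point of the exchange above is that a stateless port-1434 filter cannot tell a worm probe from the reply half of a flow a local host opened itself. The script below is an added example, not code from either poster: it parses denial lines in the format quoted in the thread and sorts each one into "collateral reply", "inbound to a filtered port from a non-service source", or "unrelated to the 1433/1434 filter". The log regex, the set of well-known service ports used as the reply heuristic, and the sixth sample line (source port 1198) are all assumptions constructed for the example; the first five sample lines are the ones John Kristoff quoted.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Ports the thread is about: MS-SQL (1433) and the SQL Server Resolution Service (1434).
FILTERED_PORTS = {1433, 1434}
# Services whose replies appear as the *source* port in the quoted lines (assumed heuristic).
SERVICE_PORTS = {53, 80, 123}
# Below this a destination port is unlikely to be a client's ephemeral port.
EPHEMERAL_FLOOR = 1024

# Assumed log format, modelled on the quoted lines:
#   May 12 09:15:30.598 CDT[...] denied udp removed(53) -> removed(1434), 1 packet
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) \w+\[[^\]]*\] "
    r"denied (?P<proto>udp|tcp) (?P<src>\S+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\S+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)

COLLATERAL = "collateral: reply to a flow the inside host initiated"
PROBE_LIKE = "inbound to filtered port from non-service source port"
UNRELATED = "not a 1433/1434 filter hit"


@dataclass
class Denial:
    timestamp: str
    proto: str
    sport: int
    dport: int
    packets: int


def parse_line(line: str) -> Optional[Denial]:
    """Return a Denial for a line in the assumed format, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Denial(m["ts"], m["proto"], int(m["sport"]), int(m["dport"]),
                  int(m["count"]))


def classify(d: Denial) -> str:
    """Heuristic verdict: a packet *from* a well-known service port *to* an
    ephemeral port that happens to be 1433/1434 is almost certainly the reply
    half of a flow the local client opened (the DNS and HTTP cases in the thread)."""
    if d.dport not in FILTERED_PORTS:
        return UNRELATED
    if d.sport in SERVICE_PORTS and d.dport >= EPHEMERAL_FLOOR:
        return COLLATERAL
    return PROBE_LIKE


def summarize(lines: Iterable[str]) -> Counter:
    """Tally denied packets per verdict; unparseable lines are skipped."""
    tally: Counter = Counter()
    for line in lines:
        d = parse_line(line)
        if d is None:
            continue
        tally[classify(d)] += d.packets
    return tally


# First five lines are the ones quoted in the thread; the sixth is constructed
# to show what a denial that does *not* look like collateral damage would look like.
SAMPLE_LOG = """\
May 12 09:15:30.598 CDT[...] denied udp removed(53) -> removed(1434), 1 packet
May 12 09:26:30.210 CDT[...] denied tcp removed(80) -> removed(1434), 1 packet
May 12 09:32:23.122 CDT[...] denied tcp removed(80) -> removed(1434), 1 packet
May 12 09:42:38.558 CDT[...] denied udp removed(123) -> removed(123), 1 packet
May 12 10:12:50.422 CDT[...] denied udp removed(53) -> removed(1434), 1 packet
May 12 10:20:01.000 CDT[...] denied udp removed(1198) -> removed(1434), 1 packet
"""

if __name__ == "__main__":
    for verdict, count in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{count:3d}  {verdict}")
```

Run against the quoted lines the tally is four collateral denials, one denial unrelated to the 1433/1434 filter (the NTP exchange, which was dropped for some other reason), and one that actually matches the pattern the filter was meant to catch. The heuristic is only as good as the stateless log it reads; a stateful filter that tracks the outbound DNS and HTTP requests would never have logged the four replies in the first place.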
