Robert Graham's SQL Slammer analysis (was Re: [linux-elitists] MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!)

Karsten M. Self kmself@ix.netcom.com
Fri Jan 31 19:28:56 PST 2003


on Fri, Jan 31, 2003 at 06:14:47PM -0800, Larry M. Augustin (lma@lmaugustin.com) wrote:
> > Quoting Karsten M. Self (kmself@ix.netcom.com):
> > 
> > > Makes many of the same points as I do.  Though he doesn't address the
> > > "what if it happens on :80, :22, :25" problem.
> 
> Port 80 is turning into a big problem.  I've had this conversation with
> several chief security officers.  Everyone is now building software
> that pushes stuff through port 80, mostly because that port is
> generally open.  i.e. opening up a port has become such a big deal
> that everyone wants to use port 80.  But with multiple services now
> being offered through port 80, all people have done is make ports
> useless, and make the problem harder by hiding it under port 80.  When
> one of these applications makes any attempt at security, they do
> something inside XML so you need an XML parser to enforce security.
> There are a lot of companies out there now trying to build "port 80
> firewalls" - boxes that parse everything going past port 80, and
> attempt to do something intelligent, including add security.
> 
> It's strange to think that the practice of being judicious in locking
> down ports has created an even worse problem because developers are
> now using port 80 to go around the firewall.

This is a situation that some of us have foreseen for quite some time.  I
first became aware of it a couple of years ago interviewing with a
security firm who was having trouble doing vulnerability assessments,
and phoning home, from within corporate networks, due to firewall
policies blocking useful ports.

There's an apocryphal story of a consultant who created an
implementation of NFS over SMTP to demonstrate that regardless of
arbitrary restrictions, if data were allowed in and out of the system,
a given protocol could be implemented.  Latency was high, but on
sufficiently large transfers, throughput was pretty good.  This is
supposed to have been done by Marcus Ranum.

I can't find the source of this, but a reference:

    http://www.sandelman.ottawa.on.ca/ipsec/1999/08/msg00062.html
    http://208.171.236.113/cypherpunks/C-punks20020722/0019.html

There's some oblique discussion here:

    http://www.cerias.purdue.edu/coast/firewalls/firewalls_bof_95.txt

It's a typical case of grade inflation or indicator abuse.  As more and
more ports are blocked based on the context they represent, the context
itself is warped.

Security remains a moving target.  Future schemes will have to adapt to
their environment.

Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   Moderator, Free Software Law Discussion mailing list:
     http://lists.alt.org/mailman/listinfo/fsl-discuss/