[linux-elitists] RE: Robert Graham's SQL Slammer analysis (was Re: [linux-elitists] MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!)

Jay Sulzberger jays@panix.com
Fri Jan 31 19:35:40 PST 2003


On Fri, 31 Jan 2003, Larry M. Augustin wrote:

> > Quoting Karsten M. Self (kmself@ix.netcom.com):
> >
> > > Makes many of the same points as I do.  Though he doesn't address the
> > > "what if it happens on :80, :22, :25" problem.
>
> Port 80 is turning into a big problem.  I've had this conversation with
> several chief security officers.  Everyone is now building software that
> pushes stuff through port 80, mostly because that port is generally open.
> i.e. opening up a port has become such a big deal that everyone wants to use
> port 80.  But with multiple services now being offered through port 80, all
> people have done is make ports useless, and make the problem harder by
> hiding it under port 80.  When one of these applications makes any attempt
> at security, they do something inside XML so you need an XML parser to
> enforce security.  There are a lot of companies out there now trying to
> build "port 80 firewalls" - boxes that parse everything going past port 80,
> and attempt to do something intelligent, including add security.

The tiny worm was content free.  A proper watcher system would have stopped
the worm not because the watcher analyzed the content and deduced that it
was a bad worm, but because the behavior of the node on the Net changed,
specifically some Microsoft program began spewing near duplicate UDP
packets at a high rate.

>
> It's strange to think that the practice of being judicious in locking down
> ports has created an even worse problem because developers are now using
> port 80 to go around the firewall.
>
> Larry

This is an example of a defect of thought widespread among computer
programmers: over-concreteness when thinking about computers.  Of course,
many of these same computer programmers suffer from looseness of
association when thinking about non-computer matters.

oo--JS.
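
The behaviour-based check the message above describes, sketched as an added example (not part of the original post): it never inspects payloads and flags a host only when its sending pattern changes to many same-sized UDP packets to many destinations in a short window. The thresholds, addresses and packet records are constructed assumptions.

```python
from collections import Counter, defaultdict, deque

# Assumed thresholds; tune them against a baseline of the real network.
WINDOW = 1.0         # sliding window, seconds
MIN_PACKETS = 50     # packets from one source to one port inside the window
MIN_DESTS = 40       # distinct destination addresses inside the window
MIN_SAME_SIZE = 0.9  # share of packets having the most common length

def watch(packets):
    """packets: (ts, src, dst, dport, length) tuples sorted by ts (headers only).
    Returns {src: timestamp of first alert}."""
    recent = defaultdict(deque)   # (src, dport) -> packets still in the window
    alerts = {}
    for ts, src, dst, dport, length in packets:
        if src in alerts:
            continue
        q = recent[(src, dport)]
        q.append((ts, dst, length))
        while ts - q[0][0] > WINDOW:          # expire old packets
            q.popleft()
        if len(q) < MIN_PACKETS:
            continue
        dests = {d for _, d, _ in q}
        top = Counter(n for _, _, n in q).most_common(1)[0][1]
        # High rate alone is not enough: require fan-out and near-duplicate sizes.
        if len(dests) >= MIN_DESTS and top / len(q) >= MIN_SAME_SIZE:
            alerts[src] = ts
    return alerts

def sample_traffic():
    """Constructed sample: two ordinary hosts and one whose behaviour changes."""
    pkts = []
    for i in range(20):    # DNS client: low rate, one resolver, varied sizes
        pkts.append((i * 0.2, "10.0.0.5", "10.0.0.1", 53, 60 + (i % 7) * 3))
    for i in range(200):   # log sender: high rate, but a single destination
        pkts.append((i * 0.01, "10.0.0.7", "10.0.0.2", 514, 120 + i % 40))
    for i in range(300):   # from t=2.0: fixed-size packets to many addresses
        dst = f"198.51.100.{i % 250 + 1}"
        pkts.append((2.0 + i * 0.001, "10.0.0.9", dst, 1434, 400))
    return sorted(pkts)

if __name__ == "__main__":
    for src, ts in watch(sample_traffic()).items():
        print(f"{src}: behaviour change flagged at t={ts:.3f}s")
```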


