[linux-elitists] RE: Robert Graham's SQL Slammer analysis (was Re: [linux-elitists] MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!)
Karsten M. Self
Fri Jan 31 20:08:35 PST 2003
on Fri, Jan 31, 2003 at 10:35:40PM -0500, Jay Sulzberger (email@example.com) wrote:
> On Fri, 31 Jan 2003, Larry M. Augustin wrote:
> > > Quoting Karsten M. Self (firstname.lastname@example.org):
> > >
> > > > Makes many of the same points as I do. Though he doesn't address the
> > > > "what if it happens on :80, :22, :25" problem.
> > Port 80 is turning into a big problem. I've had this conversation with
> > several chief security officers. Everyone is now building software that
> > pushes stuff through port 80, mostly because that port is generally open.
> > i.e. opening up a port has become such a big deal that everyone wants to use
> > port 80. But with multiple services now being offered through port 80, all
> > people have done is make ports useless, and make the problem harder by
> > hiding it under port 80. When one of these applications makes any attempt
> > at security, they do something inside XML so you need an XML parser to
> > enforce security. There are a lot of companies out there now trying to
> > build "port 80 firewalls" - boxes that parse everything going past port 80,
> > and attempt to do something intelligent, including add security.
> The tiny worm was content free. A proper watcher system would have stopped
> the worm not because the watcher analyzed the content and deduced that it
> was a bad worm, but because the behavior of the node on the Net changed,
> specifically some Microsoft program began spewing near duplicate UDP
> packets at a high rate.
Jay: you've referenced such watch programs now twice -- here and as a
"changepoint analysis" tool earlier.
I'm curious to know if you actually have such a tool in mind and/or use
one, and what it might be.
Karsten M. Self <email@example.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
The truth behind the H-1B IT indentured servant scam:
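The behavior-based watcher Jay describes above (the node's output rate changes, not its content), as an added example that is not from any poster and is not the tool Karsten asks about: a one-sided CUSUM change-point check over per-second UDP packet counts from constructed flow records, which reports the near-duplicate payload fraction once the rate change fires. Host names, payloads and thresholds are all made up for the demonstration.

```python
from collections import Counter

def make_sample():
    """Constructed flow records (second, src_host, udp_payload). Host db1 is
    quiet for 20 s, then emits 200 near-identical UDP packets per second."""
    events = []
    for t in range(20):
        events.append((t, "db1", b"query-%d" % t))
        events.append((t, "web1", b"dns-%d" % (t % 3)))
    for t in range(20, 30):
        events += [(t, "db1", b"REPEATED-PACKET-%03d" % i) for i in range(200)]
        events.append((t, "web1", b"dns-%d" % (t % 3)))
    return events

def per_second_stats(events, host, prefix_len=16):
    """[(second, pkt_count, near_dup_fraction)]; packets sharing their first prefix_len bytes count as near-duplicates."""
    by_sec = {}
    for t, h, payload in events:
        if h == host:
            by_sec.setdefault(t, []).append(payload[:prefix_len])
    stats = []
    for t in sorted(by_sec):
        keys = by_sec[t]
        top = Counter(keys).most_common(1)[0][1]
        stats.append((t, len(keys), top / len(keys)))
    return stats

def cusum_changepoint(values, baseline_n=10, k=2.0, h=10.0):
    """One-sided CUSUM on standardized values: index of the first sample where
    the accumulated upward drift exceeds h, or -1. Baseline = first baseline_n samples."""
    base = values[:baseline_n]
    if not base: return -1
    mean = sum(base) / len(base)
    std = (sum((x - mean) ** 2 for x in base) / len(base)) ** 0.5 or 1.0
    s = 0.0
    for i in range(baseline_n, len(values)):
        s = max(0.0, s + (values[i] - mean) / std - k)
        if s > h:
            return i
    return -1

def detect_spewing_host(events, host):
    """Return the change point for host as a dict, or None if its rate is stable."""
    stats = per_second_stats(events, host)
    i = cusum_changepoint([count for _, count, _ in stats])
    if i < 0:
        return None
    second, count, dup = stats[i]
    return {"second": second, "pkts_per_s": count, "dup_fraction": round(dup, 2)}
```

The check never inspects payload semantics, so it fires on any host whose output profile departs from its own baseline; a per-host baseline and a sensible k/h are what keep a legitimately chatty host from tripping it.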