[linux-elitists] RE: Robert Graham's SQL Slammer analysis (was Re: [linux-elitists] MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!)

Karsten M. Self kmself@ix.netcom.com
Fri Jan 31 20:08:35 PST 2003

on Fri, Jan 31, 2003 at 10:35:40PM -0500, Jay Sulzberger (jays@panix.com) wrote:
> On Fri, 31 Jan 2003, Larry M. Augustin wrote:
> > > Quoting Karsten M. Self (kmself@ix.netcom.com):
> > >
> > > > Makes many of the same points as I do.  Though he doesn't address the
> > > > "what if it happens on :80, :22, :25" problem.
> >
> > Port 80 is turning into a big problem.  I've had this conversation with
> > several chief security officers.  Everyone is now building software that
> > pushes stuff through port 80, mostly because that port is generally open.
> > i.e. opening up a port has become such a big deal that everyone wants to use
> > port 80.  But with multiple services now being offered through port 80, all
> > people have done is make ports useless, and make the problem harder by
> > hiding it under port 80.  When one of these applications makes any attempt
> > at security, they do something inside XML so you need an XML parser to
> > enforce security.  There are a lot of companies out there now trying to
> > build "port 80 firewalls" - boxes that parse everything going past port 80,
> > and attempt to do something intelligent, including add security.
> The tiny worm was content free.  A proper watcher system would have stopped
> the worm not because the watcher analyzed the content and deduced that it
> was a bad worm, but because the behavior of the node on the Net changed,
> specifically some Microsoft program began spewing near duplicate UDP
> packets at a high rate.

Jay:  you've referenced such watch programs now twice -- here and as a
"changepoint analysis" tool earlier.

I'm curious to know if you actually have such a tool in mind and/or use
one, and what it might be.


Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
    The truth behind the H-1B IT indentured servant scam:
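
The behaviour-based watcher described in the quoted text above, sketched as an added example that is not part of the original thread or of any tool mentioned in it: a one-sided CUSUM changepoint test on each host's outbound UDP rate, combined with a near-duplicate check. The thresholds, the "same destination port and payload length" definition of near-duplicate, the function names, and the sample traffic are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

def cusum_watch(packets, window=1.0, expected=5.0, slack=5.0,
                threshold=100.0, dup_ratio=0.9):
    """Flag hosts whose outbound UDP rate shifts upward while the traffic is
    near-duplicate. packets: iterable of (time, src, dst_port, payload).
    Returns {src: end time of the window that raised the alarm}."""
    per_host = defaultdict(lambda: defaultdict(Counter))
    for t, src, dport, payload in packets:
        # Assumption: "near duplicate" = same destination port and payload length.
        per_host[src][int(t // window)][(dport, len(payload))] += 1

    alarms = {}
    for src, wins in per_host.items():
        score = 0.0
        # Walk every window, including silent ones, so the score can decay.
        for idx in range(min(wins), max(wins) + 1):
            sigs = wins.get(idx, Counter())
            count = sum(sigs.values())
            # One-sided CUSUM: accumulate only the excess above expected + slack.
            score = max(0.0, score + count - expected - slack)
            if count and score > threshold:
                top = sigs.most_common(1)[0][1]
                # No payload inspection: only rate and sameness are considered.
                if top / count >= dup_ratio:
                    alarms[src] = (idx + 1) * window
                    break
    return alarms

def sample_traffic():
    """Constructed traffic: a quiet host that starts flooding at t=10,
    and a busy host whose traffic stays varied."""
    pkts = []
    for s in range(20):
        for i in range(2):    # 10.0.0.5: two small queries per second
            pkts.append((s + i / 2, "10.0.0.5", 53, b"q" * (20 + (s + i) % 7)))
        for i in range(40):   # 10.0.0.9: 40 pps, varied ports and sizes
            pkts.append((s + i / 40, "10.0.0.9", 5000 + i % 8, b"d" * (50 + i)))
        if s >= 10:           # 10.0.0.5: 200 identical datagrams per second
            for i in range(200):
                pkts.append((s + i / 200, "10.0.0.5", 1434, b"X" * 100))
    return pkts

if __name__ == "__main__":
    print(cusum_watch(sample_traffic()))
```

The busy host crosses the rate threshold but is not flagged because its datagrams differ; the flooding host is flagged at the end of the first window after its behaviour changes.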
