[Re: [Re: [Re: M$SQL cleanup incentives]]]

> > udp/1434 is not a reserved port. [...] legit
> > traffic that picked a random port to use for an ad-hoc use.
>
> it isn't legit for what i have in my network though :)

i should clarify this - my data center has www/dns/ftp servers and a bunch
of voip gateways (mostly cisco), so they all talk on the same udp ports
(most of which are greater than 30000)

my corporate lan does have a ms sql server or two (running on nt4), but
there is no reason that those servers should be talking to anything
outside of my network (or outside of their vlan)

Really? So you're blocking udp/1434 both in and out?

yep

Got any DNS servers on your network? Any of your desktop clients use DNS?

options {
     query-source * port 53
};

Recent versions of un*x BIND will pick a random port above 1024 for udp
conversations. It can and has picked 1434.

destination port will be 53, i suppose it is possible that the client
could pick 1434 for a source.....

DNS clients will eventually time out and fall back to another server, so
any problems would be transient, but the packets were legit, right?

on the off chance that someone's windows desktop picked 1434 for a source.
those packets however will not be leaving my network.

it may not be the best way to do all of it, but it keeps my network from
being killed (it also helps that the lan admin keeps all the servers
well patched)

-bryan bradsby
Texas State Government Net

joshua
(the grouchy ip/security/*nix guy sitting alone in the dark corner of the
office)

"Walk with me through the Universe,
And along the way see how all of us are Connected.
Feast the eyes of your Soul,
On the Love that abounds.
In all places at once, seemingly endless,
Like your own existence."
     - Stephen Hawking -
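The point argued above (a stateless block on udp/1434 in both directions also eats a legitimate DNS reply whenever the resolver happened to pick 1434 as its source port, which pinning `query-source * port 53` avoids) can be modelled directly. This is an added example, not code from the thread; the addresses are constructed and the "random port above 1024" range is taken from the description of BIND's behaviour in the thread.

```python
import random
from dataclasses import dataclass

# Constructed addresses for the model (documentation range, not from the thread).
CLIENT_IP = "192.0.2.10"
RESOLVER_IP = "192.0.2.53"
BLOCKED_UDP_PORTS = {1434}  # MS SQL monitor port, filtered in both directions

@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    sport: int
    dst_ip: str
    dport: int

def filter_allows(pkt: UdpPacket) -> bool:
    """Stateless rule: drop any UDP packet with a blocked source or destination port."""
    return pkt.sport not in BLOCKED_UDP_PORTS and pkt.dport not in BLOCKED_UDP_PORTS

def dns_exchange_succeeds(client_port: int) -> bool:
    """A lookup is a query plus a reply with the ports swapped; both must pass."""
    query = UdpPacket(CLIENT_IP, client_port, RESOLVER_IP, 53)
    reply = UdpPacket(RESOLVER_IP, 53, CLIENT_IP, client_port)
    return filter_allows(query) and filter_allows(reply)

def random_ephemeral_port(rng: random.Random) -> int:
    """Assumed BIND behaviour from the thread: a random source port above 1024."""
    return rng.randint(1025, 65535)

def expected_collateral_rate() -> float:
    """Fraction of random-port lookups that land on 1434: one port out of 1025..65535."""
    return 1 / (65535 - 1025 + 1)

def measured_collateral_rate(trials: int, seed: int = 1) -> float:
    """Simulate lookups with random source ports and count the ones the filter breaks."""
    rng = random.Random(seed)
    failed = sum(not dns_exchange_succeeds(random_ephemeral_port(rng)) for _ in range(trials))
    return failed / trials

def pinned_port_rate(trials: int, port: int = 53) -> float:
    """With 'query-source * port 53' the source port can never collide with 1434."""
    return sum(not dns_exchange_succeeds(port) for _ in range(trials)) / trials

if __name__ == "__main__":
    print(f"expected drop rate with random source ports: {expected_collateral_rate():.2e}")
    print(f"measured over 200000 lookups: {measured_collateral_rate(200000):.2e}")
    print(f"with query-source pinned to 53: {pinned_port_rate(1000):.2e}")
```

The drop rate is tiny per lookup, which is why the thread calls the effect transient; the model also shows that the same stateless rule cannot distinguish a reply to a resolver that chose port 1434 from worm traffic, which is the trade-off being accepted.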