lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <9B66BBD37D5DD411B8CE00508B69700F033F2626@pborolocal.rnib.org.uk>
From: John.Airey at rnib.org.uk (John.Airey@...b.org.uk)
Subject: SQL Slammer - lessons learned

I've put a lot of time into researching further into what I already know
about TCP/IP connections, and this is what I've learned:

The Well Known Ports are those from 0 through 1023.

The Registered Ports are those from 1024 through 49151

The Dynamic and/or Private Ports are those from 49152 through 65535
(See http://www.iana.org/assignments/port-numbers)

Originally, services ran on the Well Known Ports only (after all, 1024 is
more than enough, since no-one would ever need more than 640KB of memory,
would they?). In time these spilled onto the Registered Ports. The last
range is a recent addition by ICANN/IANA. They don't appear in RFC 1700 (now
obsolete) http://www.rfc-editor.org/rfc/rfc1700.txt.

However, the Registered Ports have been used by TCP/IP stacks for returning
connections. ie, you connect to a web site on port 80 and the connection to
you comes back to one of these ports, chosen at random. (The only exception
that I know to this is NTP, which uses UDP port 123 at both ends of the
connection). So simply blocking a port at a router may mean that legitimate
access is broken since the workstation has no way of knowing in advance that
any router has blocked this port. That gives a 64511/1 chance of breaking
access. For large organisations (or ISPs) with thousands of workstations,
blocking a Registered Port would result in numerous failures. This is
clearly unacceptable.

A long term solution would be to separate port usage in IPv6, if this has
not already been done. ie, to keep a range of numbers that are only ever
used for connecting to external machines and the IPv6 stacks stick to this
range. This will allow for better filtering by ISPs too, although someone
will probably still find a way of getting worms onto this range. It is sadly
too late now to fix the large number of "broken" IPv4 stacks.

Clearly therefore there will always be a demand for stateful firewalls,
whether on the workstation or as separate hardware. These can block
connections being created to the Registered Ports that do not already exist.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey@...b.org.uk 

Nearly everything we believe is second hand. For example, less than 500
people have seen the Earth from space, yet the majority of people believe it
is round (OK pedants, an oblate sphere).

- 

NOTICE: The information contained in this email and any attachments is 
confidential and may be legally privileged. If you are not the 
intended recipient you are hereby notified that you must not use, 
disclose, distribute, copy, print or rely on this email's content. If 
you are not the intended recipient, please notify the sender 
immediately and then delete the email and any attachments from your 
system.

RNIB has made strenuous efforts to ensure that emails and any 
attachments generated by its staff are free from viruses. However, it 
cannot accept any responsibility for any viruses which are 
transmitted. We therefore recommend you scan all attachments.

Please note that the statements and views expressed in this email 
and any attachments are those of the author and do not necessarily 
represent those of RNIB.

RNIB Registered Charity Number: 226227

Website: http://www.rnib.org.uk 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ