lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <2B147114-3770-11D7-AE9C-000393958954@kramse.dk>
From: hlk at kramse.dk (Henrik Lund Kramshøj)
Subject: SQL Slammer - lessons learned

On mandag, feb 3, 2003, at 12:23 Europe/Copenhagen, 
John.Airey@...b.org.uk wrote:

> I've put a lot of time into researching further into what I already 
> know
> about TCP/IP connections, and this is what I've learned:
>
> The Well Known Ports are those from 0 through 1023.
>
> The Registered Ports are those from 1024 through 49151
>
> The Dynamic and/or Private Ports are those from 49152 through 65535
> (See http://www.iana.org/assignments/port-numbers)
> ...
> A long term solution would be to separate port usage in IPv6, if this 
> has
> not already been done. ie, to keep a range of numbers that are only 
> ever
> used for connecting to external machines and the IPv6 stacks stick to 
> this
> range. This will allow for better filtering by ISPs too, although 
> someone
> will probably still find a way of getting worms onto this range. It is 
> sadly
> too late now to fix the large number of "broken" IPv4 stacks.
>
IMHO this "long term solution" is in NO WAY a solution at all, and might
hinder future communication if adopted!

Making "some ports" more special than others depending on arbitrary
ranges will not help security.

The "transport" networks, and certainly the core Internet should not put
restrictions on the port ranges that are "acceptable"
(YES I recommend end-user-networks, inside a company be seperated
and filtered from the outside Internet and also from the inside to the 
outside)

If you like you can avoid the use of IPv6 global-unicast addresses on 
your hosts
if you dont want them to connect to the Internet (or only connect using 
your
webproxies etc.)

It is hard to predict the future, but blocking certain ports in general 
will
be a bad thing, and your suggestion is IMHO letting politics decide the
future use of TCP/IP.

Best regards
--
Henrik Lund Kramsh?j
hlk@...amse.dk|inet6.dk|sikkerhedsforum.dk|security6.net}
Please read email policy at http://www.kramse.dk/email

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ