all groups > sql server connect > march 2004 >
You're in the

sql server connect

group:

UDP Port 1434 Blocking


UDP Port 1434 Blocking Wayne
3/30/2004 12:19:52 PM
sql server connect:
In order to protect from 'slammer' kind of virus, we are
planning to block UDP Port 1434 on all gateways. Named
instances seem to rely on UDP Port 1434. Since TCP port
the sql instance is listening on can be re-assigned, Can
we reassign the UDP port 1434 as well? Any input will be
appreciated. Thank you!
RE: UDP Port 1434 Blocking Mark Allison
4/1/2004 2:31:05 AM
Wayne

You can define a static port for each named instance using the server network utility and then reconfigure your clients to point to this IP address:port. You cannot use dynamic ports if UDP 1434 is blocked

-
Mark Allison, SQL Server MV
http://www.markallison.co.u
RE: UDP Port 1434 Blocking Wayne
4/1/2004 9:35:06 AM
Thank you, Mark.
[quoted text, click to view]
using the server network utility and then reconfigure your
clients to point to this IP address:port. You cannot use
dynamic ports if UDP 1434 is blocked.
[quoted text, click to view]
RE: UDP Port 1434 Blocking cgross NO[at]SPAM online.microsoft.com
4/2/2004 5:41:38 PM
For more information on static and dynamic ports, see:
823938 How to use static and dynamic port allocation in SQL Server 2000
http://support.microsoft.com/?id=823938

Also, I want to explicitly answer the question about whether you can change
the UDP 1434 port to something else - the answer is no. However, if all
instances of SQL Server and MSDE in your network are patched to SP3 or
higher then you are not vulnerble to Slammer.

Cindy Gross, MCDBA, MCSE
http://cindygross.tripod.com
This posting is provided "AS IS" with no warranties, and confers no rights.
Re: UDP Port 1434 Blocking Mike Singer
4/12/2004 7:36:35 AM
We have also blocked UDP 1434 and have to set up aliases on all the client
workstations for named instances. I would like to address the comment

"However, if all
[quoted text, click to view]
"

That is a little like saying if all the other kids in the world are
innoculated against diseases, you don't need to get your kid innoculated.
This is an insidious worm that can take down a network. We have seen home
users VPN'ed to our network cause massive data storms. Unpatched MSDE's go
up all the time since MSDE comes included w/ so many applications. Anyone
who does not block UDP 1434 at the switch level for every network that they
consider important is being extremely delinquent IMHO. This is clearly a
case of an incredibly useful feature (named Instances) being damanged
long-term by after the fact, security management.


[quoted text, click to view]

Got something to say? Click here to post a reply to this thread.
Don't see what you're looking for? Try a search.
View other messages in the sql server connect group.
AddThis Social Bookmark Button
View Other Months
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
home · blog · groups Questions? Comments? Contact the dn