Blocking port 7 from latency probes...
jerry kemp
xcpjxk at oryx.com
Mon Oct 4 13:46:08 UTC 1999
Any sane unix admin who is required to attach his/her system to the
extranet/internet should disable unused ports and services on that
system for security purposes. Of course this should be a secondary
action to your network administrator's action of blocking and filtering
possible malicious ports and traffic through firewalls and access lists on
routers.
Jerry Kemp
Jeff Taylor wrote:
>
> > Jeff> I am all in favor of latency testing throughout the Internet. In
> > Jeff> fact, I have a box on my network now that is dedicated as a probe
> > Jeff> for a project on Internet2. Why not try to marshal support for a
> > Jeff> standards based probe array instead of just scanning whatever
> > Jeff> will answer. Is that too much to ask?
> >
> >(Does this really have anything to do with bind?)
>
> I think it does since the probes originate on port 53 & are targeting
> the echo port on dns servers.
>
> >I won't attempt to justify DoubleClick's use of port 7 or their attitude
> >about it. I will point out how/why I use port 7 as a "ping" port.
>
> The "attitude" came mostly from Resonate, the makers of Global
> Products. DoubleClick just very quickly deferred all technical
> questions to Resonate.
>
> >
> >I developed and maintain a distributed concert database. All communications
> >between servers are done using XML-RPC (http://www.xmlrpc.com/ for the
> >curious). The servers are not multi-threaded, so I can't have them stall
> >while trying to talk to each other because they won't be able to respond to
> >queries. Consequently, I needed a simple, fast way to decide if a
> >downstream server was up before making a remote procedure call. UDP (not
> >TCP) to port 7 served nicely for a few reasons:
>
> Wow, that sounds cool. I'll have to check it out.
> Thank you, you help me make my point. You are using ports on machines
> that you manage.
>
> >
> > 1. I felt it would be the fastest way to check if a remote server was
> > up.
> >
> > 2. I didn't have to learn how to generate and send ICMP echo packets
> > from Python (my chosen application language in this case).
> >
> > 3. I felt that since on most Unixen port 7 echo code seems to be built
> > directly into inetd, not only would I get good performance, I'd be
> > accessing a piece of server code that was fairly well beat upon and
> > debugged already. The alternative would be to pick an arbitrary
> > high-numbered port and hang a homebrewed UDP echo server off of that.
> > Consequently, enabling it on my servers probably wasn't going to
> > increase my vulnerability to attack.
> >
> >Skip Montanaro | http://www.mojam.com/
> >skip at mojam.com | http://www.musi-cal.com/
> >847-971-7098 | Python: Programming the way Guido indented...
> >
> >
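The UDP port 7 liveness check Skip describes above, written out as an added example (not code from the thread or from Skip's project): a per-probe random nonce so only a genuine echo of our own datagram counts, one overall deadline rather than a per-datagram timeout, and fail-closed on silence or error. The loopback echo responder is a constructed stand-in for inetd's echo service so the example runs offline; the check's weakness is visible in the second case, where a disabled or filtered echo service (exactly what Jerry recommends) is indistinguishable from a dead host.

```python
import os
import socket
import threading
import time

class LocalEchoServer:
    """Constructed stand-in for inetd's UDP echo service on an ephemeral loopback port."""
    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.settimeout(0.1)          # lets the serve loop notice the stop flag
        self.port = self.sock.getsockname()[1]
        self.stop = threading.Event()
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        while not self.stop.is_set():
            try:
                data, peer = self.sock.recvfrom(2048)
            except socket.timeout:
                continue
            self.sock.sendto(data, peer)   # echo the datagram back unchanged

    def close(self):
        self.stop.set()
        self.thread.join()
        self.sock.close()                  # port is now genuinely unbound

def udp_echo_alive(host, port=7, timeout=0.5):
    """True only if host echoes a fresh nonce before the deadline; fails closed."""
    addr = (socket.gethostbyname(host), port)
    nonce = os.urandom(16)                 # stale, duplicate or spoofed replies won't match
    deadline = time.monotonic() + timeout
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        try:
            sock.sendto(nonce, addr)
            while True:
                remaining = deadline - time.monotonic()
                if remaining <= 0:
                    return False           # one overall deadline, not per datagram
                sock.settimeout(remaining)
                data, peer = sock.recvfrom(2048)
                if peer == addr and data == nonce:
                    return True            # exact echo of our nonce from the target
                # unrelated datagram: ignore it and keep waiting
        except OSError:                    # timeout, or ICMP port-unreachable as an error
            return False
```

Probe only hosts you operate; against a third party's server the answer says nothing reliable, since a silent host and a host with echo disabled or filtered both read as "down".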