Blocking port 7 from latency probes...

jerry kemp xcpjxk at oryx.com
Mon Oct 4 13:46:08 UTC 1999


Any sane unix admin who is required to attach his/her system to the 
extranet/internet should disable unused ports and services on that
system for security purposes.  Of course this should be a secondary
action to your network administrator's action of blocking and filtering
possible malicious ports and traffic through firewalls and access lists on
routers.

Jerry Kemp



Jeff Taylor wrote:
> 
> >    Jeff> I am all in favor of latency testing throughout the Internet. In
> >    Jeff> fact, I have a box on my network now that is dedicated as a probe
> >    Jeff> for a project on Internet2. Why not try to marshal support for a
> >    Jeff> standards based probe array instead of just scanning whatever
> >    Jeff> will answer. Is that too much to ask?
> >
> >(Does this really have anything to do with bind?)
> 
> I think it does since the probes originate on port 53 & are targeting
> the echo port on dns servers.
> 
> >I won't attempt to justify DoubleClick's use of port 7 or their attitude
> >about it.  I will point out how/why I use port 7 as a "ping" port.
> 
> The "attitude" came mostly from Resonate, the makers of Global
> Products. DoubleClick just very quickly deferred all technical
> questions to Resonate.
> 
> >
> >I developed and maintain a distributed concert database.  All communications
> >between servers are done using XML-RPC (http://www.xmlrpc.com/ for the
> >curious).  The servers are not multi-threaded, so I can't have them stall
> >while trying to talk to each other because they won't be able to respond to
> >queries.  Consequently, I needed a simple, fast way to decide if a
> >downstream server was up before making a remote procedure call.  UDP (not
> >TCP) to port 7 served nicely for a few reasons:
> 
> Wow, that sounds cool. I'll have to check it out.
> Thank you, you help me make my point. You are using ports on machines
> that you manage.
> 
> >
> >    1. I felt it would be the fastest way to check if a remote server was
> >       up.
> >
> >    2. I didn't have to learn how to generate and send ICMP echo packets
> >       from Python (my chosen application language in this case).
> >
> >    3. I felt that since on most Unixen port 7 echo code seems to be built
> >       directly into inetd, not only would I get good performance, I'd be
> >       accessing a piece of server code that was fairly well beat upon and
> >       debugged already.  The alternative would be to pick an arbitrary
> >       high-numbered port and hang a homebrewed UDP echo server off of that.
> >       Consequently, enabling it on my servers probably wasn't going to
> >       increase my vulnerability to attack.
> >
> >Skip Montanaro | http://www.mojam.com/
> >skip at mojam.com | http://www.musi-cal.com/
> >847-971-7098   | Python: Programming the way Guido indented...
> >
> >
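The UDP echo liveness check Skip describes above, written out as an added example (this is not code from the thread, from Mojam, or from any poster): one datagram is sent, a bounded wait follows, and silence or an ICMP unreachable both count as "down", which is what keeps a single-threaded XML-RPC server from stalling. The loopback echo server is a constructed stand-in for inetd's echo service so the example runs offline; the port 7 default and the closed-port negative case are assumptions not taken from the text.

```python
import socket
import threading

ECHO_PORT = 7  # inetd echo service from the thread; the demo below uses a loopback stand-in


def udp_echo_alive(host, port=ECHO_PORT, timeout=0.5, payload=b"ping"):
    """Return True if host:port echoes our UDP datagram back within `timeout` seconds.

    The short timeout is the whole point of the technique: the caller is a
    non-threaded server that must not block on a downstream peer that is down.
    Probe only hosts you administer, as the thread points out.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(payload, (host, port))
            data, _ = s.recvfrom(1024)
        except (socket.timeout, OSError):
            # Timeout, or ICMP port unreachable surfaced as ConnectionRefusedError:
            # host down, echo disabled in inetd, or filtered upstream. Treat as down.
            return False
        # A real echo service returns exactly the bytes it received.
        return data == payload


def start_local_echo_server():
    """Constructed stand-in for inetd's UDP echo, bound to an ephemeral loopback port.

    Returns the port number; the serving thread is a daemon so it exits with the process.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]

    def serve():
        while True:
            data, peer = srv.recvfrom(1024)
            srv.sendto(data, peer)  # echo back verbatim

    threading.Thread(target=serve, daemon=True).start()
    return port


def find_closed_udp_port():
    """Pick a loopback UDP port that is currently unbound, for the negative case."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    up = start_local_echo_server()
    print("echo server alive:", udp_echo_alive("127.0.0.1", up))                        # True
    print("closed port alive:", udp_echo_alive("127.0.0.1", find_closed_udp_port()))    # False
```

On most current systems the inetd echo service is not enabled, so against a real host the check returns False even when the machine is up; that is the failure mode Jerry's advice to disable unused services produces by design.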


More information about the bind-users mailing list