Cyber Security Awareness Month - Day 26 - Port 1433/1434 MSSQL

Published: 2009-10-26
Last Updated: 2009-10-26 13:18:07 UTC
by Mark Hofman (Version: 1)

Ports 1433 and 1434 are the ports most associated with MSSQL or, to security people, known as the Slammer ports.

Port 1433 is typically used for database connections, but like all TCP/IP services it does not have to be, and people do move the server to a different port. When an alternate port is used, the SQL Server Browser, listening on port 1434, lets users connect to the database by identifying which port the database is using. Some people also call this port the MSSQL monitoring port.
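An added example, not part of the original diary: a parser for the reply the SQL Server Browser sends on UDP 1434, showing that an instance moved off port 1433 is still advertised while 1434 is reachable, so both have to be filtered. The message layout follows Microsoft's published MC-SQLR specification; the function names and the host name, instance names and ports in the sample are constructed.

```python
import struct

SVR_RESP = 0x05  # message type of a SQL Server Browser reply (MC-SQLR)

def parse_browser_response(datagram):
    """Return one dict per instance advertised in a SVR_RESP datagram."""
    if len(datagram) < 3 or datagram[0] != SVR_RESP:
        raise ValueError("not a SQL Server Browser response")
    (size,) = struct.unpack_from("<H", datagram, 1)  # little-endian length
    body = datagram[3:3 + size]
    if len(body) != size:
        raise ValueError("truncated response")
    instances = []
    # Each instance is a ';'-separated key/value run terminated by ';;'.
    for chunk in body.decode("ascii", errors="replace").split(";;"):
        fields = chunk.split(";")
        if len(fields) < 2:
            continue  # empty tail after the final ';;'
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances

def ports_to_filter(instances):
    """TCP ports the advertised instances listen on (1434 itself is extra)."""
    ports = set()
    for inst in instances:
        tcp = inst.get("tcp", "")
        if tcp.isdigit():
            ports.add(int(tcp))
    return sorted(ports)

# Constructed sample reply: a default instance plus one moved to another port.
_DATA = (
    "ServerName;DBHOST01;InstanceName;MSSQLSERVER;IsClustered;No;"
    "Version;9.00.4035.00;tcp;1433;;"
    "ServerName;DBHOST01;InstanceName;REPORTS;IsClustered;No;"
    "Version;9.00.4035.00;tcp;50123;;"
).encode("ascii")
SAMPLE = bytes([SVR_RESP]) + struct.pack("<H", len(_DATA)) + _DATA

if __name__ == "__main__":
    for inst in parse_browser_response(SAMPLE):
        print(inst["InstanceName"], inst["Version"], "tcp", inst.get("tcp"))
    print("TCP ports to block at the perimeter:", ports_to_filter(parse_browser_response(SAMPLE)))
```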

MSSQL has a number of security risks associated with it, most notably the Slammer worm, which appeared in January of 2003. More than six years later it is still going around the internet, and its port is still one of the highest hit ports in our database, mainly because it still works.

Now, most people do not intentionally open up database ports to the internet, but a few of the Microsoft products included the desktop edition of MSSQL (MSDE), so many people inadvertently had these ports open and were infected.

A number of worms/bots have also exploited MSSQL through the default SA password, which for a long time was blank. This was later fixed with a patch and has subsequently been addressed in the later versions of MSSQL. However, we still see a lot of scans for the port, and in penetration tests entry is often gained through misconfigured MSSQL servers.

In short, databases are accessed by applications; there is no good reason for them to be directly accessible from the internet.

 

Mark H 


Comments

I remember back when the Slammer worm hit, at an ISP I worked for back then. I walked into the office, and saw the bandwidth at 80mb across the inside network. A co-located group of servers had an open SQL port, and it was hit. 12mb was coming out, and generating 80mb across all interconnect ports. It was easy to find, and easy to stop, but what a nightmare it was to see! Now something like that is normal traffic on many networks, but not back then. Amazing this thing still lives out in the wild so many years later.

-Al
