We are inside a corporate LAN with our intranet. Our network department has firewalls/proxies between us and the...
Internet. Some of our internal machines had Sapphire. Does this mean that the firewall/proxy had ports 1433/1434 open to the world I can't get a straight answer from our guys. We always felt safe thinking that our firewall/proxy protected us from stuff like this.
Obviously I don't know the configuration of your firewall, but Sapphire, aka Slammer, uses UDP port 1434. Note that this is not TCP port 1434.
If you are using a Microsoft SQL server behind your corporate firewall that is accessible from outside the firewall, then you definitely had UDP ports 1433/1434 open, because the SQL server will not work without that.
So, to mitigate against this threat, you could have kept your systems up to date with the current patches, or you could have blocked those ports and done without an SQL server. The flaw that was exploited was reported more than six months ago, and patches have been available since then. There really was no reason for any server to be infected.
For more information on this topic, visit these other SearchSecurity.com resources:
Featured Topic: SQL Slammer update
News & Analysis: Experts warn unpatched SQL Servers still susceptible to Slammer
News & Analysis: Initial SQL worm cleanup simple; patching may not be so easy
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.