Port Authority Edition – Internet Vulnerability Profiling
by Steve Gibson, Gibson Research Corporation.








Port Authority Database

Port 1434

Name: ms-sql-m

Purpose: Microsoft-SQL-Monitor

Description: Microsoft's SQL Server, including the desktop editions that are often silently installed with other Microsoft applications, listens on this port and services queries delivered to it in incoming UDP datagrams.

This port was made famous (literally) overnight by the fastest-moving worm the Internet had ever seen at that time: the infamous "SQL Slammer" worm.

Related Ports: 1433




Background and Additional Information:

This UDP protocol port hosted the fastest-moving and most aggressively propagating Internet worm that had ever been seen at the time. This worm spread rapidly across the Internet by finding and infecting instances of Microsoft's insecure and exploitable SQL Server, including the widely distributed desktop edition that is silently built into many non-database products.

The worm's spread was expedited by the fact that it used the "connectionless" UDP protocol, which allowed the transmission and acceptance of a single, small Internet datagram to infect and commandeer a remote host system.

For additional information, see our page regarding this event.

A security observation:

While we are sure that Microsoft was disappointed by the fact that another security defect was made very public after their much-touted "Trustworthy Computing" initiative had been in place (and their month-long, code-reviewing development moratorium had been completed), our argument with Microsoft is NOT that they made the mistake of allowing a security vulnerability to escape their testing. Anyone can make a mistake.

Our pervasive and continuing complaint with Microsoft is that all of those ports 1433 and 1434 were wide open to the external Internet in the first place. This was not a coding mistake, this was a design decision — and that is not forgivable. It means that Microsoft still doesn't understand the simple requirements for Internet security. Of the hundreds of thousands of vulnerable SQL servers that were quickly discovered and compromised by the SQL Slammer worm, probably NONE of them actually needed or intended to be offering SQL database services to the entire Internet. Yet Microsoft's default settings and installation made it so. Had they made the decision not to open those ports by default, the coding mistake would have had little effect or consequence.

We will never see secure products from Microsoft until their engineers and developers learn that Windows Internet services, dangerous or not, wanted or not, useful or not, must NOT be installed and running without the express permission and intention of their users.

Until then, it will be the responsibility of individual security-aware end-users to protect themselves and their Windows-based personal computers from the continuing disasters visited upon the Internet community through Microsoft's engineering.
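
One way to check a Windows host for the exposure described above, as an added example that is not part of the original page: it parses `netstat -ano` output and reports TCP 1433 or UDP 1434 sockets bound to anything other than loopback. The sample text is constructed, and the function names are hypothetical.

```python
import ipaddress

# Ports this page covers: SQL Server's TCP listener and its UDP monitor port.
WATCHED = {("TCP", 1433), ("UDP", 1434)}

# Constructed sample in the column layout of Windows `netstat -ano` output.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       4321
  TCP    10.0.0.5:1433          10.0.0.9:50112         ESTABLISHED     4321
  TCP    [::1]:1433             [::]:0                 LISTENING       4321
  UDP    0.0.0.0:1434           *:*                                    2288
  UDP    [::]:1434              *:*                                    2288
  UDP    127.0.0.1:1900         *:*                                    3000
"""

def split_endpoint(endpoint):
    """Split '0.0.0.0:1434' or '[::]:1434' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop brackets and any IPv6 zone id
    return ipaddress.ip_address(host), int(port)

def exposed_listeners(netstat_text):
    """Return (proto, address, port, pid) for watched ports not bound to loopback."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        proto, local = fields[0], fields[1]
        # TCP rows carry a state column; UDP rows do not (UDP is connectionless).
        if proto == "TCP" and fields[3] != "LISTENING":
            continue
        try:
            addr, port = split_endpoint(local)
            pid = int(fields[-1])
        except ValueError:
            continue  # row that does not match the assumed layout
        if (proto, port) in WATCHED and not addr.is_loopback:
            findings.append((proto, str(addr), port, pid))
    return findings

if __name__ == "__main__":
    for proto, addr, port, pid in exposed_listeners(SAMPLE):
        print(f"{proto} {port} bound to {addr} (PID {pid}): open to other hosts unless filtered")
```

A wildcard bind (0.0.0.0 or ::) only means the socket accepts traffic on every interface; whether the Internet can reach it still depends on the firewall or router in front of the host.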

Trojan Sightings: (UDP Protocol Only) SQL Slammer

The entire contents of this page is copyright © 2008 by Gibson Research Corporation.


Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2016 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA.