March 30, 2004 at 12:52 pm
In order to protect against a 'Slammer'-type virus, we are planning to block UDP port 1434 on all gateways. Named instances seem to rely on UDP port 1434. Since the TCP port the SQL instance is listening on can be reassigned, can we reassign UDP port 1434 as well? Any input will be appreciated. Thank you!
March 30, 2004 at 1:19 pm
I'm not aware of any way to reassign that port; however, you could limit the traffic allowed through that port to certain IP addresses or subnets.
March 30, 2004 at 1:28 pm
Or code clients with an alias to connect to that particular server/port.
March 30, 2004 at 1:46 pm
Thank you, guys, for the input. Can you actually code clients with an alias to connect to a server/port (a named instance)? I thought that for named instances, TCP ports can be coded on the server and clients, but NOT UDP port 1434. Am I wrong? The following is what I get from BOL:
'Have the network administrator configure the firewall to forward the IP address and TCP port the instance of SQL Server is listening on (using either 1433 for a default instance, or the TCP port you configured a named instance to listen on). Also configure the firewall to forward requests for UDP port 1434 on the same IP address. SQL Server 2000 uses UDP port 1434 to establish communications links from applications'
March 30, 2004 at 2:53 pm
The UDP port is used to determine the instances and their listening ports, but if you hardcode that on an alias you don't need UDP.
* Noel
March 30, 2004 at 4:01 pm
Will I have to do this on all Servers with named instances and all clients connecting to these servers? Is there an easy way out? Will the use of a Proxy Server be a better choice? Thanks again!
March 30, 2004 at 5:39 pm
You cannot repoint UDP/1434. If you block UDP/1434 all clients will need to be specifically configured to connect to the SQL Server with the appropriate TCP port.
A proxy server, or something that redirects the port, could be used in its place. For instance, we have devices that accept connections via SSL (TCP/443) and then connect to the web servers using standard HTTP (TCP/80). The devices have SSL accelerators which blow the socks off trying to do that on a Windows server. You could do the same sort of thing for named instances, only you'd need to ensure you had separate remappings per instance.
K. Brian Kelley
@kbriankelley
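The practical consequence of Noel's and Brian's answers is an inventory question: which of the existing clients name an instance without an explicit TCP port, and will therefore break once UDP/1434 is blocked? The script below is an added example, not code from anyone in this thread. It applies the client-side resolution rules discussed above (a default instance goes straight to TCP/1433; an explicit `host,port` goes straight to that port and ignores the instance name; a bare `host\instance` needs the SQL Browser lookup on UDP/1434) to a constructed list of connection strings, flags the ones that still depend on UDP/1434, and shows the explicit-port form each one should be rewritten to. The server names, instance names and port numbers in the sample inventory are made up for illustration.

```python
"""Audit SQL Server connection strings for dependence on UDP/1434 (SQL Browser).

A client resolves the TCP port of a *named* instance by asking the SQL Browser
service on UDP/1434. Blocking that port at the gateway therefore breaks any
client whose data source names an instance without also giving an explicit TCP
port. This script flags those strings and proposes the explicit-port rewrite.
"""

# Connection-string keys that carry the server designation (ADO/ODBC/SqlClient synonyms).
SERVER_KEYS = {"server", "data source", "address", "addr", "network address"}

# Constructed sample inventory; hosts, instances and ports are illustrative only.
SAMPLE_INVENTORY = [
    "Server=sqlprod01;Database=Orders;Trusted_Connection=yes",                # default instance
    "Server=sqlprod01\\Reporting;Database=Rpt;Trusted_Connection=yes",        # named, no port -> UDP/1434
    "Data Source=tcp:sqlprod01\\Reporting,1499;Initial Catalog=Rpt",          # named, explicit port
    "Data Source=sqlprod02,1433;Initial Catalog=HR;Integrated Security=SSPI", # default port given
    "Server=np:sqlprod03\\Archive;Database=Old",                              # named pipes: not a TCP question
]


def server_value(conn_str):
    """Return the server designation from a connection string, or None if absent."""
    for part in conn_str.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        if key.strip().lower() in SERVER_KEYS:
            return value.strip()
    return None


def parse_data_source(ds):
    """Split 'proto:host\\instance,port' into protocol, host, instance and port."""
    protocol = None
    # A protocol prefix looks like 'tcp:'; skip this check for bracketed IPv6 literals.
    if ":" in ds and not ds.startswith("["):
        prefix, _, rest = ds.partition(":")
        if prefix.lower() in ("tcp", "np", "lpc", "via"):
            protocol, ds = prefix.lower(), rest
    host, instance, port = ds, None, None
    if "," in ds:
        host, _, port_str = ds.rpartition(",")
        port = int(port_str.strip()) if port_str.strip().isdigit() else None
    if "\\" in host:
        host, _, instance = host.partition("\\")
    return {"protocol": protocol, "host": host.strip(), "instance": instance, "port": port}


def needs_sql_browser(ds):
    """True when the client must query UDP/1434 to find the instance's TCP port.

    Returns None for non-TCP protocols (named pipes, shared memory), which are
    outside the scope of this check.
    """
    p = parse_data_source(ds)
    if p["protocol"] not in (None, "tcp"):
        return None
    if p["port"] is not None:
        return False  # explicit port: the instance name is ignored, TCP goes straight there
    if p["instance"] is None or p["instance"].upper() == "MSSQLSERVER":
        return False  # default instance: the client assumes TCP/1433
    return True


def with_explicit_port(ds, port):
    """Rewrite a data source so the client connects straight to the given TCP port."""
    p = parse_data_source(ds)
    target = p["host"] if p["instance"] is None else f"{p['host']}\\{p['instance']}"
    prefix = "tcp:" if p["protocol"] == "tcp" else ""
    return f"{prefix}{target},{port}"


def audit(conn_strings):
    """Return (connection_string, data_source) pairs that still depend on UDP/1434."""
    findings = []
    for cs in conn_strings:
        ds = server_value(cs)
        if ds is not None and needs_sql_browser(ds):
            findings.append((cs, ds))
    return findings


if __name__ == "__main__":
    for cs, ds in audit(SAMPLE_INVENTORY):
        # The real port comes from the instance's network configuration; 1499 is a placeholder.
        print(f"needs UDP/1434: {ds!r} -> rewrite as {with_explicit_port(ds, 1499)!r}")
```

Run against a real inventory (application config files, ODBC DSNs, the `ConnectTo` alias entries), the list of findings is exactly the set of clients that must be given an explicit port or an alias before UDP/1434 is blocked; the `None` verdict for named-pipe sources is deliberate, since those are resolved differently and need a separate review.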