Blocking UDP Port 1434

  • In order to protect from a 'Slammer' kind of virus, we are planning to block UDP port 1434 on all gateways. Named instances seem to rely on UDP port 1434. Since the TCP port the SQL instance is listening on can be reassigned, can we reassign UDP port 1434 as well? Any input will be appreciated. Thank you!

  • I'm not aware of any way of reassigning that port; however, you could limit the traffic allowed through that port to certain IP addresses or subnets.



    Shameless self promotion - read my blog http://sirsql.net

  • or code clients with an alias to connect to that particular server/port.

  • Thank you, guys, for the input. Can you actually code clients with an alias to connect to a server/port (a named instance)? I thought that for named instances, TCP ports can be coded on the server and clients, but NOT UDP port 1434. Am I wrong? The following is what I get from BOL:

    'Have the network administrator configure the firewall to forward the IP address and TCP port the instance of SQL Server is listening on (using either 1433 for a default instance, or the TCP port you configured a named instance to listen on). Also configure the firewall to forward requests for UDP port 1434 on the same IP address. SQL Server 2000 uses UDP port 1434 to establish communications links from applications'

  • The UDP port is used to determine the instances and their listening ports, but if you hardcode that on an alias you don't need UDP.

    * Noel

  • Will I have to do this on all Servers with named instances and all clients connecting to these servers? Is there an easy way out? Will the use of a Proxy Server be a better choice? Thanks again!

  • You cannot repoint UDP/1434. If you block UDP/1434 all clients will need to be specifically configured to connect to the SQL Server with the appropriate TCP port.

    A proxy server, or something that redirects the port could be used in its place. For instance, we have devices that accept connections via SSL (TCP/443) and then connect to the web servers using standard HTTP (tcp/80). The devices have SSL accelerators which blow the socks off trying to do that on a Windows server. You could do the same sort of thing for named instances, only you'd need to ensure you had separate remappings per instance.

    K. Brian Kelley
    @kbriankelley
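To make concrete what the two replies above describe (the UDP/1434 lookup that tells a client which TCP port a named instance listens on, and the alias or explicit port that lets a client skip that lookup), here is an added example that is not part of the original thread. It assumes the SQL Server Resolution Protocol wire format from Microsoft's MS-SQLR specification: a one-byte CLNT_UCAST_EX probe (0x03) answered by SVR_RESP (0x05, a little-endian 2-byte length, then a semicolon-delimited instance list). The host name, instance names and ports in the sample response are constructed; `probe()` is the only part that talks to the network and is never called by the offline demonstration.

```python
"""
Added example, not code from the forum thread.

Shows what UDP/1434 (SQL Server Browser / SSRP) hands back to a client, and how
to derive the explicit "host,port" settings that make the UDP lookup unnecessary
once UDP/1434 is blocked. Packet layout follows MS-SQLR; sample data is constructed.
"""
import socket
from typing import Dict, List, Tuple

SSRP_PORT = 1434
CLNT_UCAST_EX = b"\x03"   # "list every instance on this host" probe (MS-SQLR)
SVR_RESP = 0x05           # first byte of every server response

# Constructed SVR_RESP payload: two named instances on host DBHOST; REPORTS
# has only a named-pipe listener, PAYROLL also listens on TCP 2433.
SAMPLE_RESP_DATA = (
    b"ServerName;DBHOST;InstanceName;PAYROLL;IsClustered;No;Version;8.00.194;"
    b"tcp;2433;np;\\\\DBHOST\\pipe\\MSSQL$PAYROLL\\sql\\query;;"
    b"ServerName;DBHOST;InstanceName;REPORTS;IsClustered;No;Version;8.00.194;"
    b"np;\\\\DBHOST\\pipe\\MSSQL$REPORTS\\sql\\query;;"
)


def build_sample_response(resp_data: bytes = SAMPLE_RESP_DATA) -> bytes:
    """Frame RESP_DATA the way a server does: 0x05, 2-byte LE size, data."""
    return bytes([SVR_RESP]) + len(resp_data).to_bytes(2, "little") + resp_data


def parse_svr_resp(packet: bytes) -> List[Dict[str, str]]:
    """Decode an SVR_RESP packet into one {key: value} dict per instance."""
    if not packet or packet[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP packet")
    size = int.from_bytes(packet[1:3], "little")
    data = packet[3:3 + size]
    if len(data) != size:
        raise ValueError("truncated SVR_RESP")
    instances = []
    # Each instance record ends with ";;"; inside a record the fields alternate
    # key;value (pipe names contain backslashes, never semicolons).
    for record in data.decode("ascii", "replace").split(";;"):
        if not record:
            continue
        fields = record.split(";")
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def tcp_endpoints(instances: List[Dict[str, str]]) -> Dict[str, int]:
    """Instance name -> TCP port, for instances that actually have a TCP listener."""
    return {i["InstanceName"]: int(i["tcp"]) for i in instances if "tcp" in i}


def direct_connection(host: str, port: int) -> Tuple[str, str]:
    """
    Two client-side settings that carry the port explicitly, so the client
    never sends the UDP/1434 lookup:
      1. the connection-string form  Server=host,port
      2. the ConnectTo alias value   DBMSSOCN,host,port
         (DBMSSOCN = TCP/IP Net-Library) stored under
         HKLM\\SOFTWARE\\Microsoft\\MSSQLServer\\Client\\ConnectTo, value name = alias
    """
    return (f"Server={host},{port}", f"DBMSSOCN,{host},{port}")


def probe(host: str, timeout: float = 2.0) -> List[Dict[str, str]]:
    """Live SSRP probe. Only works where UDP/1434 is still reachable."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(CLNT_UCAST_EX, (host, SSRP_PORT))
        data, _ = s.recvfrom(65535)
    return parse_svr_resp(data)


if __name__ == "__main__":
    # Offline walk-through on the constructed response.
    found = parse_svr_resp(build_sample_response())
    for name, port in tcp_endpoints(found).items():
        conn, alias = direct_connection("DBHOST", port)
        print(f"{name}: {conn}   alias value: {alias}")
    # REPORTS has no tcp entry: no TCP alias can be built for it until it gets
    # a TCP listener on a fixed port, which is exactly the case the thread warns about.
```

Once UDP/1434 is blocked at the gateway, `probe()` simply times out; every client then needs one of the two strings `direct_connection()` returns, per instance, which is the per-server, per-client work the last reply describes.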
