
SYNACK
Just Firewall It
Premium,Mod
join:2001-03-05
Venice, CA
reply to atangel

Re: Blackice "Witty" Worm: source port 4000 UDP

It is ironic how in this case running a "security product" makes you actually more vulnerable.

This is just a reminder that computer security is never a "set-it-and-forget-it" process.

I wonder why the author decided to keep the source port constant? Implementation of a random source port would have made this even nastier to track.


psloss
Premium
join:2002-02-24
Lebanon, KS

said by SYNACK:
I wonder why the author decided to keep the source port constant? Implementation of a random source port would have made this even nastier to track.
I was/am wondering that, too, but it occurred to me that it's probably faster to bind to a single port and then fire out 20000 packets than to both grab a new source port (indirectly via the OS) and send out the packet 20000 times. (Notice how I made the former sound faster...)

That's what I was speculating about with "performance" above.

I do agree that letting the OS pick an open ephemeral port would make this harder to track.

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org
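
The tracking point discussed in this thread, as an added example that is not part of either post: a fixed UDP source port 4000 gives defenders a cheap signature, while a sender using OS-chosen ephemeral ports is only caught by a port-agnostic fan-out count. The flow records, addresses and the threshold of 20 distinct destinations are constructed assumptions, not data from the worm.

```python
from collections import defaultdict

def make_sample_flows():
    """Constructed flow records (not real captures): (proto, src_ip, src_port, dst_ip)."""
    flows = []
    # Host .10: fixed UDP source port 4000 to many destinations (pattern from the thread title)
    for i in range(1, 41):
        flows.append(("udp", "192.0.2.10", 4000, f"198.51.100.{i}"))
    # Host .20: the hypothetical case raised in the thread, OS-chosen ephemeral source ports
    for i in range(1, 41):
        flows.append(("udp", "192.0.2.20", 49152 + i, f"203.0.113.{i}"))
    # Host .30: ordinary client, a few queries to a single resolver
    for i in range(5):
        flows.append(("udp", "192.0.2.30", 50000 + i, "192.0.2.53"))
    # Host .40: a single unrelated packet that happens to use source port 4000
    flows.append(("udp", "192.0.2.40", 4000, "198.51.100.7"))
    return flows

def fixed_port_hits(flows, port=4000, min_dsts=20):
    """Signature rule: sources sending UDP from `port` to >= min_dsts distinct hosts."""
    dsts = defaultdict(set)
    for proto, src, sport, dst in flows:
        if proto == "udp" and sport == port:
            dsts[src].add(dst)
    return sorted(s for s, d in dsts.items() if len(d) >= min_dsts)

def fanout_hits(flows, min_dsts=20):
    """Port-agnostic fallback: sources sending UDP to >= min_dsts distinct hosts."""
    dsts = defaultdict(set)
    for proto, src, _sport, dst in flows:
        if proto == "udp":
            dsts[src].add(dst)
    return sorted(s for s, d in dsts.items() if len(d) >= min_dsts)

if __name__ == "__main__":
    flows = make_sample_flows()
    print("fixed source port 4000:", fixed_port_hits(flows))
    print("fan-out only:          ", fanout_hits(flows))
```

The fan-out rule catches both scanning hosts but needs per-source state for all UDP traffic, whereas the fixed-port rule can be a single filter on source port 4000.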