[Westwales] Made me laugh

John Bailey westwales at mailman.lug.org.uk
Mon Feb 3 20:56:03 2003


> Of course firewalling by machine address might not be totally useful
> with a worm that spreads by UDP :-\.

Just because UDP's a stateless protocol doesn't mean that UDP packets
don't have source and destination addresses (albeit they can be forged,
but what can't?).  =)   Most firewalls I've seen have no problem filtering
UDP.

> The impact of the worm could have been a lot greater if the author had
> the foresight to set the source port to 53.

If this actually helped then I'd say it was a sloppy firewall - it usually
makes far more sense to filter on destination port rather than source
port.  In this case, simply filtering out all incoming UDP traffic bound
for port 1434 would do the trick, regardless of the source port.

> Still.. the worm could have been worse, spreading further and faster and
> with a destructive payload.

With regard to the speed and size of the infestation, you might find [1]
to be of interest. To quote:

"The Sapphire Worm was the fastest computer worm in history. As it began
spreading throughout the Internet, it doubled in size every 8.5 seconds.
It infected more than 90 percent of vulnerable hosts within 10 minutes."

There's some speculation that the worm was released as a kind of 'wake-up'
call to administrators based on the fact that it had no destructive
payload and was released over the weekend when the damage to businesses
would be less than during the week.

Cheers,

John

[1] http://www.silicondefense.com/research/sapphire/
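An added example (not part of the original post, and not code from the list or its members) of the filtering point made above: a tiny stateless packet filter in which the first matching rule wins. The `Packet`, `Rule` and `filter_packet` names, the sample rulesets and the sample datagrams are all constructed here to show why a chain that blocks on destination port UDP/1434 stops the worm whatever source port it uses, while a chain that first trusts source port 53 does not.

```python
# Added example: first-match stateless filter, written to illustrate the
# post's point about filtering on destination rather than source port.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # e.g. "udp"
    sport: int   # source port
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    proto: Optional[str] = None  # None matches any protocol
    sport: Optional[int] = None  # None matches any source port
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.sport is None or self.sport == pkt.sport)
                and (self.dport is None or self.dport == pkt.dport))


def filter_packet(rules: List[Rule], pkt: Packet, default: str = "accept") -> str:
    """Evaluate an ordered chain; the first rule that matches decides."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Sloppy chain (constructed): an early accept for UDP source port 53,
# meant for DNS replies, is consulted before the port 1434 block, so a
# worm datagram sent from source port 53 is let through.
SLOPPY_CHAIN = [
    Rule("accept", proto="udp", sport=53),
    Rule("drop", proto="udp", dport=1434),
]

# Destination-port chain (constructed): anything bound for UDP/1434 is
# dropped first, regardless of its source port.
STRICT_CHAIN = [
    Rule("drop", proto="udp", dport=1434),
    Rule("accept", proto="udp", sport=53),
]

# Constructed sample datagrams: worm traffic with an arbitrary source
# port, worm traffic claiming source port 53, and a genuine DNS reply.
WORM_RANDOM_SPORT = Packet("udp", 4321, 1434)
WORM_SPOOFED_DNS = Packet("udp", 53, 1434)
DNS_REPLY = Packet("udp", 53, 33333)
```

Under the strict chain the DNS reply is still accepted, so filtering on the destination port loses nothing that the source-port rule was meant to allow.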