Norton Firewall "MSSQL_Null_Packet_DoS"

TheMSsForum.com: The Microsoft Software Forum

I'm using an application to manipulate data in SQL server database on a
remote computer.
Sometimes when I use this application I'm getting this message on my Norton
Personal Firewall and the application terminates:
'Attempted Intrusion "MSSQL_Null_Packet_DoS" from your machine against [IP]
was detected and blocked.'
The program was written by a new small company and I can't change the code.

If I'm running this program on a computer without firewall, it works fine.

My question is how I can allow this kind of communication for this
application only in my Norton Personal Firewall without disabling the
firewall.
Top

Re: Norton Firewall "MSSQL_Null_Packet_DoS" by Bob

Bob
Mon Dec 20 07:01:32 CST 2004

"A new small company" should be very responsive. Have you tried contacting
them about the situation, giving them the repro steps, and asking them for a
solution?

--
Bob McCoy
* This posting is provided "AS IS" with no warranties, and confers no
rights.
* Please note I cannot respond to email questions. Please use these
newsgroups.

"Alex Levi" <AlexLevi@discussions.microsoft.com> wrote in message
news:37D05676-14E5-4256-9E73-104A3A4B6395@microsoft.com...
> I'm using an application to manipulate data in SQL server database on a
> remote computer.
> Sometimes when I use this application I'm getting this message on my
> Norton
> Personal Firewall and the application terminates:
> 'Attempted Intrusion "MSSQL_Null_Packet_DoS" from your machine against
> [IP]
> was detected and blocked.'
> The program was written by a new small company and I can't change the
> code.
>
> If I'm running this program on a computer without firewall, it works fine.
>
> My question is how I can allow this kind of communication for this
> application only in my Norton Personal Firewall without disabling the
> firewall.


Top

Re: Norton Firewall "MSSQL_Null_Packet_DoS" by AlexLevi

AlexLevi
Mon Dec 20 08:59:01 CST 2004

Yes I did, and they can not find anything wrong with the application and it
probably because they aren't using norton personal firewall.
This progarm is NOT a virus or a spyware or anything like that.



"Bob McCoy [MSFT]" wrote:

> "A new small company" should be very responsive. Have you tried contacting
> them about the situation, giving them the repro steps, and asking them for a
> solution?
>
> --
> Bob McCoy
> * This posting is provided "AS IS" with no warranties, and confers no
> rights.
> * Please note I cannot respond to email questions. Please use these
> newsgroups.
>
> "Alex Levi" <AlexLevi@discussions.microsoft.com> wrote in message
> news:37D05676-14E5-4256-9E73-104A3A4B6395@microsoft.com...
> > I'm using an application to manipulate data in SQL server database on a
> > remote computer.
> > Sometimes when I use this application I'm getting this message on my
> > Norton
> > Personal Firewall and the application terminates:
> > 'Attempted Intrusion "MSSQL_Null_Packet_DoS" from your machine against
> > [IP]
> > was detected and blocked.'
> > The program was written by a new small company and I can't change the
> > code.
> >
> > If I'm running this program on a computer without firewall, it works fine.
> >
> > My question is how I can allow this kind of communication for this
> > application only in my Norton Personal Firewall without disabling the
> > firewall.
>
>
>
Top

Re: Norton Firewall "MSSQL_Null_Packet_DoS" by Tim

Tim
Mon Dec 20 12:18:36 CST 2004

Tell the developers to make their code NOT send Null packets on port 1433.
This could be misconstrued as a variant SQL Slammer attack, and they WILL
run into this problem all over the place, so it is definitely in their
interest to fix this !


"Alex Levi" <AlexLevi@discussions.microsoft.com> wrote in message
news:37D05676-14E5-4256-9E73-104A3A4B6395@microsoft.com...
> I'm using an application to manipulate data in SQL server database on a
> remote computer.
> Sometimes when I use this application I'm getting this message on my
Norton
> Personal Firewall and the application terminates:
> 'Attempted Intrusion "MSSQL_Null_Packet_DoS" from your machine against
[IP]
> was detected and blocked.'
> The program was written by a new small company and I can't change the
code.
>
> If I'm running this program on a computer without firewall, it works fine.
>
> My question is how I can allow this kind of communication for this
> application only in my Norton Personal Firewall without disabling the
> firewall.


Top

Re: Norton Firewall "MSSQL_Null_Packet_DoS" by AlexLevi

AlexLevi
Mon Dec 20 13:37:03 CST 2004

I have contacted this company and they are using standart ODBC connection
using PowerBuilder. They have no idea how to prevent from sending data on
custom ports.
The connection in PowerBuilder:
SQLCA.DBMS = "ODBC"
SQLCA.AutoCommit = False
SQLCA.DBParm = "ConnectString='DSN=... ;UID=... ;PWD=...
CONNECT Using SQLCA;

And the commands used are standart too (update, insert ...)
Any idea how to help them fix it?



"Tim Holman (MVP - Security)" wrote:

> Tell the developers to make their code NOT send Null packets on port 1433.
> This could be misconstrued as a variant SQL Slammer attack, and they WILL
> run into this problem all over the place, so it is definitely in their
> interest to fix this !
>
>
> "Alex Levi" <AlexLevi@discussions.microsoft.com> wrote in message
> news:37D05676-14E5-4256-9E73-104A3A4B6395@microsoft.com...
> > I'm using an application to manipulate data in SQL server database on a
> > remote computer.
> > Sometimes when I use this application I'm getting this message on my
> Norton
> > Personal Firewall and the application terminates:
> > 'Attempted Intrusion "MSSQL_Null_Packet_DoS" from your machine against
> [IP]
> > was detected and blocked.'
> > The program was written by a new small company and I can't change the
> code.
> >
> > If I'm running this program on a computer without firewall, it works fine.
> >
> > My question is how I can allow this kind of communication for this
> > application only in my Norton Personal Firewall without disabling the
> > firewall.
>
>
>
Top

Re: Norton Firewall "MSSQL_Null_Packet_DoS" by Jim

Jim
Mon Dec 20 21:41:45 CST 2004

"Alex Levi" wrote in message.
>snip
> My question is how I can allow this kind of communication for this
> application only in my Norton Personal Firewall without disabling the
> firewall.

In NIS/NPF you have the option to exclude certain signatures in the IDS.
http://www.gpick.com/agnisrules/pages/settings/settings_pg4.html

For information on the signatures:
http://securityresponse.symantec.com/avcenter/nis_ids/

Regards,

Jim
MVP - Security


Top

Re: Norton Firewall "MSSQL_Null_Packet_DoS" by Tim

Tim
Tue Dec 21 07:50:49 CST 2004

Put something in here:

SQLCA.DBParm = "ConnectString='DSN=... ;UID=... ;PWD=...

..at the moment, it's empty, and thus a 'null' packet.

"Alex Levi" <AlexLevi@discussions.microsoft.com> wrote in message
news:4AFFDCD9-448D-45C4-B43D-4FE8D1EA35EF@microsoft.com...
> I have contacted this company and they are using standart ODBC connection
> using PowerBuilder. They have no idea how to prevent from sending data on
> custom ports.
> The connection in PowerBuilder:
> SQLCA.DBMS = "ODBC"
> SQLCA.AutoCommit = False
> SQLCA.DBParm = "ConnectString='DSN=... ;UID=... ;PWD=...
> CONNECT Using SQLCA;
>
> And the commands used are standart too (update, insert ...)
> Any idea how to help them fix it?
>
>
>
> "Tim Holman (MVP - Security)" wrote:
>
> > Tell the developers to make their code NOT send Null packets on port
1433.
> > This could be misconstrued as a variant SQL Slammer attack, and they
WILL
> > run into this problem all over the place, so it is definitely in their
> > interest to fix this !
> >
> >
> > "Alex Levi" <AlexLevi@discussions.microsoft.com> wrote in message
> > news:37D05676-14E5-4256-9E73-104A3A4B6395@microsoft.com...
> > > I'm using an application to manipulate data in SQL server database on
a
> > > remote computer.
> > > Sometimes when I use this application I'm getting this message on my
> > Norton
> > > Personal Firewall and the application terminates:
> > > 'Attempted Intrusion "MSSQL_Null_Packet_DoS" from your machine against
> > [IP]
> > > was detected and blocked.'
> > > The program was written by a new small company and I can't change the
> > code.
> > >
> > > If I'm running this program on a computer without firewall, it works
fine.
> > >
> > > My question is how I can allow this kind of communication for this
> > > application only in my Norton Personal Firewall without disabling the
> > > firewall.
> >
> >
> >


Top

Re: Norton Firewall "MSSQL_Null_Packet_DoS" by AlexLevi

AlexLevi
Tue Dec 21 08:31:01 CST 2004

SQLCA.DBParm = "ConnectString='DSN=[IP];UID=[UserName];PWD=[Password]"

I just didn't include it in the message (for a security reasons) but the IP,
username and password does exist in the string, so it's not a 'null' packet.



"Tim Holman (MVP - Security)" wrote:

> Put something in here:
>
> SQLCA.DBParm = "ConnectString='DSN=... ;UID=... ;PWD=...
>
> ...at the moment, it's empty, and thus a 'null' packet.
>
> "Alex Levi" <AlexLevi@discussions.microsoft.com> wrote in message
> news:4AFFDCD9-448D-45C4-B43D-4FE8D1EA35EF@microsoft.com...
> > I have contacted this company and they are using standart ODBC connection
> > using PowerBuilder. They have no idea how to prevent from sending data on
> > custom ports.
> > The connection in PowerBuilder:
> > SQLCA.DBMS = "ODBC"
> > SQLCA.AutoCommit = False
> > SQLCA.DBParm = "ConnectString='DSN=... ;UID=... ;PWD=...
> > CONNECT Using SQLCA;
> >
> > And the commands used are standart too (update, insert ...)
> > Any idea how to help them fix it?
> >
> >
> >
> > "Tim Holman (MVP - Security)" wrote:
> >
> > > Tell the developers to make their code NOT send Null packets on port
> 1433.
> > > This could be misconstrued as a variant SQL Slammer attack, and they
> WILL
> > > run into this problem all over the place, so it is definitely in their
> > > interest to fix this !
> > >
> > >
> > > "Alex Levi" <AlexLevi@discussions.microsoft.com> wrote in message
> > > news:37D05676-14E5-4256-9E73-104A3A4B6395@microsoft.com...
> > > > I'm using an application to manipulate data in SQL server database on
> a
> > > > remote computer.
> > > > Sometimes when I use this application I'm getting this message on my
> > > Norton
> > > > Personal Firewall and the application terminates:
> > > > 'Attempted Intrusion "MSSQL_Null_Packet_DoS" from your machine against
> > > [IP]
> > > > was detected and blocked.'
> > > > The program was written by a new small company and I can't change the
> > > code.
> > > >
> > > > If I'm running this program on a computer without firewall, it works
> fine.
> > > >
> > > > My question is how I can allow this kind of communication for this
> > > > application only in my Norton Personal Firewall without disabling the
> > > > firewall.
> > >
> > >
> > >
>
>
>
Top