Port 1434 (UDP) – MS SQL Monitor

What runs on port 1434?

UDP 1434 is the Microsoft SQL Server Resolution Service, exposed today by the SQL Server Browser. When a client wants a named instance, it sends a small UDP query here and the server replies with the dynamic TCP port (and version details) the instance is listening on. It is most relevant on hosts running named or multiple SQL Server instances.

Why it matters for security

Port 1434 made history as the vector for the SQL Slammer worm in 2003: a buffer-overflow RCE (CVE-2002-0649) in the resolution service let a single 376-byte UDP packet execute code and self-propagate, infecting most vulnerable hosts within minutes and disrupting the global internet. Even patched, the service enumerates instances and versions, handing attackers a precise map for follow-on attacks on the SQL Server TCP ports, and its small-query/large-reply shape can be abused for reflection.

How it's attacked

Attackers scan UDP 1434 to enumerate SQL instances, names, and versions, then pivot to the discovered TCP ports for brute force or known exploits. Historically, Slammer demonstrated wormable pre-auth RCE through this port, and the response asymmetry makes it usable in reflection floods.

Hardening checklist

Block UDP 1434 at the perimeter and keep SQL Server off the public internet. Where possible, disable the SQL Server Browser and assign each instance a static TCP port so clients don't need it. Keep SQL Server fully patched — Slammer-class bugs are wormable — and restrict database connectivity to trusted application hosts. Use the nmap snippet above to enumerate SQL exposure on hosts you are authorized to test.