Ive been getting hammered by an MS-SQL Worm propagation attempt, UDP port 1434.

Im trying to block it like this:
/sbin/iptables -A INPUT -p UDP -i eth1 --dport 1434 -s 0/0 -j DROP

My question is, do I need the source (-s 0/0) or could I just leave it out and append the INPUT argument like this:

/sbin/iptables -A INPUT -p UDP -i eth1 --dport 1434 -j DROP

You shouldn't need to source - by default it will block everything (are you sure it runs over udp though?).

My IDS gives me a port # and possible cause. It does not give me a protocol. I looked up (google) "port 1434".
My IDS says, "MS-SQL Worm propagation attempt"... So does google but I got conflicting stories. So I blocked 1434 TCP & UDP.

I tried this today & cleared my logs(still awaiting on the outcome):

# block MS-SQL Worm propagation attempt
/sbin/iptables -A INPUT -p UDP -i $RED_DEV --dport 1434 -s 0/0 -j DROP
/sbin/iptables -A INPUT -p TCP -i $RED_DEV --dport 1434 -s 0/0 -j DROP

# Logging TCP ports 1024 - 65535, but 1434
/sbin/iptables -A INPUT -p TCP -i $RED_DEV --dport 1024:1433 --syn -j LOG
/sbin/iptables -A INPUT -p TCP -i $RED_DEV --dport 1435:65535 --syn -j LOG

# STEALTHING TCP ports 1024 - 65535, but 1434
/sbin/iptables -A INPUT -p TCP -i $RED_DEV --dport 1024:1433 --syn -j DROP
/sbin/iptables -A INPUT -p TCP -i $RED_DEV --dport 1435:65535 --syn -j DROP

Im also trying to stealth TCP 1024 - 65535.
I read that I couldnt have 2 rules addressing the same port, so I excluded it from my Log & drop/stealth between 1024 - 65535.

I hope that works...