Re: Code Red Doesn't care about TCP sessions?
From: rottz@securityflaw.com
Date: 08/10/01
- Previous message: ghandi@ghandi.org: "Re: Code Red(s) being confused with sadmind/IIS worm?"
- In reply to: Mark Wiater: "Code Red Doesn't care about TCP sessions?"
- Next in thread: Vern Paxson: "Re: Code Red Doesn't care about TCP sessions?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <3B7316CC.B95D09E8@securityflaw.com>
Date: Thu, 09 Aug 2001 18:03:40 -0500
From: rottz@securityflaw.com
To: mwiater@bayserve.net
Subject: Re: Code Red Doesn't care about TCP sessions?
>Mark Wiater wrote:
> A closer look at the data showed that many of the Code Red attacks were
> directed at machines that I KNEW were not able to receive port 80 through the
> firewalls. So how did Code Red get so far as to send the GET request when
> there was no SYN, SYN/ACK, ACK???
Below is an attempt to reach port 80 on a Windows machine running
ZoneAlarm.
ZoneAlarm blocked it, so it never sent the GET request.
08/09-07:36:19.844186 0:A0:C5:E5:F6:93 -> 0:1:2:37:9:A7 type:0x800
len:0x3E
x.x.x.x:2558 -> x.x.x.x:80 TCP TTL:116 TOS:0x0 ID:61104
**S***** Seq: 0x5597AF30 Ack: 0x0 Win: 0x4000
TCP Options => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/09-07:36:23.060729 0:A0:C5:E5:F6:93 -> 0:1:2:37:9:A7 type:0x800
len:0x3E
x.x.x.x:2558 -> x.x.x.x:80 TCP TTL:116 TOS:0x0 ID:61142
**S***** Seq: 0x5597AF30 Ack: 0x0 Win: 0x4000
TCP Options => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/09-07:36:29.624051 0:A0:C5:E5:F6:93 -> 0:1:2:37:9:A7 type:0x800
len:0x3E
x.x.x.x:2558 -> x.x.x.x:80 TCP TTL:116 TOS:0x0 ID:61194
**S***** Seq: 0x5597AF30 Ack: 0x0 Win: 0x4000
TCP Options => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> A tcpdump showed that all of the code red communications were unidirectional.
> It didn't bother to wait (more than 350ms) for a response from the Web server
> before it sent its ACK and then GET request. This behaviour was consistent
> for all ip addresses that could not respond via port 80 because of the
> firewall.
>
> Am I the only one to see this behaviour?
If the firewall blocked it, I don't see why it would bother sending a
GET request; it must have thought it was an open port. I've never seen
CR send a GET request to a closed port.
Peter
--
rottz at securityflaw dot com
Founder of Securityflaw
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
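A small detection pass over capture lines, added here as an example and not part of the original thread: it flags client flows that push HTTP data without any SYN/ACK having been seen (the unidirectional Code Red traffic Mark describes) and flows whose SYNs go unanswered (what the ZoneAlarm capture above shows). The log lines are constructed, using a one-line-per-packet simplification of the Snort format above with made-up addresses and a "flags" field of plain letters (S, A, P).

```python
# Added example, not code from the original post. The log below is
# constructed: one line per packet, "time src:port -> dst:port flags len=N".
import re
from collections import defaultdict

LOG = """\
07:36:19.844 10.0.0.5:2558 -> 10.0.0.9:80 S len=0
07:36:23.060 10.0.0.5:2558 -> 10.0.0.9:80 S len=0
07:36:29.624 10.0.0.5:2558 -> 10.0.0.9:80 S len=0
07:40:01.100 10.0.0.5:2601 -> 10.0.0.12:80 S len=0
07:40:01.210 10.0.0.5:2601 -> 10.0.0.12:80 A len=0
07:40:01.220 10.0.0.5:2601 -> 10.0.0.12:80 AP len=112
07:41:05.000 10.0.0.5:2650 -> 10.0.0.20:80 S len=0
07:41:05.030 10.0.0.20:80 -> 10.0.0.5:2650 SA len=0
07:41:05.031 10.0.0.5:2650 -> 10.0.0.20:80 A len=0
07:41:05.040 10.0.0.5:2650 -> 10.0.0.20:80 AP len=112
"""

LINE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) ([SAPRF]+) len=(\d+)$")

def analyse(log, server_port="80"):
    """Return (blind_data_flows, unanswered_syn_flows), each a sorted list of
    (client_ip, client_port, server_ip). A flow is keyed on the client side
    so both directions of one connection map to the same tuple."""
    syn_counts = defaultdict(int)   # client SYNs seen per flow
    synack_seen = set()             # flows where the server answered SYN/ACK
    blind = set()                   # data pushed with no SYN/ACK ever seen
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue                # skip anything that is not a packet line
        _, src, sport, dst, dport, flags, length = m.groups()
        if dport == server_port:    # client -> server direction
            flow = (src, int(sport), dst)
            if "S" in flags:
                syn_counts[flow] += 1
            elif int(length) > 0 and flow not in synack_seen:
                blind.add(flow)     # payload before the handshake completed
        elif sport == server_port and "S" in flags and "A" in flags:
            synack_seen.add((dst, int(dport), src))
    # SYNs that were never answered and never followed by blind data
    unanswered = {f for f in syn_counts if f not in synack_seen and f not in blind}
    return sorted(blind), sorted(unanswered)

if __name__ == "__main__":
    print(analyse(LOG))
```

Flow 2601 is reported as blind (ACK and data sent 110 ms after the SYN with no SYN/ACK in between); flow 2558 is reported as unanswered (three SYN retries, nothing back), and flow 2650 is a normal handshake and is not reported.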