Re: Code Red Doesn't care about TCP sessions?

From: Vern Paxson
Date: 08/10/01

Date: Thu, 09 Aug 2001 21:36:47 PDT

> A closer look at the data showed that many of the Code Red attacks were
> directed at machines that I KNEW were not able to receive port 80 through the
> firewalls. So how did Code Red get so far as to send the GET request when
> there was no SYN, SYN/ACK, ACK???
> A tcpdump showed that all of the code red communications were unidirectional.
> It didn't bother to wait (more than 350ms) for a response from the Web server
> before it sent its ACK and then GET request. This behaviour was consistent
> for all ip addresses that could not respond via port 80 because of the
> firewall.
> Am I the only one to see this behaviour?

I've seen this too - very bizarre! I've tried to concoct scenarios in
which it's somehow a NAT that's run amuck, but haven't managed to put
together any that are convincing.
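
One way to check a capture for the pattern described in this thread (a SYN, then an ACK and request data, with nothing coming back from the server), as an added example that is not part of the original messages. The sample lines are constructed, use documentation address ranges, and the function name `one_sided_flows` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump text output format (not from the thread).
SAMPLE = """\
21:30:01.100000 IP 198.51.100.7.3210 > 192.0.2.10.80: Flags [S], seq 1000, win 8192, length 0
21:30:01.450000 IP 198.51.100.7.3210 > 192.0.2.10.80: Flags [.], ack 1, win 8192, length 0
21:30:01.460000 IP 198.51.100.7.3210 > 192.0.2.10.80: Flags [P.], seq 1:1461, ack 1, win 8192, length 1460
21:30:02.000000 IP 198.51.100.9.4000 > 192.0.2.20.80: Flags [S], seq 5000, win 8192, length 0
21:30:02.010000 IP 192.0.2.20.80 > 198.51.100.9.4000: Flags [S.], seq 9000, ack 5001, win 8192, length 0
21:30:02.020000 IP 198.51.100.9.4000 > 192.0.2.20.80: Flags [.], ack 1, win 8192, length 0
21:30:02.030000 IP 198.51.100.9.4000 > 192.0.2.20.80: Flags [P.], seq 1:60, ack 1, win 8192, length 59
21:30:03.000000 IP 198.51.100.11.5000 > 192.0.2.30.80: Flags [S], seq 7000, win 8192, length 0
"""

LINE = re.compile(r"^\S+ IP (\S+) > (\S+): Flags \[([^\]]+)\].* length (\d+)")

def one_sided_flows(text):
    """Return (client, server, payload_bytes) for flows where the client sent a
    SYN and then ACK or data, yet no packet from the server appears at all."""
    syn_from = set()           # (client, server) pairs opened with a bare SYN
    acked = defaultdict(int)   # payload bytes the opener sent after its SYN
    seen_dir = set()           # every (src, dst) direction observed
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue           # skip lines that are not TCP packet summaries
        src, dst, flags, length = m.group(1), m.group(2), m.group(3), int(m.group(4))
        seen_dir.add((src, dst))
        if flags == "S":
            syn_from.add((src, dst))
        elif (src, dst) in syn_from and "." in flags and not set("SR") & set(flags):
            acked[(src, dst)] += length   # "." is tcpdump's marker for ACK
    # A filtered SYN with no follow-up is ordinary; an ACK without any reply is not.
    return sorted((c, s, n) for (c, s), n in acked.items() if (s, c) not in seen_dir)

if __name__ == "__main__":
    for client, server, nbytes in one_sided_flows(SAMPLE):
        print(f"{client} -> {server}: ACK/data ({nbytes} bytes) with no server reply")
```

The result only means something when the capture point sees both directions of traffic; on an asymmetric path a normal session would be reported as one-sided.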

