Re: Code Red Doesn't care about TCP sessions?

From: Vern Paxson (vern@ee.lbl.gov)
Date: 08/10/01


Message-Id: <200108100436.f7A4alU18450@daffy.ee.lbl.gov>
To: mwiater@bayserve.net
Subject: Re: Code Red Doesn't care about TCP sessions?
Date: Thu, 09 Aug 2001 21:36:47 PDT
From: Vern Paxson <vern@ee.lbl.gov>


> A closer look at the data showed that many of the Code Red attacks were
> directed at machines that I KNEW were not able to receive port 80 through the
> firewalls. So how did Code Red get so far as to send the GET request when
> there was no SYN, SYN/ACK, ACK???
>
> A tcpdump showed that all of the code red communications were unidirectional.
> It didn't bother to wait (more than 350ms) for a response from the Web server
> before it sent it's ACK and then GET request. This behaviour was consistent
> for all ip addresses that could not respond via port 80 because of the
> firewall.
>
> Am I the only one to see this behaviour?

I've seen this too - very bizarre! I've tried to concoct scenarios in
which it's somehow a NAT that's run amuck, but haven't managed to put
together any that are convincing.

                Vern

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
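The behaviour both posters describe is detectable in a capture without any signature: a client that sends request data to port 80 before a single packet has come back from the server side (no SYN/ACK, no anything). The script below is an added example, not code from the original thread or from either poster; it runs over a constructed list of packet summaries that stands in for the tcpdump output, and the addresses, ports, timings and request line in that list are made up for illustration. In real use you would read a pcap with a library such as dpkt or scapy and map each TCP packet onto the same seven-field tuple.

```python
"""Flag HTTP requests sent without a completed TCP handshake.

Added example, not from the original post. CAPTURE is a constructed
stand-in for a tcpdump capture: (time_s, src, sport, dst, dport, flags, payload).
Flags use tcpdump letters: S = SYN, A = ACK, P = PSH (so "SA" is a SYN/ACK).
"""
from collections import defaultdict

CAPTURE = [
    # Flow 1 (constructed): a normal client completes the handshake before sending data.
    (0.000, "10.0.0.5", 40001, "192.0.2.10", 80, "S", b""),
    (0.020, "192.0.2.10", 80, "10.0.0.5", 40001, "SA", b""),
    (0.021, "10.0.0.5", 40001, "192.0.2.10", 80, "A", b""),
    (0.022, "10.0.0.5", 40001, "192.0.2.10", 80, "PA", b"GET / HTTP/1.0\r\n\r\n"),
    (0.040, "192.0.2.10", 80, "10.0.0.5", 40001, "PA", b"HTTP/1.0 200 OK\r\n"),
    # Flow 2 (constructed): the pattern from the thread. SYN, then about 350 ms later
    # an ACK and a GET, while the firewalled target never sends anything back.
    (1.000, "203.0.113.7", 2345, "192.0.2.20", 80, "S", b""),
    (1.350, "203.0.113.7", 2345, "192.0.2.20", 80, "A", b""),
    (1.351, "203.0.113.7", 2345, "192.0.2.20", 80, "PA", b"GET /probe HTTP/1.0\r\n\r\n"),
    # Flow 3 (constructed): a lone SYN that gets dropped. Blocked, but not blind; not flagged.
    (2.000, "203.0.113.8", 2346, "192.0.2.21", 80, "S", b""),
]


def find_blind_requests(capture, port=80):
    """Return one finding per client->server flow on `port` that carried request
    data before any packet from the server side had been observed.

    A flow is keyed from the client's point of view (client, cport, server, sport)
    so that both directions of the same connection land in one list.
    """
    flows = defaultdict(list)
    for t, src, sport, dst, dport, flags, payload in sorted(capture, key=lambda p: p[0]):
        if dport == port:
            key, direction = (src, sport, dst, dport), "c2s"
        elif sport == port:
            key, direction = (dst, dport, src, sport), "s2c"
        else:
            continue  # not HTTP traffic on the port of interest
        flows[key].append((t, direction, flags, payload))

    findings = []
    for (client, cport, server, sport), pkts in flows.items():
        syn_time = None
        server_seen = False
        for t, direction, flags, payload in pkts:
            if direction == "s2c":
                server_seen = True  # handshake (or anything) from the server
                continue
            if "S" in flags and syn_time is None:
                syn_time = t
            if payload and not server_seen:
                # Data sent before the server ever answered: the "blind" GET.
                findings.append({
                    "client": f"{client}:{cport}",
                    "server": f"{server}:{sport}",
                    "ms_after_syn": None if syn_time is None else round((t - syn_time) * 1000),
                    "request_line": payload.split(b"\r\n", 1)[0].decode("ascii", "replace"),
                    "server_ever_replied": any(d == "s2c" for _, d, _, _ in pkts),
                })
                break  # one finding per flow is enough
    return findings


if __name__ == "__main__":
    for f in find_blind_requests(CAPTURE):
        print(f"{f['client']} -> {f['server']}: {f['request_line']!r} sent "
              f"{f['ms_after_syn']} ms after SYN, server replied: {f['server_ever_replied']}")
```

On the constructed capture only flow 2 is reported, with the GET arriving 351 ms after the SYN and no server packet in the whole flow. A plain blocked connection attempt (flow 3) is deliberately not reported, since a SYN that goes unanswered is normal; what is abnormal is data on a connection that was never established. Note that `ms_after_syn` is `None` if the capture started mid-flow, so a missing SYN is reported rather than assumed.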
