RE: CodeRed Observations.

From: larosa, vjay (larosa_vjay@emc.com)
Date: 03/13/03

Next message: Cavey, Jean-Luc: "RE: CANADA.EXE Findings"

Previous message: Rob Shein: "RE: CodeRed Observations."
Maybe in reply to: Rob Shein: "RE: CodeRed Observations."
Next in thread: Q=F3rhallur_H=E1lfd=E1narson?=: "Re: CodeRed Observations."
Reply: Q=F3rhallur_H=E1lfd=E1narson?=: "Re: CodeRed Observations."
Reply: Christine Kronberg: "RE: CodeRed Observations."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: "larosa, vjay" <larosa_vjay@emc.com>
To: 'Rob Shein' <shoten@starpower.net>, incidents@securityfocus.com
Date: Thu, 13 Mar 2003 12:43:37 -0500

Some of the systems respond to a ping, none respond to
any HTTP requests. It doesn't mean that they are not
firewalled from incoming traffic though.

vjl

-----Original Message-----
From: Rob Shein [mailto:shoten@starpower.net]
Sent: Thursday, March 13, 2003 12:13 PM
To: 'larosa, vjay'; incidents@securityfocus.com
Subject: RE: CodeRed Observations.

Ok, here's another thought...is the IP address that the traffic apparently
originates from actually accessible, and is it running a vulnerable IIS? I
would think that if someone wanted to hide an attack, they'd hide amidst a
huge amount of varied attack noise, rather than something so homogenous (and
expected) as this.

> -----Original Message-----
> From: larosa, vjay [mailto:larosa_vjay@emc.com]
> Sent: Thursday, March 13, 2003 11:59 AM
> To: 'Rob Shein'; larosa, vjay; incidents@securityfocus.com
> Subject: RE: CodeRed Observations.
>
>
> Hi Rob,
>
> I'm not saying that the worm is stateless. I am saying that
> the traffic I am seeing at my border firewalls (codered
> strings) are not part of established sessions (stateless). I
> was just trying
> to figure out if this had something to do with the new
> outbreak, or if
> somebody is trying to trick me in to ignoring packets they
> don't want me to see, so they are throwing a stateless attack
> at me to hopefully hide the real attack under the guise of
> CodeRed. Call me crazy but paranoia is my middle name.
>
> vjl
>
>
> -----Original Message-----
> From: Rob Shein [mailto:shoten@starpower.net]
> Sent: Thursday, March 13, 2003 11:50 AM
> To: 'larosa, vjay'; incidents@securityfocus.com
> Subject: RE: CodeRed Observations.
>
>
> I'd be careful and make sure, if I were you. I don't think
> that the worm is stateless, as it wouldn't be able to spread
> if it just sent data over TCP without establishing the
> handshake first. When you just PSH without handshaking
> first, your data gets rejected.
>
> > -----Original Message-----
> > From: larosa, vjay [mailto:larosa_vjay@emc.com]
> > Sent: Thursday, March 13, 2003 11:32 AM
> > To: 'Rob Shein'; larosa, vjay; incidents@securityfocus.com
> > Subject: RE: CodeRed Observations.
> >
> >
> > There are no filters in place for viewing the firewall logs.
> > Even if there were, the attacks I am seeing are even targeted
> > to IP addresses that are not up and on-line in my network. So
> > how would a "get default.ida?XXX" string be sent to a host that
> > is,
> >
> > a) Not up on the network.
> > b) Behind a firewall that blocks ALL incoming port 80.
> >
> > If there is no three way handshake to set up a TCP session
> > I should not see this data trying to flow to my hosts (Dead
> > IP's or even live IP's). The traffic I am seeing is stateless
> > (Stick/Snot).
> >
> > vjl
> >
> > -----Original Message-----
> > From: Rob Shein [mailto:shoten@starpower.net]
> > Sent: Thursday, March 13, 2003 10:57 AM
> > To: 'larosa, vjay'; incidents@securityfocus.com
> > Subject: RE: CodeRed Observations.
> >
> >
> > Check your filters. You might be looking at traffic through
> > a selection filter that doesn't show the handshake, so that
> > you can concentrate on the content that passes back and
> > forth. That's what I usually find to be the case when
> > someone makes this kind of observation...
> >
> > > -----Original Message-----
> > > From: larosa, vjay [mailto:larosa_vjay@emc.com]
> > > Sent: Wednesday, March 12, 2003 7:48 PM
> > > To: 'incidents@securityfocus.com'
> > > Subject: FW: CodeRed Observations.
> > >
> > >
> > > > Hello,
> > > >
> > > > I have been watching this recent spike in CodeRed
> activity and one
> > > > thing I am noticing is the lack of TCP session
> > establishment. I am
> > > > seeing common get strings like this showing
> > > > up at my firewalls without ever establishing a TCP three
> > > way handshake. I
> > > > have seen several
> > > > hundred packets with in the last two days similar to this
> > > at my firewalls.
> > > >
> > > > 47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61 GET
> > > /default.ida 3F
> > > > 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58
> > > ?XXXXXXXXXXXXXXX 58 58
> > > > 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
> > > 58 58 58
> > > > 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58
> > > 58 58 58
> > > > 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
> > > >
> > >
> >
> Snip------------------------------------------------------------------
> > > > ----
> > > > ------------------------------------------------------
> > > >
> > > > I find it awfully strange that there is no handshake
> (not even a
> > > > single SYN to try and establish a session) but these
> > > packets show up
> > > > anyway. I also am not seeing an increase of port 80
> > > > scans in my firewall logs or with any of my IDS sensors. Is
> > > anybody else
> > > > out there seeing the
> > > > same things we are?
> > > >
> > > > Thanks!
> > > >
> > > > vjl
> > > >
> > > > V.Jay LaRosa EMC Corporation
> > > > Information Security 4400 Computer Dr.
> > > > (508)898-7433 office Westboro, MA 01580
> > > > (508)353-1348 cell www.emc.com
> > > > 888-799-9750 pager larosa_vjay@emc.com
> > > >
> > > >
> > > >
> > >
> > > --------------------------------------------------------------
> > > --------------
> > >
> > > <Pre>Lose another weekend managing your IDS?
> > > Take back your personal time.
> > > 15-day free trial of StillSecure Border Guard.</Pre>
> > > <A href="http://www.securityfocus.com/stillsecure">
> > > http://www.securityfocus.com/stillsecure </A>
> > >
> > >
> >
>

----------------------------------------------------------------------------

<Pre>Lose another weekend managing your IDS?
Take back your personal time.
15-day free trial of StillSecure Border Guard.</Pre>
<A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A>

Next message: Cavey, Jean-Luc: "RE: CANADA.EXE Findings"

Previous message: Rob Shein: "RE: CodeRed Observations."
Maybe in reply to: Rob Shein: "RE: CodeRed Observations."
Next in thread: Q=F3rhallur_H=E1lfd=E1narson?=: "Re: CodeRed Observations."
Reply: Q=F3rhallur_H=E1lfd=E1narson?=: "Re: CodeRed Observations."
Reply: Christine Kronberg: "RE: CodeRed Observations."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

RE: [fw-wiz] IPS vs. Firewalls (why vs. ?)
... Proxy firewalls: Proxy firewalls are in theory good ... Any time you're parsing network traffic you're prone to ... Let's take the WMF ... And if you think _that's_ hard, try stopping an ASN.1 attack without writing ...
(Firewall-Wizards)
RE: Changes in IDS Companies?
... NIPS is just a ... > same problems that firewalls have faced in the past. ... > some companies deploy a variety of NIDS solutions for full ... It would fail to find an attack that Snort fails to find. ...
(Focus-IDS)
Re: [Full-disclosure] Universal Website Hijacking by Exploiting Firewall Content Filtering Featu
... Firewall Content Filtering Features + SonicWALL firewalls 0day ... you should consider the possibility of the attack vector ... Anyway, I'm now releasing full details on how the technique works, ...
(Full-Disclosure)
RE: CodeRed Observations.
... huge amount of varied attack noise, rather than something so homogenous (and ... > strings) are not part of established sessions (stateless). ... >> There are no filters in place for viewing the firewall logs. ... >> If there is no three way handshake to set up a TCP session ...
(Incidents)
RE: CodeRed Observations.
... I'm not saying that the worm is stateless. ... traffic I am seeing at my border firewalls ... without establishing the handshake first. ...
(Incidents)