RE: CodeRed Observations.
From: larosa, vjay (larosa_vjay@emc.com)
Date: 03/14/03
- Previous message: Q=F3rhallur_H=E1lfd=E1narson?=: "Re: CodeRed Observations."
- Maybe in reply to: Rob Shein: "RE: CodeRed Observations."
- Next in thread: Bojan Zdrnja: "RE: CodeRed Observations."
- Reply: Bojan Zdrnja: "RE: CodeRed Observations."
- Reply: Christine Kronberg: "RE: CodeRed Observations."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "larosa, vjay" <larosa_vjay@emc.com> To: 'Rob McCauley' <robmccau@RadOnc.Duke.EDU>, Rob Shein <shoten@starpower.net> Date: Thu, 13 Mar 2003 21:18:05 -0500
This would definately be the answer to my odd traffic.
It is interesting that I have never seen any threads
relating to this on any other news groups. I am going
to find an IIS server somewhere in my network tomorrow
and test this out.
On a side note, if IIS does answer to connections
with out established sessions couldn't IDS systems that track state
be fooled into ignoring some attacks? If I had the stateless
option turned on in my IDS to ignore stick/snot type attacks
I never would have discovered any of this traffic. Food for thought.
vjl
-----Original Message-----
From: Rob McCauley [mailto:robmccau@RadOnc.Duke.EDU]
Sent: Thursday, March 13, 2003 1:36 PM
To: Rob Shein
Cc: 'larosa, vjay'; incidents@securityfocus.com
Subject: RE: CodeRed Observations.
On Thu, 13 Mar 2003, Rob Shein wrote:
> I'd be careful and make sure, if I were you. I don't think that the worm
is
> stateless, as it wouldn't be able to spread if it just sent data over TCP
> without establishing the handshake first. When you just PSH without
> handshaking first, your data gets rejected.
A claim has been made that IE, IIS, and at least some flavors of Windows
don't work like that. http://grotto11.com/blog/?+1039831658. I don't
have time to verify the claim, but if it's true a worm spreading without
the expected TCP handshake might well be possible.
Rob
-- ---------------------------------------------------------------------------- -- Rob McCauley Radiation Oncology Duke University Medical Center ---------------------------------------------------------------------------- <Pre>Lose another weekend managing your IDS? Take back your personal time. 15-day free trial of StillSecure Border Guard.</Pre> <A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A> ---------------------------------------------------------------------------- <Pre>Lose another weekend managing your IDS? Take back your personal time. 15-day free trial of StillSecure Border Guard.</Pre> <A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A>
- Previous message: Q=F3rhallur_H=E1lfd=E1narson?=: "Re: CodeRed Observations."
- Maybe in reply to: Rob Shein: "RE: CodeRed Observations."
- Next in thread: Bojan Zdrnja: "RE: CodeRed Observations."
- Reply: Bojan Zdrnja: "RE: CodeRed Observations."
- Reply: Christine Kronberg: "RE: CodeRed Observations."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
