RE: CodeRed Observations.
From: King, Brian (BKing@langleyfcu.org)
Date: 03/14/03
Date: Fri, 14 Mar 2003 08:43:12 -0500
From: "King, Brian" <BKing@langleyfcu.org>
To: <incidents@securityfocus.com>
> I'd be careful and make sure, if I were you. I don't think that the worm is
> stateless, as it wouldn't be able to spread if it just sent data over TCP
> without establishing the handshake first. When you just PSH without
> handshaking first, your data gets rejected.
I had heard that too... that IIS can work without finishing the three-way
handshake. Could Code Red II have been the result of lessons learned
from Slammer? Part of the reason that Slammer propagated so quickly is
that it didn't have to finish the 3-way handshake (since it used UDP) and
could therefore infect more efficiently.
Brian