RE: CodeRed Observations.
From: Bojan Zdrnja (Bojan.Zdrnja@LSS.hr)
Date: 03/15/03
- Previous message: James C Slora Jr: "RE: IRC DDoS bots"
- In reply to: larosa, vjay: "RE: CodeRed Observations."
- Next in thread: Andrew Bates: "Re: CodeRed Observations."
- Reply: Andrew Bates: "Re: CodeRed Observations."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Bojan Zdrnja" <Bojan.Zdrnja@LSS.hr>
To: "'larosa, vjay'" <larosa_vjay@emc.com>, "'Rob McCauley'" <robmccau@RadOnc.Duke.EDU>, "'Rob Shein'" <shoten@starpower.net>, <incidents@securityfocus.com>
Date: Sat, 15 Mar 2003 21:11:48 +1300
> -----Original Message-----
> From: larosa, vjay [mailto:larosa_vjay@emc.com]
> Sent: Friday, 14 March 2003 3:18 p.m.
> To: 'Rob McCauley'; Rob Shein
> Cc: larosa, vjay; incidents@securityfocus.com
> Subject: RE: CodeRed Observations.
>
>
> This would definitely be the answer to my odd traffic.
> It is interesting that I have never seen any threads
> relating to this on any other news groups. I am going
> to find an IIS server somewhere in my network tomorrow
> and test this out.
I really doubt this is the way the CodeRed worm works (why, see below). But, first
of all, if it actually works like this (and IE works as stated in the article Rob
posted), then that means that Windows' TCP/IP *STACK* is really broken.
Basically, this has nothing to do with IIS because IIS, like any other service,
just binds a socket and waits for incoming data. The TCP/IP stack is the one that
processes all incoming/outgoing traffic and delivers data to the application.
Remember that TCP packets are on the transport layer (or host level if you
prefer protocol relationships) and that the actual HTTP data belongs to the
application layer (the OSI model). So, the TCP/IP stack on the machine receiving
a packet like that should send back RST - no way that packet should be processed
and delivered to the application (if that is the case, spoofing becomes extremely
easy).
Remember that we're talking plain TCP/IP here, not T/TCP (Transaction TCP -
which I don't think is implemented in Windows anyway).
Now, if CodeRed uses the technique which is described in that article, that means
one of these two things:
1) CodeRed has implemented code which sends packets as described in that
article (I doubt that).
2) Windows TCP/IP stack is really broken (I could believe this ;-)) so it sends
*all* requests that way.
It could be possible that the TCP/IP stack is broken on some old Windows NT
versions (maybe unpatched 4.0), but someone should verify this.
Vjay, can you paste exactly what packets you see on your firewall (with TCP
flags and other relevant data)?
I believe you're seeing something very broken in your case (or the result
of some firewall/whatever in front of it). If CodeRed used this type of propagation,
why would it ever use a legal three-way handshake? If all Windows servers worked
that way this would be enough to propagate (it can't work on Linux, for example, anyway).
And I believe we would have noticed this sooner.
> On a side note, if IIS does answer to connections
> without established sessions couldn't IDS systems that track state
> be fooled into ignoring some attacks? If I had the stateless
If this is the case we have other problems (spoofing :). But I'm sure it isn't.
Best regards,
Bojan Zdrnja
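The point Bojan makes above (a data segment that arrives with no completed three-way handshake should be answered with RST and never handed to the listening service, and a stateful IDS should treat it the same way rather than be "fooled") can be checked mechanically against a packet trace with a small connection tracker. The following is an added example, not code from this thread or from any list participant: it parses a constructed one-line segment summary format (not tcpdump syntax), tracks SYN / SYN-ACK / ACK per client-server pair, and labels every later segment as either in-session or orphaned. The traces at the bottom are made up to illustrate the two cases being argued about.

```python
"""Minimal TCP handshake tracker (added example, constructed input).

Classifies each segment the way a correct host stack (or a stateful IDS)
would: payload is only "delivered" on a flow whose three-way handshake was
observed; payload on any other flow is an orphan the stack should RST.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # subset of "SAPFR", e.g. "S", "SA", "A", "PA"
    length: int  # payload bytes


def parse_line(line: str) -> Segment:
    """Parse a constructed summary line such as
    '10.0.0.1:4321 > 10.0.0.2:80 [PA] len=64' (IPv4 only, assumed format)."""
    left, right = line.split(">")
    src, sport = left.strip().rsplit(":", 1)
    rest = right.strip().split()
    dst, dport = rest[0].rsplit(":", 1)
    flags = rest[1].strip("[]")
    length = int(rest[2].split("=")[1])
    return Segment(src, int(sport), dst, int(dport), flags, length)


class ConnTracker:
    """Per-flow state keyed by (client, cport, server, sport)."""

    def __init__(self) -> None:
        self.state: dict = {}  # -> "SYN_SENT" | "SYN_RECV" | "ESTABLISHED"

    def classify(self, seg: Segment) -> str:
        fwd = (seg.src, seg.sport, seg.dst, seg.dport)  # client -> server
        rev = (seg.dst, seg.dport, seg.src, seg.sport)  # server -> client
        f = set(seg.flags)

        if "R" in f:  # RST tears the flow down in either direction
            self.state.pop(fwd, None)
            self.state.pop(rev, None)
            return "RESET"

        if fwd in self.state:
            st = self.state[fwd]
            if st == "SYN_RECV" and "A" in f and "S" not in f:
                self.state[fwd] = "ESTABLISHED"  # third leg of the handshake
                return "DELIVER" if seg.length else "HANDSHAKE"
            if st == "ESTABLISHED":
                return "DELIVER" if seg.length else "SESSION"
        elif rev in self.state:
            st = self.state[rev]
            if st == "SYN_SENT" and f >= {"S", "A"}:
                self.state[rev] = "SYN_RECV"  # server's SYN/ACK
                return "HANDSHAKE"
            if st == "ESTABLISHED":
                return "DELIVER" if seg.length else "SESSION"
        elif f == {"S"}:
            self.state[fwd] = "SYN_SENT"  # a fresh SYN opens a flow
            return "HANDSHAKE"

        # No established connection owns this segment. A correct stack
        # answers with RST and never passes the bytes to the application;
        # a stateful IDS should flag it instead of ignoring it.
        return "ORPHAN_DATA" if seg.length else "ORPHAN"


def run(lines):
    """Classify a trace with a fresh tracker; returns one label per line."""
    tracker = ConnTracker()
    return [tracker.classify(parse_line(line)) for line in lines]


# Constructed traces (not captured traffic). The PA segment stands in for the
# worm's HTTP request; its payload contents do not matter to the tracker.
NORMAL_PROBE = [
    "10.0.0.1:4321 > 10.0.0.2:80 [S] len=0",
    "10.0.0.2:80 > 10.0.0.1:4321 [SA] len=0",
    "10.0.0.1:4321 > 10.0.0.2:80 [A] len=0",
    "10.0.0.1:4321 > 10.0.0.2:80 [PA] len=112",
]
NO_HANDSHAKE = [
    "10.0.0.1:4321 > 10.0.0.2:80 [PA] len=112",  # data with no prior SYN
]
ACK_ONLY = [
    "10.0.0.1:4321 > 10.0.0.2:80 [A] len=0",     # bare ACK, no flow
]

if __name__ == "__main__":
    for name, trace in [("normal", NORMAL_PROBE),
                        ("no-handshake", NO_HANDSHAKE),
                        ("ack-only", ACK_ONLY)]:
        print(name, run(trace))
```

Run it as a script and the normal probe ends in DELIVER while the handshake-less request is ORPHAN_DATA; feeding the firewall log Bojan asks Vjay for through `parse_line` (after adapting the format) would show whether the "odd traffic" is really payload on unestablished flows or just the server's RSTs to stray segments.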