Security Incidents mailing list archives
Re: Code Red Doesn't care about TCP sessions?
From: Vern Paxson <vern () ee lbl gov>
Date: Thu, 09 Aug 2001 21:36:47 PDT
A closer look at the data showed that many of the Code Red attacks were directed at machines that I KNEW were not able to receive port 80 through the firewalls. So how did Code Red get so far as to send the GET request when there was no SYN, SYN/ACK, ACK??? A tcpdump showed that all of the Code Red communications were unidirectional. It didn't bother to wait (more than 350ms) for a response from the Web server before it sent its ACK and then GET request. This behaviour was consistent for all IP addresses that could not respond via port 80 because of the firewall. Am I the only one to see this behaviour?
I've seen this too - very bizarre! I've tried to concoct scenarios in which it's somehow a NAT that's run amuck, but haven't managed to put together any that are convincing.

Vern

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
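Added example, not part of this thread or of any tool its authors wrote: a small Python checker that walks packet records (constructed here to stand in for a tcpdump capture) and flags the pattern described above, a client sending ACK and then a GET to port 80 even though no SYN/ACK from the server was ever seen. All addresses, ports and timings are made up.

```python
"""Flag HTTP requests sent without an observed server SYN/ACK.

Each constructed record is (time_s, src, sport, dst, dport, flags, payload);
flags is a string of TCP flag letters (S, A, P, F).
"""

# Constructed sample capture. Flow 1 is a normal three-way handshake
# followed by a GET. Flow 2 mimics the behaviour reported in the thread:
# SYN, then about 350 ms later an ACK and a GET, with no SYN/ACK from
# the firewalled server in between.
PACKETS = [
    (0.000, "10.0.0.5", 4000, "192.0.2.10", 80, "S", b""),
    (0.010, "192.0.2.10", 80, "10.0.0.5", 4000, "SA", b""),
    (0.011, "10.0.0.5", 4000, "192.0.2.10", 80, "A", b""),
    (0.012, "10.0.0.5", 4000, "192.0.2.10", 80, "PA", b"GET / HTTP/1.0\r\n"),
    (1.000, "10.0.0.6", 4100, "192.0.2.20", 80, "S", b""),
    (1.350, "10.0.0.6", 4100, "192.0.2.20", 80, "A", b""),
    (1.351, "10.0.0.6", 4100, "192.0.2.20", 80, "PA", b"GET / HTTP/1.0\r\n"),
]


def find_blind_requests(packets):
    """Return [(client, server, seconds_since_syn)] for each flow in which
    the client pushed payload to port 80 although no SYN/ACK from the
    server was observed. A flow is reported once."""
    syn_time = {}        # client-side 4-tuple -> time of its first SYN
    saw_synack = set()   # client-side 4-tuples that received a SYN/ACK
    flagged = set()
    hits = []
    for t, src, sport, dst, dport, flags, payload in packets:
        if "S" in flags and "A" not in flags:
            syn_time.setdefault((src, sport, dst, dport), t)
        elif "S" in flags and "A" in flags:
            # SYN/ACK travels server -> client; store the client-side key
            saw_synack.add((dst, dport, src, sport))
        elif payload and dport == 80:
            key = (src, sport, dst, dport)
            if key not in saw_synack and key not in flagged:
                flagged.add(key)
                delay = t - syn_time.get(key, t)
                hits.append((src, dst, round(delay, 3)))
    return hits


if __name__ == "__main__":
    for client, server, delay in find_blind_requests(PACKETS):
        print(f"blind GET from {client} to {server}, {delay}s after SYN")
```

On a real capture the same logic applies per flow; a host that keeps producing such one-sided requests to unresponsive web servers is worth isolating and inspecting.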