Security Incidents mailing list archives
RE: Code Red Doesn't care about TCP sessions?
From: "David LeBlanc" <dleblanc () microsoft com>
Date: Fri, 10 Aug 2001 12:24:01 -0700
This seems pretty weird to me - I can see the strings for the sockets calls in the worm. You can't get a Win2k box to ignore whether it gets a SYN-ACK using normal socket calls in any way that I'm aware of.
-----Original Message-----
From: rottz () securityflaw com [mailto:rottz () securityflaw com]
Sent: Thursday, August 09, 2001 4:04 PM
To: mwiater () bayserve net
Cc: incidents () securityfocus com
Subject: Re: Code Red Doesn't care about TCP sessions?

Mark Wiater wrote:

A closer look at the data showed that many of the Code Red attacks were directed at machines that I KNEW were not able to receive port 80 through the firewalls. So how did Code Red get so far as to send the GET request when there was no SYN, SYN/ACK, ACK???
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Code Red Doesn't care about TCP sessions? Mark Wiater (Aug 09)
- Re: Code Red Doesn't care about TCP sessions? rottz (Aug 10)
- <Possible follow-ups>
- Re: Code Red Doesn't care about TCP sessions? Vern Paxson (Aug 10)
- Re: Code Red Doesn't care about TCP sessions? Mark Wiater (Aug 10)
- R: Code Red Doesn't care about TCP sessions? Giovanni Bobbio (Aug 10)
- Re: Code Red Doesn't care about TCP sessions? Mark Wiater (Aug 10)
- RE: Code Red Doesn't care about TCP sessions? David LeBlanc (Aug 10)