Security Incidents mailing list archives

Re: CodeRed Observations. ##

From: "Andrew Bates" <abates () omeganetserv com>
Date: Tue, 18 Mar 2003 12:38:10 -0700

Heres the article that I read about IIS and IE interactions:
http://grotto11.com/blog/slash.html?+1039831658 . Besides quicker
propagation, not using a handshake would allow spoofed IPs so that it
would be harder to track down and fix.


If you read through to the end of the article, the author points out that
they discovered NT 4.0 IP stack was performing this, and that any client or
server running on top of NT would behave in this manner.  So it does not
appear to be a "feature" of IE or IIS, but, rather, a feature of NT 4.0.

These results were also presented in 1997, and the author suggests that the
NT stack may have been changed since then.

Andrew


----------------------------------------------------------------------------

<Pre>Lose another weekend managing your IDS?
Take back your personal time.
15-day free trial of StillSecure Border Guard.</Pre>
<A href="http://www.securityfocus.com/stillsecure";> http://www.securityfocus.com/stillsecure </A>

Current thread:

RE: CodeRed Observations. ## root (Mar 18)
- Re: CodeRed Observations. ## Andrew Bates (Mar 19)
- RE: CodeRed Observations. ## Rob Shein (Mar 19)