Security Incidents mailing list archives
Re: CodeRed Observations. ##
From: "Andrew Bates" <abates () omeganetserv com>
Date: Tue, 18 Mar 2003 12:38:10 -0700
Heres the article that I read about IIS and IE interactions: http://grotto11.com/blog/slash.html?+1039831658 . Besides quicker propagation, not using a handshake would allow spoofed IPs so that it would be harder to track down and fix.
If you read through to the end of the article, the author points out that they discovered NT 4.0 IP stack was performing this, and that any client or server running on top of NT would behave in this manner. So it does not appear to be a "feature" of IE or IIS, but, rather, a feature of NT 4.0. These results were also presented in 1997, and the author suggests that the NT stack may have been changed since then. Andrew ---------------------------------------------------------------------------- <Pre>Lose another weekend managing your IDS? Take back your personal time. 15-day free trial of StillSecure Border Guard.</Pre> <A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A>
Current thread:
- RE: CodeRed Observations. ## root (Mar 18)
- Re: CodeRed Observations. ## Andrew Bates (Mar 19)
- RE: CodeRed Observations. ## Rob Shein (Mar 19)