Security Incidents mailing list archives
Re: Code Red Doesn't care about TCP sessions?
From: rottz () securityflaw com
Date: Thu, 09 Aug 2001 18:03:40 -0500
Mark Wiater wrote:

> A closer look at the data showed that many of the Code Red attacks were directed at machines that I KNEW were not able to receive port 80 through the firewalls. So how did Code Red get so far as to send the GET request when there was no SYN, SYN/ACK, ACK???
Below is an attempt to reach port 80 on a Windows machine running ZoneAlarm. ZoneAlarm blocked it, so it never sent the GET request.

08/09-07:36:19.844186 0:A0:C5:E5:F6:93 -> 0:1:2:37:9:A7 type:0x800 len:0x3E
x.x.x.x:2558 -> x.x.x.x:80 TCP TTL:116 TOS:0x0 ID:61104
**S***** Seq: 0x5597AF30  Ack: 0x0  Win: 0x4000
TCP Options => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/09-07:36:23.060729 0:A0:C5:E5:F6:93 -> 0:1:2:37:9:A7 type:0x800 len:0x3E
x.x.x.x:2558 -> x.x.x.x:80 TCP TTL:116 TOS:0x0 ID:61142
**S***** Seq: 0x5597AF30  Ack: 0x0  Win: 0x4000
TCP Options => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/09-07:36:29.624051 0:A0:C5:E5:F6:93 -> 0:1:2:37:9:A7 type:0x800 len:0x3E
x.x.x.x:2558 -> x.x.x.x:80 TCP TTL:116 TOS:0x0 ID:61194
**S***** Seq: 0x5597AF30  Ack: 0x0  Win: 0x4000
TCP Options => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> A tcpdump showed that all of the Code Red communications were unidirectional. It didn't bother to wait (more than 350ms) for a response from the Web server before it sent its ACK and then GET request. This behaviour was consistent for all IP addresses that could not respond via port 80 because of the firewall. Am I the only one to see this behaviour?
If the firewall blocked it, I don't see why it would bother sending a GET request; it must have thought it was an open port. I've never seen CR send a GET request to a closed port.

Peter
--
rottz at securityflaw dot com
Founder of Securityflaw

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
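The check the thread is circling around, as an added example that is not part of the original posts and is not code from either poster: given a packet capture, find client flows that carry a request (ACK plus GET) without any SYN/ACK from the server ever having been seen, and report how long after the SYN the client gave up waiting. The packet records below are constructed for illustration (a simplified tcpdump-style tuple, not real Snort or tcpdump output); the names `Packet`, `find_blind_sends` and `SAMPLE_PACKETS` are this example's own. The capture also includes a flow of SYN retransmits with no reply, the ZoneAlarm case above, which correctly produces no finding because nothing beyond the SYN was ever sent.

```python
"""Flag TCP client payloads sent without a completed three-way handshake.

Added example (not from the mailing-list thread). Packet records are
constructed for illustration; field names are assumptions of this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float          # capture time in seconds
    src: str           # "ip:port" of sender
    dst: str           # "ip:port" of receiver
    flags: str         # any of S (SYN), A (ACK), P (PSH), F (FIN), R (RST)
    payload: bytes = b""


def is_syn(p: Packet) -> bool:
    return "S" in p.flags and "A" not in p.flags


def is_synack(p: Packet) -> bool:
    return "S" in p.flags and "A" in p.flags


def find_blind_sends(packets):
    """Return one finding per (client, server) pair whose client sent TCP
    payload although no SYN/ACK from the server was observed.

    delay_after_syn is seconds between the client's first SYN and its first
    payload, or None when no SYN from that client was seen at all.
    """
    syn_ts = {}          # (client, server) -> time of first SYN
    synack_seen = set()  # (client, server) pairs for which a SYN/ACK arrived
    reported = set()
    findings = []
    for p in sorted(packets, key=lambda x: x.ts):
        key = (p.src, p.dst)
        if is_syn(p):
            syn_ts.setdefault(key, p.ts)
        elif is_synack(p):
            # SYN/ACK travels server -> client; index it under the client key
            synack_seen.add((p.dst, p.src))
        elif p.payload:
            if (p.dst, p.src) in syn_ts:
                continue  # server-side data on a flow the other side opened
            if key in synack_seen or key in reported:
                continue  # handshake completed, or already reported
            reported.add(key)
            delay = None if key not in syn_ts else round(p.ts - syn_ts[key], 3)
            findings.append({
                "client": p.src,
                "server": p.dst,
                "delay_after_syn": delay,
                "payload": p.payload[:40],
            })
    return findings


# Constructed sample capture (not real traffic). The request line is a
# shortened stand-in for a Code Red style GET, not the worm's real payload.
GET = b"GET /default.ida?XXXX HTTP/1.0\r\n"
SAMPLE_PACKETS = [
    # Flow A: normal handshake, then request and response -> no finding
    Packet(0.000, "10.0.0.5:2558", "192.0.2.10:80", "S"),
    Packet(0.010, "192.0.2.10:80", "10.0.0.5:2558", "SA"),
    Packet(0.020, "10.0.0.5:2558", "192.0.2.10:80", "A"),
    Packet(0.025, "10.0.0.5:2558", "192.0.2.10:80", "PA", GET),
    Packet(0.030, "192.0.2.10:80", "10.0.0.5:2558", "PA", b"HTTP/1.0 200 OK\r\n"),
    # Flow B: the behaviour described above; SYN, then ACK + GET ~350ms later
    # with no SYN/ACK ever seen -> finding
    Packet(1.000, "10.0.0.7:1034", "192.0.2.20:80", "S"),
    Packet(1.350, "10.0.0.7:1034", "192.0.2.20:80", "A"),
    Packet(1.351, "10.0.0.7:1034", "192.0.2.20:80", "PA", GET),
    # Flow C: the ZoneAlarm case; SYN retransmits only -> no finding
    Packet(2.000, "10.0.0.9:2558", "192.0.2.30:80", "S"),
    Packet(5.200, "10.0.0.9:2558", "192.0.2.30:80", "S"),
    Packet(11.800, "10.0.0.9:2558", "192.0.2.30:80", "S"),
    # Flow D: request with no SYN at all in the capture -> finding, delay None
    Packet(3.000, "10.0.0.11:3001", "192.0.2.40:80", "PA", b"GET / HTTP/1.0\r\n"),
]


if __name__ == "__main__":
    for f in find_blind_sends(SAMPLE_PACKETS):
        print(f"{f['client']} -> {f['server']}: payload without SYN/ACK, "
              f"{f['delay_after_syn']}s after SYN, {f['payload']!r}")
```

Running this over a real capture means feeding `Packet` records from whatever parser you already have (tcpdump text, pcap via a library); the logic only needs timestamps, endpoints, flags and whether a segment carried data. A finding with a small, consistent delay across many destinations is the signature to look for if you want to confirm or refute the observation above on your own traffic; a finding with `delay_after_syn` of None usually means the capture simply started mid-flow.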
Current thread:
- Code Red Doesn't care about TCP sessions? Mark Wiater (Aug 09)
- Re: Code Red Doesn't care about TCP sessions? rottz (Aug 10)
- <Possible follow-ups>
- Re: Code Red Doesn't care about TCP sessions? Vern Paxson (Aug 10)
- Re: Code Red Doesn't care about TCP sessions? Mark Wiater (Aug 10)
- R: Code Red Doesn't care about TCP sessions? Giovanni Bobbio (Aug 10)
- Re: Code Red Doesn't care about TCP sessions? Mark Wiater (Aug 10)
- RE: Code Red Doesn't care about TCP sessions? David LeBlanc (Aug 10)