Security Incidents mailing list archives
Re: "Worm" behavior -- port 80 honey pots
From: Alexander Bochmann <securityfocus-incidents () freinet de>
Date: Mon, 22 Oct 2001 18:30:19 +0200
...on Mon, Oct 15, 2001 at 03:08:39PM -0600, Ryan Russell wrote:
> > 1) Sometimes the honey pot will send an IDENT request to the remote system. At least one of the 'worms' in circulation recently will immediately drop the port 80 connection when the IDENT probe is sent

> I used to have this problem with firewalled mail servers. If one of the mail servers was configured to do ident lookups, and there was a firewall that just dropped ident attempts (no RST), then the mail servers would sit around for 2-5 minutes until the ident TCP connect timed out. Only then would the mail connection deliver any data. This could be related, and
Don't think so; this is default behaviour with sendmail, at least. Sendmail has a configurable timeout for ident lookups, and will wait for an answer until the timeout expires. Default from sendmail distribution is 30 seconds, but possibly some vendors use a higher value. Don't know about other MTAs.

Alex.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- "Worm" behavior -- port 80 honey pots Jon R. Kibler (Oct 15)
- Re: "Worm" behavior -- port 80 honey pots Rich Puhek (Oct 15)
- Re: "Worm" behavior -- port 80 honey pots Ryan Russell (Oct 15)
- Re: "Worm" behavior -- port 80 honey pots Alexander Bochmann (Oct 22)