Security Incidents mailing list archives

Re: Code Red Doesn't care about TCP sessions?


From: Vern Paxson <vern () ee lbl gov>
Date: Thu, 09 Aug 2001 21:36:47 PDT

A closer look at the data showed that many of the Code Red attacks were 
directed at machines that I KNEW were not able to receive port 80 through the 
firewalls. So how did Code Red get so far as to send the GET request when 
there was no SYN, SYN/ACK, ACK???

A tcpdump showed that all of the Code Red communications were unidirectional. 
It didn't bother to wait (more than 350ms) for a response from the Web server 
before it sent its ACK and then GET request.  This behaviour was consistent 
for all IP addresses that could not respond via port 80 because of the 
firewall.

Am I the only one to see this behaviour?

I've seen this too - very bizarre!  I've tried to concoct scenarios in
which it's somehow a NAT that's run amuck, but haven't managed to put
together any that are convincing.

                Vern
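As an added example (not part of this thread or anyone's posted code), here is a small detector over constructed tcpdump-style records that flags the pattern described above: a client sending an ACK or a GET to a server whose SYN/ACK was never seen. The record layout, addresses and 350ms gap are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed record: a simplified view of one tcpdump line (assumed layout).
@dataclass
class Pkt:
    ts: float            # seconds since capture start
    src: str             # "ip:port"
    dst: str             # "ip:port"
    flags: str           # tcpdump style: "S" SYN, "S." SYN/ACK, "." ACK, "P." PSH/ACK
    payload: bytes = b""

@dataclass
class Flow:
    syn_ts: float        # when the client's SYN was seen
    synack_seen: bool = False

def find_blind_sessions(pkts: List[Pkt]) -> List[Tuple[str, str, float, bytes]]:
    """Return (client, server, seconds_since_syn, payload) for every client
    segment sent before any SYN/ACK from that server was observed.
    Only flows whose SYN we saw are tracked, so a capture that starts
    mid-connection does not produce false positives."""
    flows: Dict[Tuple[str, str], Flow] = {}
    findings: List[Tuple[str, str, float, bytes]] = []
    for p in sorted(pkts, key=lambda x: x.ts):
        if p.flags == "S":                       # client SYN: start tracking
            flows[(p.src, p.dst)] = Flow(syn_ts=p.ts)
        elif p.flags == "S.":                    # server SYN/ACK: handshake answered
            f = flows.get((p.dst, p.src))
            if f is not None:
                f.synack_seen = True
        else:                                    # ACK / PSH-ACK from the client side
            f = flows.get((p.src, p.dst))
            if f is not None and not f.synack_seen:
                findings.append((p.src, p.dst, round(p.ts - f.syn_ts, 3), p.payload))
    return findings

SAMPLE = [  # constructed packets, not from the thread
    # normal session: SYN, SYN/ACK, ACK, GET
    Pkt(0.000, "10.0.0.5:1025", "192.0.2.10:80", "S"),
    Pkt(0.010, "192.0.2.10:80", "10.0.0.5:1025", "S."),
    Pkt(0.020, "10.0.0.5:1025", "192.0.2.10:80", "."),
    Pkt(0.030, "10.0.0.5:1025", "192.0.2.10:80", "P.", b"GET / HTTP/1.0\r\n"),
    # one-sided session: target behind a firewall never answers, sender carries on
    Pkt(1.000, "10.0.0.5:1026", "192.0.2.20:80", "S"),
    Pkt(1.360, "10.0.0.5:1026", "192.0.2.20:80", "."),
    Pkt(1.361, "10.0.0.5:1026", "192.0.2.20:80", "P.", b"GET / HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for client, server, delay, data in find_blind_sessions(SAMPLE):
        print(f"{client} -> {server}: blind segment {delay}s after SYN, payload={data!r}")
```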

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
