Security Incidents mailing list archives

Re: "Worm" behavior -- port 80 honey pots


From: Alexander Bochmann <securityfocus-incidents () freinet de>
Date: Mon, 22 Oct 2001 18:30:19 +0200

...on Mon, Oct 15, 2001 at 03:08:39PM -0600, Ryan Russell wrote:

> > 1) Sometimes the honey pot will send an IDENT request to the remote
> > system. At least one of the 'worms' in circulation recently will
> > immediately drop the port 80 connection when the IDENT probe is sent
>
> I used to have this problem with firewalled mail servers.  If one of the
> mail servers was configured to do ident lookups, and there was a firewall
> that just dropped ident attempts (no RST), then the mail servers would sit
> around for 2-5 minutes until the ident TCP connect timed out.  Only then
> would the mail connection deliver any data.  This could be related, and

Don't think so; this is default behaviour with sendmail, at least.

Sendmail has a configurable timeout for ident lookups, and will 
wait for an answer until the timeout expires. Default from 
sendmail distribution is 30 seconds, but possibly some vendors 
use a higher value. Don't know about other MTAs.

Alex.
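
An added example, not part of the original post and not sendmail's code: a minimal RFC 1413 ident client with a configurable timeout, run against constructed local peers, showing that a rejected probe returns at once while an unanswered one stalls the caller for the full timeout. The function names, the port numbers and the user name `alice` are assumptions for illustration; the silent peer accepts the connection and never replies, standing in for a firewall that drops the probe without an RST.

```python
import socket
import threading
import time

def ident_lookup(host, remote_port, local_port, timeout, ident_port=113):
    """RFC 1413 query; timeout covers the connect and each read. Returns (outcome, seconds, reply)."""
    start, reply = time.monotonic(), b""
    try:
        with socket.create_connection((host, ident_port), timeout=timeout) as s:
            s.sendall(f"{remote_port}, {local_port}\r\n".encode("ascii"))
            while not reply.endswith(b"\n"):
                chunk = s.recv(512)
                if not chunk:
                    break
                reply += chunk
        outcome = "answered" if reply else "closed"
    except ConnectionRefusedError:
        outcome = "refused"   # probe was rejected: the caller can proceed immediately
    except socket.timeout:
        outcome = "timeout"   # no answer at all: the caller waited out the timer
    return outcome, time.monotonic() - start, reply.decode("ascii", "replace").strip()

def fake_identd(silent):
    """Constructed one-shot peer on 127.0.0.1 (assumption): answers, or stays silent."""
    srv = socket.create_server(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        query = conn.recv(512).decode("ascii").strip()
        if silent:
            time.sleep(2)     # never reply, longer than the client's timeout
        else:
            conn.sendall(f"{query} : USERID : UNIX : alice\r\n".encode("ascii"))
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

def closed_port():
    with socket.socket() as s:   # bind, note the port, release it: nothing listens there
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    peers = (("answering", fake_identd(False)), ("rejecting", closed_port()), ("silent", fake_identd(True)))
    for name, port in peers:
        print(name, ident_lookup("127.0.0.1", 1025, 80, timeout=1.0, ident_port=port))
```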

