Security Incidents mailing list archives

Re: Code red variants?


From: Russell Fulton <r.fulton () auckland ac nz>
Date: Fri, 7 Sep 2001 09:28:06 +1200 (NZST)


I now have an explanation for this, see appended message from NEXTRA 
who own the addresses where these packets come from.

This still begs the question of the exact mechanism but I think we are 
on the right track.  Nextra are blocking code red connections at their 
transparent proxy but something is coming unstuck.


Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand


From: Russell Fulton <r.fulton () auckland ac nz>
Sender: r.fulton () auckland ac nz
To: abuse () online no
Subject: strange code red segments from 130.67/16
Date: Thu, 6 Sep 2001 16:40:50 +1200 (NZST)
Priority: NORMAL
X-Mailer: Simeon for Solaris Motif Version 4.1.5 Build (43)
X-Authentication: IMSP

Greetings,
         I have observed a stream of ACK packets (with no SYN) coming 
from various addresses in 130.67.  All of these packets appear to 
contain nearly identical payload being part of (2nd packet ?) of the 
code red stream.

I am wondering if you have something (a proxy ?) that is blocking the 
SYN and first packet (that contains the url) but is allowing the latter 
packets out?

Yes, we do block outgoing code red attacks using transparent proxies.
But I cannot explain why only the first packet is blocked. The proxies
should of course operate on a session level and not on a packet
level. At the moment the only explanation I can think of is a failure
of our redirecting equipment. I will have to look further into that. It 
does not sound good..

Thanks for your report.


Bjørn Mork
Nextra
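
The symptom described in the thread (data-bearing ACK segments on flows
for which no SYN was ever seen, i.e. a filter that works per packet
where it should work per session) can be picked out of a capture with
a small flow tracker. The following is an added example, not code from
either poster or from Nextra. The Segment record layout, the sample
traffic (sources in 130.67/16 as in the report, destination in the
192.0.2.0/24 documentation range) and the "default.ida" content tag are
my own assumptions; in practice the records would be fed from tcpdump
or a pcap reader.

```python
from collections import namedtuple, Counter

# Minimal TCP segment record. The field layout is an assumption made for
# this example, not a format used on the list; fill it from a pcap reader.
Segment = namedtuple("Segment", "src sport dst dport flags payload")

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def flow_key(seg):
    """Unidirectional flow identity, client -> server."""
    return (seg.src, seg.sport, seg.dst, seg.dport)


def find_stray_acks(segments, server_port=80):
    """Return data-bearing ACK segments to server_port whose flow never
    showed a SYN.

    A session-level filter that drops the SYN and the first data segment
    drops everything after them too; a later segment arriving on a flow
    with no handshake means the block is being applied per packet.
    """
    handshake_seen = set()
    stray = []
    for seg in segments:
        if seg.dport != server_port:
            continue
        key = flow_key(seg)
        if seg.flags & SYN:
            handshake_seen.add(key)
        elif (seg.flags & ACK) and seg.payload and key not in handshake_seen:
            stray.append(seg)
    return stray


def tag_code_red(payload):
    """Crude content tag. 'default.ida' is the request target Code Red
    sends in its first segment; a continuation segment carries only the
    remainder of the buffer and will not match it."""
    if b"default.ida" in payload:
        return "code-red-request"
    return "continuation"


def summarize(segments, server_port=80):
    """Count stray segments per source address, for the abuse report."""
    return Counter(seg.src for seg in find_stray_acks(segments, server_port))


# Constructed sample traffic (not from the list): one normal session and
# two flows whose SYN and first data segment never arrived.
SAMPLE = [
    Segment("130.67.1.10", 3001, "192.0.2.5", 80, SYN, b""),
    Segment("130.67.1.10", 3001, "192.0.2.5", 80, ACK, b""),
    Segment("130.67.1.10", 3001, "192.0.2.5", 80, ACK | PSH,
            b"GET /index.html HTTP/1.0\r\n\r\n"),
    # mid-stream segment, no SYN seen on this flow
    Segment("130.67.2.20", 4002, "192.0.2.5", 80, ACK,
            b"%u9090%u6858%ucbd3%u7801" * 40),
    # same from a second host, with a PSH flag
    Segment("130.67.3.30", 4003, "192.0.2.5", 80, ACK | PSH,
            b"%u9090%u6858%ucbd3%u7801" * 40),
    # stray ACK without payload: not reported, nothing escaped in it
    Segment("130.67.4.40", 4004, "192.0.2.5", 80, ACK, b""),
]

if __name__ == "__main__":
    for seg in find_stray_acks(SAMPLE):
        print(seg.src, seg.sport, len(seg.payload), tag_code_red(seg.payload))
    print(summarize(SAMPLE))
```

Flows are keyed by the full 4-tuple, so a host that legitimately talks to
the server on another connection is not mistaken for a stray one, and
empty ACKs are ignored because they carry nothing the proxy should have
stopped. On a real capture, start the capture before the sessions of
interest, otherwise every established flow looks like it has no SYN.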




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

