Security Incidents mailing list archives

RE: CodeRed Observations.

From: Michał Rogala <rogala () pro onet pl>
Date: Thu, 13 Mar 2003 23:57:25 +0100 (CET)

On Thu, 13 Mar 2003, Rob Shein wrote:

I'd be careful and make sure, if I were you.  I don't think that the worm is
stateless, as it wouldn't be able to spread if it just sent data over TCP
without establishing the handshake first.  When you just PSH without
handshaking first, your data gets rejected.


some time ago it turned out that IIS accepts HTTP requests without
TCP handshake in order to "improve" speed of transmission....(yuck!) -
I heard that MSIE 'exploits' this and therefore it is faster in some
benchmarks......


-- 
Micha? `Rogal` Rogala
rogala () pro onet pl GG:#5302321
"To nie ZUS, tu nie ma miejsca na bledy"


----------------------------------------------------------------------------

<Pre>Lose another weekend managing your IDS?
Take back your personal time.
15-day free trial of StillSecure Border Guard.</Pre>
<A href="http://www.securityfocus.com/stillsecure";> http://www.securityfocus.com/stillsecure </A>

Current thread:

FW: CodeRed Observations. larosa, vjay (Mar 13)
- RE: CodeRed Observations. Rob Shein (Mar 13)
- Re: FW: CodeRed Observations. Russell Fulton (Mar 13)
- <Possible follow-ups>
- RE: CodeRed Observations. larosa, vjay (Mar 13)
  - RE: CodeRed Observations. Rob Shein (Mar 13)
    - RE: CodeRed Observations. Michał Rogala (Mar 13)
    - RE: CodeRed Observations. Rob McCauley (Mar 13)
- RE: CodeRed Observations. larosa, vjay (Mar 13)
  - RE: CodeRed Observations. Rob Shein (Mar 13)
- RE: CodeRed Observations. larosa, vjay (Mar 13)
  - Re: CodeRed Observations. Þórhallur Hálfdánarson (Mar 14)
  - RE: CodeRed Observations. Christine Kronberg (Mar 14)
- RE: CodeRed Observations. larosa, vjay (Mar 14)
  - RE: CodeRed Observations. Bojan Zdrnja (Mar 16)
    - Re: CodeRed Observations. Andrew Bates (Mar 16)
    - RE: CodeRed Observations. Rob Shein (Mar 16)

(Thread continues...)