Security Incidents mailing list archives
RE: CodeRed Observations.
From: "larosa, vjay" <larosa_vjay () emc com>
Date: Thu, 13 Mar 2003 21:18:05 -0500
This would definitely be the answer to my odd traffic. It is interesting that I have never seen any threads relating to this on any other newsgroups. I am going to find an IIS server somewhere in my network tomorrow and test this out. On a side note, if IIS does answer connections without established sessions, couldn't IDS systems that track state be fooled into ignoring some attacks? If I had the stateless option turned on in my IDS to ignore stick/snot type attacks I never would have discovered any of this traffic. Food for thought.

vjl

-----Original Message-----
From: Rob McCauley [mailto:robmccau () RadOnc Duke EDU]
Sent: Thursday, March 13, 2003 1:36 PM
To: Rob Shein
Cc: 'larosa, vjay'; incidents () securityfocus com
Subject: RE: CodeRed Observations.

On Thu, 13 Mar 2003, Rob Shein wrote:
I'd be careful and make sure, if I were you. I don't think that the worm is stateless, as it wouldn't be able to spread if it just sent data over TCP without establishing the handshake first. When you just PSH without handshaking first, your data gets rejected.
A claim has been made that IE, IIS, and at least some flavors of Windows don't work like that. http://grotto11.com/blog/?+1039831658. I don't have time to verify the claim, but if it's true a worm spreading without the expected TCP handshake might well be possible.

Rob

--
----------------------------------------------------------------------------
Rob McCauley
Radiation Oncology
Duke University Medical Center
----------------------------------------------------------------------------

Lose another weekend managing your IDS? Take back your personal time. 15-day free trial of StillSecure Border Guard.
http://www.securityfocus.com/stillsecure
----------------------------------------------------------------------------
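The IDS concern raised in this exchange, that a sensor configured to inspect only established TCP streams (the usual answer to stick/snot decoy traffic, e.g. Snort 1.x's "-z est" switch) would also ignore a request delivered without a three-way handshake, worked through as an added example that is not code from anyone in the thread. A toy handshake tracker and a simplified Code Red signature are run over constructed packets twice, once with the established-only policy and once without. The hosts, ports, and the 224-byte filler length are assumptions made up for the example; the signature is a stand-in, not a production rule.

```python
"""Does an "established streams only" IDS policy hide handshake-less data?

Added example for this thread (not a poster's code). The packets are
constructed and the Code Red signature is a simplified stand-in.
"""
from dataclasses import dataclass

# TCP flag bits (RFC 793 layout).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""


def flow_key(p: Packet):
    """Direction-independent 4-tuple so both sides of a flow share state."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


class StreamTracker:
    """Minimal three-way-handshake tracker: SYN -> SYN/ACK -> ACK."""

    def __init__(self):
        self.state = {}

    def update(self, p: Packet) -> str:
        k = flow_key(p)
        s = self.state.get(k, "none")
        if p.flags & RST:                       # reset tears the flow down
            self.state.pop(k, None)
            return "none"
        if p.flags & SYN and not p.flags & ACK:
            self.state[k] = "syn"
        elif p.flags & SYN and p.flags & ACK and s == "syn":
            self.state[k] = "synack"
        elif p.flags & ACK and s == "synack":
            self.state[k] = "established"
        return self.state.get(k, "none")


CODE_RED_MARKER = b"GET /default.ida?"


def looks_like_code_red(payload: bytes) -> bool:
    """Simplified signature: /default.ida? followed by a long filler run of N."""
    if not payload.startswith(CODE_RED_MARKER):
        return False
    tail = payload[len(CODE_RED_MARKER):]
    filler = len(tail) - len(tail.lstrip(b"N"))
    return filler >= 100


def inspect(packets, require_established: bool):
    """Return (src, dst) pairs whose payload matched the signature."""
    tracker = StreamTracker()
    alerts = []
    for p in packets:
        state = tracker.update(p)
        if not p.payload:
            continue
        if require_established and state != "established":
            # The stick/snot defence: payload outside an established
            # stream is never handed to the signature engine.
            continue
        if looks_like_code_red(p.payload):
            alerts.append((p.src, p.dst))
    return alerts


# Constructed traffic (assumed hosts/ports; filler length is made up).
CR_REQUEST = (b"GET /default.ida?" + b"N" * 224
              + b"%u9090%u6858%ucbd3%u7801 HTTP/1.0\r\n\r\n")
IIS = "10.0.0.80"

SAMPLE = [
    # Flow 1: proper handshake, then the request.
    Packet("10.0.0.11", 1025, IIS, 80, SYN),
    Packet(IIS, 80, "10.0.0.11", 1025, SYN | ACK),
    Packet("10.0.0.11", 1025, IIS, 80, ACK),
    Packet("10.0.0.11", 1025, IIS, 80, PSH | ACK, CR_REQUEST),
    # Flow 2: the same request pushed with no handshake at all.
    Packet("192.0.2.7", 2048, IIS, 80, PSH | ACK, CR_REQUEST),
]


def compare(packets=SAMPLE):
    """Run both policies over the same capture and return their alerts."""
    return {
        "stateful": inspect(packets, require_established=True),
        "stateless": inspect(packets, require_established=False),
    }


if __name__ == "__main__":
    for mode, hits in compare().items():
        print(f"{mode:9s} alerts: {hits}")
```

The established-only run reports only flow 1; flow 2 is invisible to it even though the bytes on the wire are identical. Whether a real IIS host would act on flow 2 is exactly the claim the thread leaves unverified, but the sensor-side trade-off is independent of that: a policy that discards handshake-less payload to silence decoy tools also discards any genuine handshake-less attack, so such traffic has to be caught elsewhere (flow logs, firewall state tables, or a separate rule for data-bearing segments on unknown flows).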
Current thread:
- Re: FW: CodeRed Observations., (continued)
- Re: FW: CodeRed Observations. Russell Fulton (Mar 13)
- RE: CodeRed Observations. larosa, vjay (Mar 13)
- RE: CodeRed Observations. Rob Shein (Mar 13)
- RE: CodeRed Observations. Michał Rogala (Mar 13)
- RE: CodeRed Observations. Rob McCauley (Mar 13)
- RE: CodeRed Observations. Rob Shein (Mar 13)
- RE: CodeRed Observations. larosa, vjay (Mar 13)
- RE: CodeRed Observations. Rob Shein (Mar 13)
- RE: CodeRed Observations. larosa, vjay (Mar 13)
- Re: CodeRed Observations. Þórhallur Hálfdánarson (Mar 14)
- RE: CodeRed Observations. Christine Kronberg (Mar 14)
- RE: CodeRed Observations. larosa, vjay (Mar 14)
- RE: CodeRed Observations. Bojan Zdrnja (Mar 16)
- Re: CodeRed Observations. Andrew Bates (Mar 16)
- RE: CodeRed Observations. Rob Shein (Mar 16)
- RE: CodeRed Observations. Bojan Zdrnja (Mar 16)
- RE: CodeRed Observations. Christine Kronberg (Mar 19)
- RE: CodeRed Observations. King, Brian (Mar 14)
- RE: CodeRed Observations. King, Brian (Mar 14)
- RE: CodeRed Observations. larosa, vjay (Mar 16)