Security Incidents mailing list archives

RE: CodeRed Observations.


From: "larosa, vjay" <larosa_vjay () emc com>
Date: Thu, 13 Mar 2003 21:18:05 -0500

This would definitely be the answer to my odd traffic.
It is interesting that I have never seen any threads
relating to this on any other news groups. I am going
to find an IIS server somewhere in my network tomorrow
and test this out.

On a side note, if IIS does answer to connections
without established sessions, couldn't IDS systems that track state
be fooled into ignoring some attacks? If I had the stateless
option turned on in my IDS to ignore stick/snot type attacks,
I never would have discovered any of this traffic. Food for thought.

vjl

-----Original Message-----
From: Rob McCauley [mailto:robmccau () RadOnc Duke EDU]
Sent: Thursday, March 13, 2003 1:36 PM
To: Rob Shein
Cc: 'larosa, vjay'; incidents () securityfocus com
Subject: RE: CodeRed Observations.



On Thu, 13 Mar 2003, Rob Shein wrote:

I'd be careful and make sure, if I were you.  I don't think that the worm
is stateless, as it wouldn't be able to spread if it just sent data over TCP
without establishing the handshake first.  When you just PSH without
handshaking first, your data gets rejected.

A claim has been made that IE, IIS, and at least some flavors of Windows 
don't work like that.  http://grotto11.com/blog/?+1039831658.  I don't
have time to verify the claim, but if it's true a worm spreading without
the expected TCP handshake might well be possible.

Rob

-- 
----------------------------------------------------------------------------
Rob McCauley
Radiation Oncology
Duke University Medical Center
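The blind spot vjay raises, a stateful IDS silently dropping payload that arrives on a connection it never saw handshake, is exactly what a defender would want to surface rather than ignore. The following is an added example, not code from this thread or from any IDS product: a small connection tracker that flags payload-bearing TCP segments on four-tuples with no completed three-way handshake. Packet records, addresses and the Pkt class are constructed for illustration.

```python
# Added example: flag TCP segments carrying payload on a connection whose
# three-way handshake was never observed. A strictly stateful IDS may discard
# such segments as stray; if the server accepts them anyway, that is the gap
# discussed in the thread. All packet records below are constructed samples.
from dataclasses import dataclass


@dataclass
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # TCP flag letters, e.g. "S", "SA", "A", "PA"
    payload: bytes = b""


def conn_key(p):
    # Order the endpoints so both directions map to the same connection key.
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def find_unhandshaken_payload(pkts):
    """Return (index, packet) for payload seen before a completed handshake."""
    state = {}  # conn_key -> "syn", "synack" or "established"
    hits = []
    for i, p in enumerate(pkts):
        k = conn_key(p)
        f = set(p.flags)
        if f == {"S"}:
            state[k] = "syn"
        elif f == {"S", "A"} and state.get(k) == "syn":
            state[k] = "synack"
        elif "A" in f and state.get(k) == "synack":
            state[k] = "established"  # final ACK may itself carry data
        if p.payload and state.get(k) != "established":
            hits.append((i, p))
    return hits


SAMPLE = [  # constructed: one normal session, then one stray data segment
    Pkt("10.0.0.5", 40000, "10.0.0.80", 80, "S"),
    Pkt("10.0.0.80", 80, "10.0.0.5", 40000, "SA"),
    Pkt("10.0.0.5", 40000, "10.0.0.80", 80, "A"),
    Pkt("10.0.0.5", 40000, "10.0.0.80", 80, "PA", b"GET / HTTP/1.0\r\n\r\n"),
    Pkt("10.0.0.9", 51000, "10.0.0.80", 80, "PA", b"GET /x HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for idx, pkt in find_unhandshaken_payload(SAMPLE):
        print(f"packet {idx}: payload without handshake from {pkt.src}:{pkt.sport}")
```

On the constructed sample only the last segment is reported; in a real capture this check belongs alongside, not instead of, normal stateful inspection, since the author's point is that stateless data may still be honoured by the server.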