> A closer look at the data showed that many of the Code Red attacks were
> directed at machines that I KNEW were not able to receive port 80 through the
> firewalls. So how did Code Red get so far as to send the GET request when
> there was no SYN, SYN/ACK, ACK???
>
> A tcpdump showed that all of the Code Red communications were unidirectional.
> It didn't bother to wait (more than 350ms) for a response from the Web server
> before it sent its ACK and then GET request. This behaviour was consistent
> for all IP addresses that could not respond via port 80 because of the
> firewall.
>
> Am I the only one to see this behaviour?

I've seen this too - very bizarre! I've tried to concoct scenarios in which
it's somehow a NAT that's run amuck, but haven't managed to put together any
that are convincing.

Vern

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
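A detection check for the pattern the thread describes, written as an added example (not code from either poster): it walks tcpdump-style lines and reports every client segment that carries the ACK flag or data toward port 80 on a flow where the server never answered with SYN/ACK. The trace, addresses and line format are constructed and simplified; the regex assumes that layout rather than every tcpdump variant.

```python
import re

# Constructed, simplified tcpdump-style trace (not a real capture). Flow A is a
# normal three-way handshake followed by a GET; flow B is the unidirectional
# pattern from the thread: SYN, then a bare ACK and a GET about 350ms later,
# with nothing ever coming back from the (firewalled) server.
SAMPLE_TRACE = """\
10:00:00.000000 IP 10.0.0.5.1024 > 192.168.1.10.80: Flags [S], seq 100, length 0
10:00:00.010000 IP 192.168.1.10.80 > 10.0.0.5.1024: Flags [S.], seq 500, ack 101, length 0
10:00:00.020000 IP 10.0.0.5.1024 > 192.168.1.10.80: Flags [.], ack 501, length 0
10:00:00.030000 IP 10.0.0.5.1024 > 192.168.1.10.80: Flags [P.], seq 101, ack 501, length 50: HTTP: GET /index.html HTTP/1.0
10:00:01.000000 IP 10.0.0.5.1025 > 192.168.1.20.80: Flags [S], seq 200, length 0
10:00:01.350000 IP 10.0.0.5.1025 > 192.168.1.20.80: Flags [.], ack 1, length 0
10:00:01.360000 IP 10.0.0.5.1025 > 192.168.1.20.80: Flags [P.], seq 1, ack 1, length 40: HTTP: GET /default.ida HTTP/1.0
"""

# Assumed line layout: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..., length <n>[: <payload>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?length (?P<len>\d+)(?::\s*(?P<payload>.*))?$"
)


def find_blind_pushes(trace, server_port=80):
    """Return (client, server, ts, flags, payload) for each client segment sent to
    server_port with ACK set or with data, on a flow with no prior SYN/ACK from
    the server. A normal handshake produces no findings."""
    synack_seen = set()   # (client_ip, client_port, server_ip, server_port)
    findings = []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport = m["src"], int(m["sport"]), m["dst"], int(m["dport"])
        flags, length = m["flags"], int(m["len"])
        if sport == server_port and "S" in flags and "." in flags:
            synack_seen.add((dst, dport, src, sport))      # server replied: handshake is real
        elif dport == server_port and ("." in flags or length > 0):
            if (src, sport, dst, dport) not in synack_seen:
                findings.append((f"{src}:{sport}", f"{dst}:{dport}",
                                 m["ts"], flags, m["payload"] or ""))
    return findings


if __name__ == "__main__":
    for hit in find_blind_pushes(SAMPLE_TRACE):
        print("no SYN/ACK before:", hit)
```

On the sample trace only flow B is reported, once for the bare ACK and once for the GET; a SYN retransmission without the ACK flag is deliberately not flagged.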
This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 07:27:49 PDT