>Mark Wiater wrote:
> A closer look at the data showed that many of the Code Red attacks were
> directed at machines that I KNEW were not able to receive port 80 through the
> firewalls. So how did Code Red get so far as to send the GET request when
> there was no SYN, SYN/ACK, ACK???

Below is an attempt to reach port 80 on a Windows machine running ZoneAlarm.
ZoneAlarm blocked it, so it never sent the GET request.

08/09-07:36:19.844186 0:A0:C5:E5:F6:93 -> 0:1:2:37:9:A7 type:0x800 len:0x3E
x.x.x.x:2558 -> x.x.x.x:80 TCP TTL:116 TOS:0x0 ID:61104
**S***** Seq: 0x5597AF30 Ack: 0x0 Win: 0x4000
TCP Options => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/09-07:36:23.060729 0:A0:C5:E5:F6:93 -> 0:1:2:37:9:A7 type:0x800 len:0x3E
x.x.x.x:2558 -> x.x.x.x:80 TCP TTL:116 TOS:0x0 ID:61142
**S***** Seq: 0x5597AF30 Ack: 0x0 Win: 0x4000
TCP Options => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/09-07:36:29.624051 0:A0:C5:E5:F6:93 -> 0:1:2:37:9:A7 type:0x800 len:0x3E
x.x.x.x:2558 -> x.x.x.x:80 TCP TTL:116 TOS:0x0 ID:61194
**S***** Seq: 0x5597AF30 Ack: 0x0 Win: 0x4000
TCP Options => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

> A tcpdump showed that all of the code red communications were unidirectional.
> It didn't bother to wait (more than 350ms) for a response from the Web server
> before it sent its ACK and then GET request. This behaviour was consistent
> for all ip addresses that could not respond via port 80 because of the
> firewall.
>
> Am I the only one to see this behaviour?

If the firewall blocked it, I don't see why it would bother sending a GET
request. It must have thought it was an open port; I've never seen CR send a
GET request to a closed port.
Peter
--
rottz at securityflaw dot com
Founder of Securityflaw

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
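The behaviour Mark describes (a GET pushed at a host that never answered SYN/ACK) is easy to pick out of a capture mechanically. Below is an added example, not code from either post: a small Python checker that reads snort -v style TCP header lines in the flattened layout Peter quoted, tracks each client-to-server flow from its first SYN, and reports any flow on which the client sent application data before a SYN/ACK ever came back from the server. The header-line builder, the RFC 5737 addresses, the MAC addresses and IP IDs, and the GET payload are all constructed for the example (the request line is modelled on Code Red's well-known /default.ida probe); the 8-column flag field is snort's usual "12UAPRSF" string with '*' for unset bits.

```python
"""Flag TCP flows where a client pushed data (e.g. an HTTP GET) without the
server ever answering SYN/ACK: the "unidirectional" Code Red traffic in the
thread.  Added example; not code from the original post.  Packet layout and
addresses are constructed, modelled on the snort -v dump Peter quoted."""
import re
from datetime import datetime

# One flattened snort -v TCP header.  The 8-column flag field is snort's
# "12UAPRSF" string with '*' for an unset bit (e.g. **S***** = SYN only,
# ***A**S* = SYN/ACK, ***AP*** = PSH/ACK).
HDR_RE = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)"
    r".*?(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) TCP "
    r".*? (?P<flags>[12UAPRSF*]{8}) Seq:"
)


def parse_header(line):
    """Return the fields we need from a flattened snort TCP header line."""
    m = HDR_RE.search(line)
    if not m:
        raise ValueError("not a snort TCP header: %r" % line)
    # The dump carries no year; seconds relative to a fixed epoch are enough.
    dt = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f")
    return {"ts": (dt - datetime(1900, 1, 1)).total_seconds(),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "flags": m["flags"]}


def unidirectional_flows(records):
    """records: iterable of (snort header line, payload bytes) in capture order.

    Tracks each client->server flow from its first SYN and reports the first
    payload-bearing segment the client sends before any SYN/ACK came back.
    A GET on such a flow is exactly the behaviour Mark describes."""
    flows = {}      # (c_ip, c_port, s_ip, s_port) -> {"syn_ts", "synack", "done"}
    findings = []
    for line, payload in records:
        p = parse_header(line)
        fl = p["flags"]
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if rev in flows:                      # server -> client of a tracked flow
            if "S" in fl and "A" in fl:
                flows[rev]["synack"] = True
            continue
        if "S" in fl and "A" not in fl:       # client SYN (first or retransmit)
            flows.setdefault(fwd, {"syn_ts": p["ts"], "synack": False, "done": False})
            continue
        if not payload:                       # bare ACK / RST / FIN: no data yet
            continue
        st = flows.setdefault(fwd, {"syn_ts": None, "synack": False, "done": False})
        if st["synack"] or st["done"]:
            continue
        st["done"] = True                     # report each flow once
        wait_ms = None if st["syn_ts"] is None else round((p["ts"] - st["syn_ts"]) * 1000)
        findings.append({"flow": fwd, "wait_ms": wait_ms, "payload": payload[:40],
                         "reason": ("payload with no SYN seen" if wait_ms is None
                                    else "payload before any SYN/ACK")})
    return findings


def snort_line(ts, src, dst, flags, ident):
    """Build a constructed header line in the layout of the quoted dump
    (MAC addresses, TTL and sequence numbers are placeholders)."""
    return ("08/09-%s 0:A0:C5:E5:F6:93 -> 0:1:2:37:9:A7 type:0x800 len:0x3E "
            "%s -> %s TCP TTL:116 TOS:0x0 ID:%d %s Seq: 0x0 Ack: 0x0 Win: 0x4000"
            % (ts, src, dst, ident, flags))


# Constructed capture (RFC 5737 addresses).  Three flows:
#  1. Code Red style: SYN, then ACK and GET ~360 ms later with no SYN/ACK ever.
#  2. A normal handshake followed by a GET and a response.
#  3. The ZoneAlarm case from the post: SYN retransmits only, never a GET.
GET = b"GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0\r\n"   # constructed
SAMPLE = [
    (snort_line("07:36:19.844186", "198.51.100.7:2558", "192.0.2.10:80", "**S*****", 61104), b""),
    (snort_line("07:36:20.201000", "198.51.100.7:2558", "192.0.2.10:80", "***A****", 61120), b""),
    (snort_line("07:36:20.203000", "198.51.100.7:2558", "192.0.2.10:80", "***AP***", 61121), GET),
    (snort_line("07:36:21.000000", "198.51.100.9:1025", "192.0.2.10:80", "**S*****", 700), b""),
    (snort_line("07:36:21.000500", "192.0.2.10:80", "198.51.100.9:1025", "***A**S*", 12), b""),
    (snort_line("07:36:21.001000", "198.51.100.9:1025", "192.0.2.10:80", "***A****", 701), b""),
    (snort_line("07:36:21.002000", "198.51.100.9:1025", "192.0.2.10:80", "***AP***", 702), GET),
    (snort_line("07:36:21.004000", "192.0.2.10:80", "198.51.100.9:1025", "***AP***", 13), b"HTTP/1.0 200 OK\r\n"),
    (snort_line("07:36:23.060729", "198.51.100.7:2559", "192.0.2.11:80", "**S*****", 61142), b""),
    (snort_line("07:36:29.624051", "198.51.100.7:2559", "192.0.2.11:80", "**S*****", 61194), b""),
]

if __name__ == "__main__":
    for f in unidirectional_flows(SAMPLE):
        print("%s:%d -> %s:%d  %s  wait=%s ms  %r"
              % (f["flow"] + (f["reason"], f["wait_ms"], f["payload"])))
```

Only the first flow is reported: the client ACKed and sent its GET about 359 ms after its own SYN with nothing from the server in between, which is the pattern Mark saw on firewalled hosts. The normal handshake and the retransmit-only flow that ZoneAlarm blocked stay silent. Against a real capture you would feed it the data segments' payloads from the snort dump (or reassemble from a pcap); the flag-string handling is the only snort-specific part.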
This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 07:30:48 PDT