Re: Code Red Doesn't care about TCP sessions?

From: rottzat_private
Date: Thu Aug 09 2001 - 16:03:40 PDT


    >Mark Wiater wrote:
    > A closer look at the data showed that many of the Code Red attacks were
    > directed at machines that I KNEW were not able to receive port 80 through the
    > firewalls. So how did Code Red get so far as to send the GET request when
    > there was no SYN, SYN/ACK, ACK???
    Below is an attempt to reach port 80 on a Windows machine running
    ZoneAlarm. ZoneAlarm blocked it, so it never sent the GET request.
    
    08/09-07:36:19.844186 0:A0:C5:E5:F6:93 -> 0:1:2:37:9:A7 type:0x800
    len:0x3E
    x.x.x.x:2558 -> x.x.x.x:80 TCP TTL:116 TOS:0x0 ID:61104
    **S***** Seq: 0x5597AF30   Ack: 0x0   Win: 0x4000
    TCP Options => MSS: 1460 NOP NOP SackOK
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    08/09-07:36:23.060729 0:A0:C5:E5:F6:93 -> 0:1:2:37:9:A7 type:0x800
    len:0x3E
    x.x.x.x:2558 -> x.x.x.x:80 TCP TTL:116 TOS:0x0 ID:61142
    **S***** Seq: 0x5597AF30   Ack: 0x0   Win: 0x4000
    TCP Options => MSS: 1460 NOP NOP SackOK
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    08/09-07:36:29.624051 0:A0:C5:E5:F6:93 -> 0:1:2:37:9:A7 type:0x800
    len:0x3E
    x.x.x.x:2558 -> x.x.x.x:80 TCP TTL:116 TOS:0x0 ID:61194
    **S***** Seq: 0x5597AF30   Ack: 0x0   Win: 0x4000
    TCP Options => MSS: 1460 NOP NOP SackOK
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    > 
    > A tcpdump showed that all of the code red communications were unidirectional.
    > It didn't bother to wait (more than 350ms) for a response from the Web server
    > before it sent its ACK and then GET request.  This behaviour was consistent
    > for all ip addresses that could not respond via port 80 because of the
    > firewall.
    > 
    > Am I the only one to see this behaviour?
    If the firewall blocked it, I don't see why it would bother sending a
    GET request; it must have thought it was an open port. I've never seen
    CR send a GET request to a closed port.
    
    
    Peter
    -- 
    rottz at securityflaw dot com
    Founder of Securityflaw
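
    As an added example (not code from this thread), here is a small Python classifier over constructed packet records that separates the two patterns discussed above: repeated unanswered SYNs, as in the ZoneAlarm log, and a GET sent without any SYN/ACK ever being seen, as Mark describes. Addresses, ports and the GET payload are constructed sample values.

```python
from dataclasses import dataclass
from collections import defaultdict

@dataclass(frozen=True)
class Pkt:
    src: str          # "ip:port" of the sender
    dst: str          # "ip:port" of the receiver
    flags: str        # TCP flags, Snort style: S=SYN, A=ACK, P=PSH
    payload: bytes = b""

def classify_connections(packets):
    """Label each client-initiated (client, server) pair as
    'normal' (SYN/ACK seen), 'unidirectional' (client sent data but
    no SYN/ACK was ever seen) or 'blocked' (only unanswered SYNs)."""
    synacked = set()                       # (client, server) pairs the server answered
    state = defaultdict(lambda: {"syns": 0, "data": False})
    for p in packets:
        key = (p.src, p.dst)
        if "S" in p.flags and "A" not in p.flags:
            state[key]["syns"] += 1        # client SYN (or retransmit)
        elif "S" in p.flags and "A" in p.flags:
            synacked.add((p.dst, p.src))   # server -> client; key by client
        if p.payload and key in state:     # data from a side that sent a SYN
            state[key]["data"] = True
    labels = {}
    for conn, s in state.items():
        if conn in synacked:
            labels[conn] = "normal"
        elif s["data"]:
            labels[conn] = "unidirectional"
        else:
            labels[conn] = "blocked"
    return labels

# Constructed sample traffic (RFC 5737 documentation addresses).
CLIENT, OPEN_HOST, FW_HOST, ZA_HOST = ("192.0.2.10:2558", "198.51.100.5:80",
                                       "198.51.100.9:80", "198.51.100.7:80")
SAMPLE = [
    Pkt(CLIENT, OPEN_HOST, "S"), Pkt(OPEN_HOST, CLIENT, "SA"),      # full handshake
    Pkt(CLIENT, OPEN_HOST, "A"), Pkt(CLIENT, OPEN_HOST, "AP", b"GET / HTTP/1.0\r\n"),
    Pkt(CLIENT, ZA_HOST, "S"), Pkt(CLIENT, ZA_HOST, "S"), Pkt(CLIENT, ZA_HOST, "S"),
    Pkt(CLIENT, FW_HOST, "S"), Pkt(CLIENT, FW_HOST, "A"),           # no SYN/ACK, yet
    Pkt(CLIENT, FW_HOST, "AP", b"GET / HTTP/1.0\r\n"),              # data is sent
]

if __name__ == "__main__":
    for conn, label in classify_connections(SAMPLE).items():
        print(f"{conn[0]} -> {conn[1]}: {label}")
```

    Fed real captures, the 'unidirectional' bucket is the one to compare against firewall logs to confirm whether the target could have answered at all.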
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 07:30:48 PDT