I now have an explanation for this, see appended message from NEXTRA who own the addresses where these packets come from. This still begs the question of the exact mechanism but I think we are on the right track. Nextra are blocking code red connections at their transparent proxy but something is coming unstuck.

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand

>>From: Russell Fulton <r.fultonat_private>
>>Sender: r.fultonat_private
>>To: abuseat_private
>>Subject: strange code red segments from 130.67/16
>>Date: Thu, 6 Sep 2001 16:40:50 +1200 (NZST)
>>Priority: NORMAL
>>X-Mailer: Simeon for Solaris Motif Version 4.1.5 Build (43)
>>X-Authentication: IMSP
>>
>>Greetings,
>> I have observed a stream of ACK packets (with no SYN) coming
>>from various addresses in 130.67. All of these packets appear to
>>contain nearly identical payload being part of (2nd packet ?) of the
>>code red stream.
>>
>>I am wondering if you have something (a proxy ?) that is blocking the
>>SYN and first packet (that contains the url) but is allowing the latter
>>packets out?

Yes, we do block outgoing code red attacks using transparent proxies. But I cannot explain why only the first packet is blocked. The proxies should of course operate on a session level and not on a packet level.

At the moment the only explanation I can think of is a failure of our redirecting equipment. I will have to look further into that. It does not sound good..

Thanks for your report.

Bjørn Mork
Nextra

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.

For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
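The symptom described in the thread (data-carrying ACK segments whose flow never showed a SYN, with the same payload arriving from many hosts in one /16) is easy to pick out of a capture once flows are tracked. The following is an added example written for this archive page; it is not code from the original post, from the University of Auckland, or from Nextra, and the packet records in it are constructed sample data rather than captured traffic (the 130.67.x.x addresses only stand in for the source range named in the report). It flags segments that carry data with ACK set in a flow that never had a handshake, then groups those orphans by payload hash so that one payload seen from several sources stands out.

```python
"""Detect mid-stream TCP segments that arrive without a preceding handshake.

Added example, not part of the original mailing-list post. A filter that
drops only the SYN and the first data segment of a session, but lets
later segments through, produces exactly the pattern reported above:
ACK-only segments with payload and no SYN ever seen for the flow.
All sample records below are constructed, not captured.
"""
from collections import defaultdict
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST", "PSH"}
    payload: bytes


def flow_key(seg):
    # Direction-insensitive 4-tuple, so the SYN A->B also covers B->A data.
    a = (seg.src, seg.sport)
    b = (seg.dst, seg.dport)
    return (a, b) if a <= b else (b, a)


def find_orphan_acks(segments):
    """Return data-carrying segments with ACK set whose flow showed no SYN
    earlier in the capture (the 'ACK packets with no SYN' of the report)."""
    seen_syn = set()
    orphans = []
    for seg in segments:
        key = flow_key(seg)
        if "SYN" in seg.flags:
            seen_syn.add(key)
            continue
        if "ACK" in seg.flags and seg.payload and key not in seen_syn:
            orphans.append(seg)
    return orphans


def cluster_by_payload(orphans):
    """Group orphan segments by payload hash. One digest shared by many
    distinct sources is the 'nearly identical payload' symptom."""
    clusters = defaultdict(set)
    for seg in orphans:
        digest = hashlib.sha256(seg.payload).hexdigest()[:16]
        clusters[digest].add(seg.src)
    return dict(clusters)


# Constructed sample: one normal session, then two headless streams from
# different hosts in the same /16 carrying an identical payload fragment.
CONTINUATION = b"X" * 64  # placeholder for a mid-stream request fragment
SAMPLE = [
    Segment("192.0.2.10", 40001, "192.0.2.80", 80, frozenset({"SYN"}), b""),
    Segment("192.0.2.80", 80, "192.0.2.10", 40001, frozenset({"SYN", "ACK"}), b""),
    Segment("192.0.2.10", 40001, "192.0.2.80", 80, frozenset({"ACK", "PSH"}),
            b"GET / HTTP/1.0\r\n\r\n"),
    Segment("130.67.1.1", 1025, "192.0.2.80", 80, frozenset({"ACK", "PSH"}), CONTINUATION),
    Segment("130.67.2.2", 1026, "192.0.2.80", 80, frozenset({"ACK", "PSH"}), CONTINUATION),
    # Pure ACK with no data is ordinary keep-alive/ack traffic; it is ignored.
    Segment("130.67.2.2", 1026, "192.0.2.80", 80, frozenset({"ACK"}), b""),
]


def report(segments=SAMPLE):
    """Run both checks and return (orphan segments, payload clusters)."""
    orphans = find_orphan_acks(segments)
    return orphans, cluster_by_payload(orphans)


if __name__ == "__main__":
    orphans, clusters = report()
    for seg in orphans:
        print(f"orphan ACK {seg.src}:{seg.sport} -> {seg.dst}:{seg.dport} "
              f"{len(seg.payload)} bytes")
    for digest, sources in clusters.items():
        print(f"payload {digest} seen from {len(sources)} sources: {sorted(sources)}")
```

The flow key ignores direction on purpose: a SYN from the client marks the flow as properly opened, so the client's later data and the server's replies are both excluded. Only segments with data are considered, because a bare ACK without payload is normal traffic. On real captures the same logic would run over segments decoded from pcap; here the sample list stands in for that input.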
This archive was generated by hypermail 2b30 : Thu Sep 06 2001 - 15:17:31 PDT