> Hello,
>
> I have been watching this recent spike in CodeRed activity and one thing I am noticing is the lack of TCP session establishment. I am seeing common get strings like this showing up at my firewalls without ever establishing a TCP three-way handshake. I have seen several hundred packets within the last two days similar to this at my firewalls.
>
> 47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61 GET /default.ida
> 3F 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 ?XXXXXXXXXXXXXXX
> 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
> 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
> 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
> Snip----------------------------------------------------------------------
>
> I find it awfully strange that there is no handshake (not even a single SYN to try and establish a session) but these packets show up anyway. I also am not seeing an increase of port 80 scans in my firewall logs or with any of my IDS sensors. Is anybody else out there seeing the same things we are?
>
> Thanks!
>
> vjl
>
> V.Jay LaRosa                 EMC Corporation
> Information Security         4400 Computer Dr.
> (508)898-7433 office         Westboro, MA 01580
> (508)353-1348 cell           www.emc.com
> 888-799-9750 pager           larosa_vjayat_private
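The check described in the quoted message, as an added example that is not part of the original post: it rebuilds the payload from the first two quoted dump lines and flags data segments on flows where no SYN was recorded. The packet records, addresses and ports are constructed for illustration, and the function names are hypothetical.

```python
import re

SYN, ACK, PSH = 0x02, 0x10, 0x08

# First two dump lines as quoted in the post.
DUMP = [
    "47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61 GET /default.ida",
    "3F 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 ?XXXXXXXXXXXXXXX",
]

def decode_hexdump(lines, width=16):
    """Rebuild payload bytes from 'hex bytes + ASCII column' dump lines."""
    out = bytearray()
    for line in lines:
        for tok in line.split()[:width]:
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                break  # reached the ASCII column
            out.append(int(tok, 16))
    return bytes(out)

def orphan_payloads(packets):
    """Return (flow, payload) for data segments on flows with no SYN seen."""
    syn_seen, orphans = set(), []
    for src, sport, dst, dport, flags, payload in packets:
        flow = (src, sport, dst, dport)
        if flags & SYN and not flags & ACK:
            syn_seen.add(flow)           # client opened the session
        elif payload and flow not in syn_seen:
            orphans.append((flow, payload))
    return orphans

PAYLOAD = decode_hexdump(DUMP)

# Constructed packet records (documentation addresses, made-up ports):
# (src, sport, dst, dport, tcp_flags, payload)
PACKETS = [
    ("192.0.2.10", 40001, "198.51.100.5", 80, SYN, b""),
    ("192.0.2.10", 40001, "198.51.100.5", 80, ACK, b""),
    ("192.0.2.10", 40001, "198.51.100.5", 80, PSH | ACK, PAYLOAD),
    ("192.0.2.77", 40002, "198.51.100.5", 80, PSH | ACK, PAYLOAD),  # no SYN
]

if __name__ == "__main__":
    for flow, data in orphan_payloads(PACKETS):
        print("payload without handshake:", flow, data[:17])
```

A sensor that started capturing mid-session, or that sees only one direction of asymmetrically routed traffic, will also report such flows, so confirm the capture point covers the start of the connection before treating a hit as anomalous.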
This archive was generated by hypermail 2b30 : Thu Mar 13 2003 - 07:52:16 PST