RE: CodeRed Observations.

From: larosa, vjay (larosa_vjayat_private)
Date: Thu Mar 13 2003 - 08:32:17 PST


    There are no filters in place for viewing the firewall logs.
    Even if there were, the attacks I am seeing are even targeted to
    IP addresses that are not up and on-line in my network. So
    how would a "get default.ida?XXX" string be sent to a host that
    is,

    a) Not up on the network.
    b) Behind a firewall that blocks ALL incoming port 80.

    If there is no three-way handshake to set up a TCP session
    I should not see this data trying to flow to my hosts (dead
    IPs or even live IPs). The traffic I am seeing is stateless
    (Stick/Snot).
    
    vjl
    
    -----Original Message-----
    From: Rob Shein [mailto:shotenat_private]
    Sent: Thursday, March 13, 2003 10:57 AM
    To: 'larosa, vjay'; incidentsat_private
    Subject: RE: CodeRed Observations.
    
    
    Check your filters.  You might be looking at traffic through a selection
    filter that doesn't show the handshake, so that you can concentrate on the
    content that passes back and forth.  That's what I usually find to be the
    case when someone makes this kind of observation...
    
    > -----Original Message-----
    > From: larosa, vjay [mailto:larosa_vjayat_private] 
    > Sent: Wednesday, March 12, 2003 7:48 PM
    > To: 'incidentsat_private'
    > Subject: FW: CodeRed Observations.
    > 
    > 
    > > Hello,
    > > 
    > > I have been watching this recent spike in CodeRed activity and one
    > > thing I am noticing is the lack of TCP session establishment. I am
    > > seeing common get strings like this showing up at my firewalls
    > > without ever establishing a TCP three-way handshake. I have seen
    > > several hundred packets within the last two days similar to this
    > > at my firewalls.
    > > 
    > > 47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61  GET /default.ida
    > > 3F 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  ?XXXXXXXXXXXXXXX
    > > 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
    > > 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
    > > 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
    > > 
    > > Snip------------------------------------------------------------------
    > > 
    > > I find it awfully strange that there is no handshake (not even a
    > > single SYN to try and establish a session) but these packets show up
    > > anyway. I also am not seeing an increase of port 80 scans in my
    > > firewall logs or with any of my IDS sensors. Is anybody else out
    > > there seeing the same things we are?
    > > 
    > > Thanks!
    > > 
    > > vjl
    > > 
    > > V.Jay LaRosa                           EMC Corporation
    > > Information Security                  4400 Computer Dr.
    > > (508)898-7433 office                  Westboro, MA 01580
    > > (508)353-1348 cell                     www.emc.com
    > > 888-799-9750 pager                   larosa_vjayat_private
    > > 
    > > 
    > > 
    > 
    
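The handshake question vjl raises above (payload packets that arrive with no SYN, SYN/ACK, ACK before them), as an added example that is not part of the thread: a small Python checker over constructed packet records (the Pkt record, addresses and ports are made up for the example, not a real capture format) that tracks the three-way handshake per flow and labels each Code Red style GET /default.ida request as 'session' or 'stateless', the latter being what Stick/Snot-style or spoofed-source traffic looks like at the firewall.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    """Constructed packet record; flags: "S" SYN, "SA" SYN/ACK, "A" ACK, "PA" PSH/ACK."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: str
    payload: bytes = b""

CODE_RED_MARKER = b"GET /default.ida?"

def classify_payloads(packets):
    """Track the 3-way handshake per flow in arrival order and label each
    Code Red style GET as 'session' (handshake seen) or 'stateless' (none)."""
    stage = {}  # (client, server, sport, dport) -> "syn" | "synack" | "established"
    verdicts = []
    for p in packets:
        fwd = (p.src, p.dst, p.sport, p.dport)  # client -> server direction
        rev = (p.dst, p.src, p.dport, p.sport)  # server -> client direction
        if p.flags == "S":
            stage[fwd] = "syn"
        elif p.flags == "SA" and stage.get(rev) == "syn":
            stage[rev] = "synack"
        elif p.flags == "A" and stage.get(fwd) == "synack":
            stage[fwd] = "established"
        if p.payload.startswith(CODE_RED_MARKER):
            ok = stage.get(fwd) == "established"
            verdicts.append((p.src, p.dst, "session" if ok else "stateless"))
    return verdicts

def count_by_verdict(verdicts):
    counts = {"session": 0, "stateless": 0}
    for _, _, v in verdicts:
        counts[v] += 1
    return counts

# Constructed sample: one infection attempt with a real handshake, then two
# bare payload packets aimed at addresses that were never up (no SYN at all).
CODE_RED_GET = CODE_RED_MARKER + b"X" * 60
SAMPLE = [
    Pkt("198.51.100.7", "192.0.2.10", 3333, 80, "S"),
    Pkt("192.0.2.10", "198.51.100.7", 80, 3333, "SA"),
    Pkt("198.51.100.7", "192.0.2.10", 3333, 80, "A"),
    Pkt("198.51.100.7", "192.0.2.10", 3333, 80, "PA", CODE_RED_GET),
    Pkt("203.0.113.9", "192.0.2.200", 4444, 80, "PA", CODE_RED_GET),
    Pkt("203.0.113.9", "192.0.2.201", 4445, 80, "PA", CODE_RED_GET),
]
```

Calling count_by_verdict(classify_payloads(SAMPLE)) returns {'session': 1, 'stateless': 2}; run over real firewall or sensor records, the 'stateless' bucket is the traffic to look at when deciding whether an apparent CodeRed spike is genuine infection attempts or handshake-less noise.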



    This archive was generated by hypermail 2b30 : Thu Mar 13 2003 - 08:46:12 PST