Some of the systems respond to a ping, none respond to any HTTP requests. It doesn't mean that they are not firewalled from incoming traffic though. vjl -----Original Message----- From: Rob Shein [mailto:shotenat_private] Sent: Thursday, March 13, 2003 12:13 PM To: 'larosa, vjay'; incidentsat_private Subject: RE: CodeRed Observations. Ok, here's another thought...is the IP address that the traffic apparently originates from actually accessible, and is it running a vulnerable IIS? I would think that if someone wanted to hide an attack, they'd hide amidst a huge amount of varied attack noise, rather than something so homogenous (and expected) as this. > -----Original Message----- > From: larosa, vjay [mailto:larosa_vjayat_private] > Sent: Thursday, March 13, 2003 11:59 AM > To: 'Rob Shein'; larosa, vjay; incidentsat_private > Subject: RE: CodeRed Observations. > > > Hi Rob, > > I'm not saying that the worm is stateless. I am saying that > the traffic I am seeing at my border firewalls (codered > strings) are not part of established sessions (stateless). I > was just trying > to figure out if this had something to do with the new > outbreak, or if > somebody is trying to trick me in to ignoring packets they > don't want me to see, so they are throwing a stateless attack > at me to hopefully hide the real attack under the guise of > CodeRed. Call me crazy but paranoia is my middle name. > > vjl > > > -----Original Message----- > From: Rob Shein [mailto:shotenat_private] > Sent: Thursday, March 13, 2003 11:50 AM > To: 'larosa, vjay'; incidentsat_private > Subject: RE: CodeRed Observations. > > > I'd be careful and make sure, if I were you. I don't think > that the worm is stateless, as it wouldn't be able to spread > if it just sent data over TCP without establishing the > handshake first. When you just PSH without handshaking > first, your data gets rejected. > > > -----Original Message----- > > From: larosa, vjay [mailto:larosa_vjayat_private] > > Sent: Thursday, March 13, 2003 11:32 AM > > To: 'Rob Shein'; larosa, vjay; incidentsat_private > > Subject: RE: CodeRed Observations. > > > > > > There are no filters in place for viewing the firewall logs. > > Even if there were, the attacks I am seeing are even targeted > > to IP addresses that are not up and on-line in my network. So > > how would a "get default.ida?XXX" string be sent to a host that > > is, > > > > a) Not up on the network. > > b) Behind a firewall that blocks ALL incoming port 80. > > > > If there is no three way handshake to set up a TCP session > > I should not see this data trying to flow to my hosts (Dead > > IP's or even live IP's). The traffic I am seeing is stateless > > (Stick/Snot). > > > > vjl > > > > -----Original Message----- > > From: Rob Shein [mailto:shotenat_private] > > Sent: Thursday, March 13, 2003 10:57 AM > > To: 'larosa, vjay'; incidentsat_private > > Subject: RE: CodeRed Observations. > > > > > > Check your filters. You might be looking at traffic through > > a selection filter that doesn't show the handshake, so that > > you can concentrate on the content that passes back and > > forth. That's what I usually find to be the case when > > someone makes this kind of observation... > > > > > -----Original Message----- > > > From: larosa, vjay [mailto:larosa_vjayat_private] > > > Sent: Wednesday, March 12, 2003 7:48 PM > > > To: 'incidentsat_private' > > > Subject: FW: CodeRed Observations. > > > > > > > > > > Hello, > > > > > > > > I have been watching this recent spike in CodeRed > activity and one > > > > thing I am noticing is the lack of TCP session > > establishment. I am > > > > seeing common get strings like this showing > > > > up at my firewalls without ever establishing a TCP three > > > way handshake. I > > > > have seen several > > > > hundred packets with in the last two days similar to this > > > at my firewalls. > > > > > > > > 47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61 GET > > > /default.ida 3F > > > > 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 > > > ?XXXXXXXXXXXXXXX 58 58 > > > > 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX > > > 58 58 58 > > > > 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX 58 > > > 58 58 58 > > > > 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX > > > > > > > > > > Snip------------------------------------------------------------------ > > > > ---- > > > > ------------------------------------------------------ > > > > > > > > I find it awfully strange that there is no handshake > (not even a > > > > single SYN to try and establish a session) but these > > > packets show up > > > > anyway. I also am not seeing an increase of port 80 > > > > scans in my firewall logs or with any of my IDS sensors. Is > > > anybody else > > > > out there seeing the > > > > same things we are? > > > > > > > > Thanks! > > > > > > > > vjl > > > > > > > > V.Jay LaRosa EMC Corporation > > > > Information Security 4400 Computer Dr. > > > > (508)898-7433 office Westboro, MA 01580 > > > > (508)353-1348 cell www.emc.com > > > > 888-799-9750 pager larosa_vjayat_private > > > > > > > > > > > > > > > > > > -------------------------------------------------------------- > > > -------------- > > > > > > <Pre>Lose another weekend managing your IDS? > > > Take back your personal time. > > > 15-day free trial of StillSecure Border Guard.</Pre> > > > <A href="http://www.securityfocus.com/stillsecure"> > > > http://www.securityfocus.com/stillsecure </A> > > > > > > > > > ---------------------------------------------------------------------------- <Pre>Lose another weekend managing your IDS? Take back your personal time. 15-day free trial of StillSecure Border Guard.</Pre> <A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A>
This archive was generated by hypermail 2b30 : Thu Mar 13 2003 - 10:27:18 PST