Hi

When you notice these packets, are there *never* SYN packets? I'm thinking: firewall at other end blocking only SYN outbound (quite unlikely if you're getting it by hundreds, but, hey, one never knows :)

Regards,
Tolli

-*- larosa, vjay <larosa_vjayat_private> [ 2003-03-13 18:28 ]:
> Some of the systems respond to a ping, none respond to
> any HTTP requests. It doesn't mean that they are not
> firewalled from incoming traffic though.
>
> vjl
>
> -----Original Message-----
> From: Rob Shein [mailto:shotenat_private]
> Sent: Thursday, March 13, 2003 12:13 PM
> To: 'larosa, vjay'; incidentsat_private
> Subject: RE: CodeRed Observations.
>
>
> Ok, here's another thought...is the IP address that the traffic apparently
> originates from actually accessible, and is it running a vulnerable IIS? I
> would think that if someone wanted to hide an attack, they'd hide amidst a
> huge amount of varied attack noise, rather than something so homogenous (and
> expected) as this.
>
> > -----Original Message-----
> > From: larosa, vjay [mailto:larosa_vjayat_private]
> > Sent: Thursday, March 13, 2003 11:59 AM
> > To: 'Rob Shein'; larosa, vjay; incidentsat_private
> > Subject: RE: CodeRed Observations.
> >
> >
> > Hi Rob,
> >
> > I'm not saying that the worm is stateless. I am saying that
> > the traffic I am seeing at my border firewalls (codered
> > strings) is not part of established sessions (stateless). I
> > was just trying to figure out if this had something to do with the new
> > outbreak, or if somebody is trying to trick me into ignoring packets they
> > don't want me to see, so they are throwing a stateless attack
> > at me to hopefully hide the real attack under the guise of
> > CodeRed. Call me crazy but paranoia is my middle name.
> >
> > vjl
> >
> >
> > -----Original Message-----
> > From: Rob Shein [mailto:shotenat_private]
> > Sent: Thursday, March 13, 2003 11:50 AM
> > To: 'larosa, vjay'; incidentsat_private
> > Subject: RE: CodeRed Observations.
> >
> >
> > I'd be careful and make sure, if I were you. I don't think
> > that the worm is stateless, as it wouldn't be able to spread
> > if it just sent data over TCP without establishing the
> > handshake first. When you just PSH without handshaking
> > first, your data gets rejected.
> >
> > > -----Original Message-----
> > > From: larosa, vjay [mailto:larosa_vjayat_private]
> > > Sent: Thursday, March 13, 2003 11:32 AM
> > > To: 'Rob Shein'; larosa, vjay; incidentsat_private
> > > Subject: RE: CodeRed Observations.
> > >
> > >
> > > There are no filters in place for viewing the firewall logs.
> > > Even if there were, the attacks I am seeing are even targeted
> > > to IP addresses that are not up and on-line in my network. So
> > > how would a "get default.ida?XXX" string be sent to a host that
> > > is,
> > >
> > > a) Not up on the network.
> > > b) Behind a firewall that blocks ALL incoming port 80.
> > >
> > > If there is no three way handshake to set up a TCP session
> > > I should not see this data trying to flow to my hosts (Dead
> > > IP's or even live IP's). The traffic I am seeing is stateless
> > > (Stick/Snot).
> > >
> > > vjl
> > >
> > > -----Original Message-----
> > > From: Rob Shein [mailto:shotenat_private]
> > > Sent: Thursday, March 13, 2003 10:57 AM
> > > To: 'larosa, vjay'; incidentsat_private
> > > Subject: RE: CodeRed Observations.
> > >
> > >
> > > Check your filters. You might be looking at traffic through
> > > a selection filter that doesn't show the handshake, so that
> > > you can concentrate on the content that passes back and
> > > forth. That's what I usually find to be the case when
> > > someone makes this kind of observation...
> > >
> > > > -----Original Message-----
> > > > From: larosa, vjay [mailto:larosa_vjayat_private]
> > > > Sent: Wednesday, March 12, 2003 7:48 PM
> > > > To: 'incidentsat_private'
> > > > Subject: FW: CodeRed Observations.
> > > >
> > > >
> > > > > Hello,
> > > > >
> > > > > I have been watching this recent spike in CodeRed activity and one
> > > > > thing I am noticing is the lack of TCP session establishment. I am
> > > > > seeing common get strings like this showing up at my firewalls
> > > > > without ever establishing a TCP three way handshake. I have seen
> > > > > several hundred packets within the last two days similar to this
> > > > > at my firewalls.
> > > > >
> > > > >   47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61   GET /default.ida
> > > > >   3F 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   ?XXXXXXXXXXXXXXX
> > > > >   58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
> > > > >   58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
> > > > >   58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
> > > > >
> > > > > Snip------------------------------------------------------------------
> > > > >
> > > > > I find it awfully strange that there is no handshake (not even a
> > > > > single SYN to try and establish a session) but these packets show up
> > > > > anyway. I also am not seeing an increase of port 80 scans in my
> > > > > firewall logs or with any of my IDS sensors. Is anybody else out
> > > > > there seeing the same things we are?
> > > > >
> > > > > Thanks!
> > > > >
> > > > > vjl
> > > > >
> > > > > V.Jay LaRosa              EMC Corporation
> > > > > Information Security      4400 Computer Dr.
> > > > > (508)898-7433 office      Westboro, MA 01580
> > > > > (508)353-1348 cell        www.emc.com
> > > > > 888-799-9750 pager        larosa_vjayat_private

--
Regards,
Tolli
tolliat_private

----------------------------------------------------------------------------
Lose another weekend managing your IDS? Take back your personal time.
15-day free trial of StillSecure Border Guard.
http://www.securityfocus.com/stillsecure
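One way to check what vjay describes (payload-bearing port-80 packets with no preceding three-way handshake) and to answer Tolli's question about whether any SYNs turn up at all. This is an added example, not code from anyone in the thread: a minimal TCP state tracker in Python run over constructed packet records. The addresses, ports, timestamps and the run of X bytes after `GET /default.ida?` are made up for illustration; only the request line itself comes from the hex dump quoted above. Payload that arrives on a connection the tracker never saw complete a handshake is reported as session-less, which is what Stick/Snot-style decoy traffic looks like, and also what you get from a stateful firewall log that records only the out-of-state packets it dropped.

```python
"""Flag TCP payload that arrives outside an established session.

Added example (not from the mailing-list thread): a minimal TCP state
tracker that separates a genuine probe (SYN, SYN/ACK, ACK, then GET)
from "stateless" payload injected with no handshake at all.  All packet
records below are constructed inline; nothing is read from a pcap.
"""
from collections import defaultdict
from dataclasses import dataclass

# Request line as quoted in the thread's hex dump.
CODERED_MARKER = b"GET /default.ida?"


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # subset of "SAPFR", e.g. "S", "SA", "A", "PA"
    payload: bytes = b""


@dataclass
class Conn:
    state: str = "NONE"  # NONE -> SYN_SENT -> SYN_RCVD -> ESTABLISHED


def conn_key(p):
    """Order the two endpoints so both directions share one key."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a < b else (b, a)


def track(packets):
    """Replay packets in time order and classify every payload-bearing one."""
    conns = defaultdict(Conn)
    initiator = {}  # key -> address that sent the bare SYN
    report = {
        "syn_by_src": defaultdict(int),
        "orphan_payload": [],       # (src, dst, dport, looks_like_codered)
        "established_payload": [],
    }
    for p in sorted(packets, key=lambda p: p.ts):
        k = conn_key(p)
        c = conns[k]
        if "R" in p.flags:          # RST tears the session down
            c.state = "NONE"
            initiator.pop(k, None)
            continue
        syn, ack = "S" in p.flags, "A" in p.flags
        if syn and not ack:
            report["syn_by_src"][p.src] += 1
            if c.state == "NONE":
                c.state, initiator[k] = "SYN_SENT", p.src
        elif syn and ack and c.state == "SYN_SENT" and p.src != initiator.get(k):
            c.state = "SYN_RCVD"
        elif ack and not syn and c.state == "SYN_RCVD" and p.src == initiator.get(k):
            c.state = "ESTABLISHED"   # third packet may already carry data
        if p.payload:
            entry = (p.src, p.dst, p.dport, p.payload.startswith(CODERED_MARKER))
            bucket = "established_payload" if c.state == "ESTABLISHED" else "orphan_payload"
            report[bucket].append(entry)
    return report


def summarize(report):
    """Per source: SYNs ever seen, and how much payload arrived session-less."""
    srcs = {e[0] for e in report["orphan_payload"]} | {e[0] for e in report["established_payload"]}
    out = {}
    for s in sorted(srcs):
        orphans = [e for e in report["orphan_payload"] if e[0] == s]
        out[s] = {
            "syns": report["syn_by_src"].get(s, 0),
            "orphan_payloads": len(orphans),
            "orphan_codered": sum(1 for e in orphans if e[3]),
            "established_payloads": sum(1 for e in report["established_payload"] if e[0] == s),
        }
    return out


# Constructed sample traffic (documentation address ranges, not real captures):
#  - 192.0.2.10 completes a handshake and then sends the CodeRed request line
#  - 203.0.113.7 never sends a SYN; it fires PSH/ACK payloads at a dead IP
#    and at a live one, the way Stick/Snot-style decoy traffic would
CODERED_GET = CODERED_MARKER + b"X" * 224 + b" HTTP/1.0\r\n"   # X count is made up
SAMPLE = [
    Packet(1.0, "192.0.2.10", 40000, "198.51.100.5", 80, "S"),
    Packet(1.1, "198.51.100.5", 80, "192.0.2.10", 40000, "SA"),
    Packet(1.2, "192.0.2.10", 40000, "198.51.100.5", 80, "A"),
    Packet(1.3, "192.0.2.10", 40000, "198.51.100.5", 80, "PA", CODERED_GET),
    Packet(2.0, "203.0.113.7", 1234, "198.51.100.99", 80, "PA", CODERED_GET),
    Packet(2.5, "203.0.113.7", 1235, "198.51.100.5", 80, "PA", CODERED_GET),
    Packet(3.0, "203.0.113.7", 1236, "198.51.100.5", 80, "PA", b"GET /index.html HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for src, row in summarize(track(SAMPLE)).items():
        print(src, row)
```

Run it directly to print the per-source table; a source with `syns == 0` and a non-zero `orphan_payloads` is exactly the pattern the thread is puzzling over. To use it on real traffic, replace `SAMPLE` with records parsed from a capture. The state machine is deliberately minimal (no sequence-number checks, no half-open timeouts, no reassembly), so treat it as a triage aid rather than an IDS.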
This archive was generated by hypermail 2b30 : Fri Mar 14 2003 - 09:18:20 PST