RE: CodeRed Observations.

From: larosa, vjay (larosa_vjayat_private)
Date: Thu Mar 13 2003 - 18:18:05 PST


    This would definitely be the answer to my odd traffic.
    It is interesting that I have never seen any threads
    relating to this on any other newsgroups. I am going 
    to find an IIS server somewhere in my network tomorrow 
    and test this out. 
    
    On a side note, if IIS does answer to connections
    without established sessions, couldn't IDS systems that track state
    be fooled into ignoring some attacks? If I had the stateless
    option turned on in my IDS to ignore stick/snot type attacks,
    I never would have discovered any of this traffic. Food for thought.
    
    vjl
    
    -----Original Message-----
    From: Rob McCauley [mailto:robmccauat_private]
    Sent: Thursday, March 13, 2003 1:36 PM
    To: Rob Shein
    Cc: 'larosa, vjay'; incidentsat_private
    Subject: RE: CodeRed Observations.
    
    
    
    On Thu, 13 Mar 2003, Rob Shein wrote:
    
    > I'd be careful and make sure, if I were you.  I don't think that the worm is
    > stateless, as it wouldn't be able to spread if it just sent data over TCP
    > without establishing the handshake first.  When you just PSH without
    > handshaking first, your data gets rejected.
    
    A claim has been made that IE, IIS, and at least some flavors of Windows 
    don't work like that.  http://grotto11.com/blog/?+1039831658.  I don't
    have time to verify the claim, but if it's true a worm spreading without
    the expected TCP handshake might well be possible.
    
    Rob
    
    -- 
    ------------------------------------------------------------------------------
    Rob McCauley
    Radiation Oncology
    Duke University Medical Center
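The side note above asks whether an IDS that only inspects established flows would miss data pushed without a handshake. The following toy flow tracker is an added example, not code from the thread or from any IDS product; the packet records, addresses and the content signature are all constructed for illustration.

```python
# Added example (not from the thread): a toy IDS that tracks TCP handshake
# state and compares strict stateful inspection with a mode that also
# inspects payload on flows where no handshake was ever observed.
# All segments, addresses and the signature below are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # subset of {"SYN", "ACK", "PSH"}
    payload: bytes = b""

SIGNATURE = b"EXAMPLE-ATTACK-PATTERN"   # constructed content signature

def key(seg):
    return (seg.src, seg.sport, seg.dst, seg.dport)

def inspect(segments, strict_state):
    """Return (flow, reason) alerts for segments carrying SIGNATURE.
    strict_state=True mimics an IDS that only inspects established flows."""
    state = {}        # client->server flow key -> handshake stage
    alerts = []
    for seg in segments:
        k = key(seg)
        rk = (seg.dst, seg.dport, seg.src, seg.sport)
        if seg.flags == {"SYN"}:
            state[k] = "syn"
        elif seg.flags == {"SYN", "ACK"} and state.get(rk) == "syn":
            state[rk] = "synack"
        elif "ACK" in seg.flags and state.get(k) == "synack":
            state[k] = "established"
        if not seg.payload:
            continue
        established = state.get(k) == "established"
        if strict_state and not established:
            continue      # a stateful-only IDS never looks at this payload
        if SIGNATURE in seg.payload:
            alerts.append((k, "established" if established else "no-handshake"))
    return alerts

def demo():
    c, s = "10.0.0.5", "10.0.0.80"   # constructed client and server
    handshake = [
        Segment(c, 40000, s, 80, frozenset({"SYN"})),
        Segment(s, 80, c, 40000, frozenset({"SYN", "ACK"})),
        Segment(c, 40000, s, 80, frozenset({"ACK"})),
        Segment(c, 40000, s, 80, frozenset({"PSH", "ACK"}), b"GET / " + SIGNATURE),
    ]
    # Same payload pushed with no prior handshake, on a second source port.
    no_handshake = [Segment(c, 40001, s, 80, frozenset({"PSH", "ACK"}), SIGNATURE)]
    traffic = handshake + no_handshake
    return inspect(traffic, strict_state=True), inspect(traffic, strict_state=False)
```

Running `demo()` shows the strict tracker raising one alert (the handshaked flow) while the relaxed mode raises two, the second tagged "no-handshake".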
    
    
    



    This archive was generated by hypermail 2b30 : Fri Mar 14 2003 - 09:23:12 PST