> I'd be careful and make sure, if I were you. I don't think that the worm is > stateless, as it wouldn't be able to spread if it just sent data over TCP > without establishing the handshake first. When you just PSH without > handshaking first, your data gets rejected. I had heard that too..that IIS can work without finishing the three way handshake. Could code red II have been the result of lessons learned from slammer? Part of the reason that slammer propagated so quickly is that it didnt have to finish the 3 way handshake (since it used UDP) and could therefore infect more efficiently. Brian ---------------------------------------------------------------------------- <Pre>Lose another weekend managing your IDS? Take back your personal time. 15-day free trial of StillSecure Border Guard.</Pre> <A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A>
This archive was generated by hypermail 2b30 : Fri Mar 14 2003 - 09:52:21 PST