Security Incidents
mailing list archives
Re: "Worm" behavior -- port 80 honey pots
From: Alexander Bochmann <securityfocus-incidents () freinet de>
Date: Mon, 22 Oct 2001 18:30:19 +0200
...on Mon, Oct 15, 2001 at 03:08:39PM -0600, Ryan Russell wrote:
>> 1) Sometimes the honey pot will send an IDENT request to the remote
>> system. At least one of the 'worms' in circulation recently will
>> immediately drop the port 80 connection when the IDENT probe is sent
> I used to have this problem with firewalled mail servers. If one of the
> mail servers was configured to do ident lookups, and there was a firewall
> that just dropped ident attempts (no RST), then the mail servers would sit
> around for 2-5 minutes until the ident TCP connect timed out. Only then
> would the mail connection deliver any data. This could be related, and
Don't think so; this is default behaviour with sendmail, at least.
Sendmail has a configurable timeout for ident lookups, and will
wait for an answer until the timeout expires. Default from
sendmail distribution is 30 seconds, but possibly some vendors
use a higher value. Don't know about other MTAs.
Alex.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
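Added example, not part of the original posts and not sendmail's code: a minimal RFC 1413 (ident) client in Python that measures the difference discussed in the thread, an immediate refusal (RST) versus a probe that is never answered and so costs the full configured timeout. The loopback helpers, the port numbers and the 2-second timeout are constructed for the demonstration; a listener that never replies stands in for a firewall that silently drops ident traffic.

```python
import socket
import time


def ident_lookup(host, ident_port, remote_port, local_port, timeout):
    """Send one RFC 1413 query; `timeout` bounds the connect and the reply wait.

    remote_port is the peer's source port, local_port is our service port.
    Returns (outcome, seconds_waited) with outcome one of
    'answered', 'closed', 'refused', 'timeout'.
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, ident_port), timeout=timeout) as s:
            # Query format: "<port-on-queried-host> , <port-on-our-host>\r\n"
            s.sendall(f"{remote_port} , {local_port}\r\n".encode("ascii"))
            outcome = "answered" if s.recv(512) else "closed"
    except ConnectionRefusedError:
        outcome = "refused"   # peer or firewall sent RST: fails at once
    except (socket.timeout, TimeoutError):
        outcome = "timeout"   # nothing came back: the full timeout is spent
    return outcome, time.monotonic() - start


def closed_port():
    """Return a loopback port with no listener, so a connect gets an RST."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def silent_listener():
    """Constructed stand-in for dropped ident traffic: the connection sits in
    the kernel backlog and no reply is ever sent."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    srv = silent_listener()
    cases = (("RST", closed_port()), ("no answer", srv.getsockname()[1]))
    for label, port in cases:
        outcome, waited = ident_lookup("127.0.0.1", port, 40000, 25, timeout=2.0)
        print(f"{label:10s} -> {outcome:8s} after {waited:.2f}s")
    srv.close()
```

A service that performs the lookup before handling the client is delayed by the second figure on every connection from behind such a firewall.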