Security Incidents: Re: Code red variants?

Re: Code red variants?

From: Russell Fulton <r.fulton_at_auckland.ac.nz>
Date: Fri, 7 Sep 2001 09:28:06 +1200 (NZST)

I now have an explanation for this, see appended message from NEXTRA
who own the addresses where these packets come from.

This still begs the question of the exact mechanism, but I think we are
on the right track. Nextra are blocking Code Red connections at their
transparent proxy but something is coming unstuck.

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand

>>From: Russell Fulton <r.fulton_at_auckland.ac.nz>
>>Sender: r.fulton_at_auckland.ac.nz
>>To: abuse_at_online.no
>>Subject: strange code red segments from 130.67/16
>>Date: Thu, 6 Sep 2001 16:40:50 +1200 (NZST)
>>Priority: NORMAL
>>X-Mailer: Simeon for Solaris Motif Version 4.1.5 Build (43)
>>X-Authentication: IMSP
>>
>>Greetings,
>> I have observed a stream of ACK packets (with no SYN) coming
>>from various addresses in 130.67. All of these packets appear to
>>contain nearly identical payload being part of (2nd packet ?) of the
>>code red stream.
>>
>>I am wondering if you have something (a proxy ?) that is blocking the
>>SYN and first packet (that contains the url) but is allowing the later
>>packets out?

Yes, we do block outgoing Code Red attacks using transparent proxies.
But I cannot explain why only the first packet is blocked. The proxies
should of course operate on a session level and not on a packet
level. At the moment the only explanation I can think of is a failure
of our redirecting equipment. I will have to look further into that. It
does not sound good..

Thanks for your report.

Bjørn Mork
Nextra
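The symptom described in this exchange, data-carrying ACK segments arriving on flows for which no SYN was ever seen, is straightforward to check for in a packet trace. The following is an added example and not code from the original thread or from Nextra's proxy or redirector: a small Python flow tracker that runs over a constructed list of TCP segment records and flags payload-bearing ACK segments whose flow never had a SYN. The record layout, the addresses (from the RFC 5737 documentation ranges) and the stand-in payload are assumptions for the illustration; a real deployment would feed it from a pcap parser.

```python
from dataclasses import dataclass

# TCP flag bits (standard values from the TCP header).
SYN = 0x02
ACK = 0x10


@dataclass(frozen=True)
class Segment:
    """One TCP segment, reduced to the fields the check needs."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""

    @property
    def flow(self):
        # Unidirectional flow key: client -> server, which is the
        # direction both the SYN and the outbound data travel in.
        return (self.src, self.sport, self.dst, self.dport)


def find_headless_segments(segments):
    """Return payload-bearing ACK segments on flows with no observed SYN.

    A transparent proxy or redirector that swallows the session-opening
    packets but leaks later segments of the same connection produces
    exactly this pattern at the receiving network.
    """
    handshake_seen = set()
    suspicious = []
    for seg in segments:
        if seg.flags & SYN:
            handshake_seen.add(seg.flow)
            continue
        if seg.payload and (seg.flags & ACK) and seg.flow not in handshake_seen:
            suspicious.append(seg)
    return suspicious


def summarize_by_source(suspicious):
    """Count flagged segments per source address for a quick abuse report."""
    counts = {}
    for seg in suspicious:
        counts[seg.src] = counts.get(seg.src, 0) + 1
    return counts


# Constructed sample trace (not a real capture). The stand-in payload
# represents a later segment of a worm's HTTP request, not its first one.
TAIL = b"X" * 32 + b"\r\n"
SAMPLE = [
    # A normal connection: SYN first, then data. Must not be flagged.
    Segment("192.0.2.10", 40000, "198.51.100.5", 80, SYN),
    Segment("192.0.2.10", 40000, "198.51.100.5", 80, ACK, b"GET / HTTP/1.0\r\n\r\n"),
    # Data segments with no preceding SYN on their flow. Flagged.
    Segment("203.0.113.7", 1029, "198.51.100.5", 80, ACK, TAIL),
    Segment("203.0.113.7", 1030, "198.51.100.5", 80, ACK, TAIL),
    Segment("203.0.113.9", 2048, "198.51.100.5", 80, ACK, TAIL),
    # Bare ACK with no payload: ordinary noise, ignored.
    Segment("203.0.113.9", 2049, "198.51.100.5", 80, ACK),
]

if __name__ == "__main__":
    flagged = find_headless_segments(SAMPLE)
    for seg in flagged:
        print(f"{seg.src}:{seg.sport} -> {seg.dst}:{seg.dport} "
              f"{len(seg.payload)} bytes, no SYN seen")
    print(summarize_by_source(flagged))
```

One caveat when applying this to a live capture: any long-lived connection that was opened before the capture started looks identical to the tracker, so run it over a capture that spans the period of interest and confirm with the payload itself, which in the case above was recognisable as a repeated fragment of the same worm request, before treating a source as misbehaving.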

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Received on Sep 06 2001
