Code Red HELP!!!!
Michael H. Warfield
Thu, 9 Aug 2001 15:19:55 -0400
On Thu, Aug 09, 2001 at 12:55:52AM -0500, S. Shore wrote:
> On Wed, 8 Aug 2001, Ian Jones wrote:
> > > > iptables -I INPUT -i eth0 -p tcp --tcp-flags ACK ACK --dport 80 \
> > > > -m string --string '/default.ida?' -j REJECT --reject-with tcp-reset
> > > This would have the unfortunate side effect of leaving your web server
> > > with a bunch of hung connections, as the other end will appear to have
> > > disappeared.
> > Uhhh...no. The remote end gets RST which is the end of that, and conntrack
> > knows that it has sent an abortive close. No hung connections.
> The remote end is closed, conntrack has dropped the connection. Too bad
> nobody has told the webserver that the connection died. The server has a
> full-open connection with no traffic pending, so it's going to sit there
> waiting for awhile.
Too bad we can't reverse that. If you leave the remote end
thinking that it's connected but no data is coming, the CodeRed thread
hangs forever, taking one of its scanning threads out of commission.
There's a couple of "sniffer/spoofing" utilities out to do this now
including Rob Graham's "deredoc".
> Scottie Shore <email@example.com>
> "Experience is that marvelous thing that enables you to recognize
> a mistake when you make it again." -- F. P. Jones
Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
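As an added defender-side example (not part of this thread or anyone's posted code), the same '/default.ida?' marker the iptables rule above matches on can also be hunted after the fact in web-server access logs, counting probes per source address. The log lines and client addresses below are constructed, and the padded request target is shortened from what the worm actually sent.

```python
import re
from collections import Counter

# Common/combined access-log line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Same string the iptables rule in the thread matches on.
CODE_RED_MARKER = '/default.ida?'

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_code_red_probe(entry):
    """True when the request target begins with the Code Red marker string."""
    return entry is not None and entry['target'].startswith(CODE_RED_MARKER)

def scan_log(lines):
    """Count Code Red probes per client address; also return how many lines parsed."""
    hits = Counter()
    parsed = 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line, skipped rather than guessed at
        parsed += 1
        if is_code_red_probe(entry):
            hits[entry['client']] += 1
    return hits, parsed

# Constructed sample log (documentation-range addresses; the worm's real request
# padded the marker with a much longer run of 'N's, shortened here).
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Aug/2001:13:01:02 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [08/Aug/2001:13:01:05 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 0',
    '198.51.100.7 - - [08/Aug/2001:13:04:11 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 0',
    '203.0.113.42 - - [08/Aug/2001:13:05:30 -0400] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 0',
    'garbage line that does not parse',
]

if __name__ == '__main__':
    hits, parsed = scan_log(SAMPLE_LOG)
    print(f'{parsed} lines parsed')
    for client, n in hits.most_common():
        print(f'{client}: {n} Code Red probe(s)')
```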