the probability of source IPs being spoofed is very low, because in order to send a request to your IIS server, they had to establish a TCP connection, and this is a bit of a tricky thing to do when you try to spoof the source IP (not on unpatched NT, though :) )

regards,
Vitaly.

myrddin_eat_private wrote:
>
> Understood, and thanks for the detailed information. That is what I was
> trying to learn!
>
> Anyone have an opinion as to the likelihood of the originating address
> not being spoofed? I counted four unique addresses that used the system
> for ping attacks over the course of 20 days.
>
> DISCLAIMER: NO, this was not my server. YES, I do know that the patch for
> Unicode was released with bulletin MS00-057. YES, I did read the FAQ before
> posting. Geez guys, take a pill.
>
> At Tue, 10 Jul 2001 13:05:45 -0400 (EDT), Jordan K Wiens <jwiensat_private>
> wrote:
> >
> >No, a 502 error is a bad gateway error; what happens is that your IIS
> >server is unpatched against the Unicode exploits (one of them, at least)
> >and is executing the command to ping a host. Just recently there seems
> >to be an increase in the number of hackers using vulnerable web servers
> >for ddos like behavior using over-sized pings.
> >
> >When the ping command executes, it runs the pings, however, it (obviously)
> >does not return complete html headers as its output (since ping was
> >never meant to run via the web, it's not supposed to run like a normal web
> >executable). IIS notices this, and realizes that the script hasn't
> >correctly executed, and lets you know with the 502 error. If you actually
> >look at the page, the results would read something like: "502 error;
> >the application has not returned correct headers. The headers it did return
> >are:" and then IIS would proceed to show the output of whatever had
> >been shown.
> >
> >The error you want to see once a machine has been fully patched is usually
> >a 404 error.
> >
> >--
> >Jordan Wiens
> >UF Network Incident Response Team
> >(352)392-2061
> Free, encrypted, secure Web-based email at www.hushmail.com
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see:
>
> http://aris.securityfocus.com
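Added example, not part of the original thread: a log triage sketch that applies the 502-versus-404 distinction described above to IIS W3C extended logs and counts the unique source addresses involved. The sample log lines, the documentation-range addresses, the placeholder URI stem and the function names are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in IIS W3C extended format. Addresses are documentation
# ranges and the URI stem is a placeholder, not a value from the thread.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-01 03:12:09 198.51.100.7 GET /scripts/PLACEHOLDER/cmd.exe /c+ping+192.0.2.10 502
2001-07-01 03:12:40 198.51.100.7 GET /scripts/PLACEHOLDER/cmd.exe /c+ping+192.0.2.10 502
2001-07-09 11:45:02 203.0.113.21 GET /scripts/PLACEHOLDER/cmd.exe /c+ping+192.0.2.77 502
2001-07-15 22:01:37 203.0.113.99 GET /scripts/PLACEHOLDER/cmd.exe /c+ping+192.0.2.10 404
2001-07-16 08:30:00 192.0.2.200 GET /default.htm - 200
"""

# "ping" as a separate token in the query string (assumed matching rule).
PING_RE = re.compile(r"(?:^|[^a-z])ping(?:\.exe)?(?:[^a-z]|$)", re.IGNORECASE)

def parse_w3c(text):
    """Yield one dict per log entry, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def summarize_ping_requests(text):
    """Group ping-carrying requests by outcome: 502 = command ran, 404 = rejected."""
    result = {"executed": defaultdict(list), "blocked": defaultdict(list)}
    for entry in parse_w3c(text):
        if not PING_RE.search(entry.get("cs-uri-query", "")):
            continue
        status = entry.get("sc-status")
        bucket = "executed" if status == "502" else "blocked" if status == "404" else None
        if bucket:
            result[bucket][entry["c-ip"]].append(f'{entry["date"]} {entry["time"]}')
    return {outcome: dict(by_ip) for outcome, by_ip in result.items()}

if __name__ == "__main__":
    for outcome, by_ip in summarize_ping_requests(SAMPLE_LOG).items():
        print(outcome, {ip: len(stamps) for ip, stamps in by_ip.items()})
```

Each `c-ip` value comes from a completed TCP connection, which is why the addresses in the "executed" bucket are worth following up on.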
This archive was generated by hypermail 2b30 : Fri Jul 13 2001 - 15:54:15 PDT