RE: CodeRed Observations.

From: Rob Shein (shotenat_private)
Date: Sun Mar 16 2003 - 18:08:08 PST

    From the testing I've just recently done, however, this is not the case.
    Every time, no matter what I do, IE and IIS three-way before any data goes
    anywhere in either direction.  Also, another question has come up in my
    mind; if IE can just PSH its request to IIS without handshaking, it can save
    time, sure.  But how does it know what kind of webserver it's about to start
    talking to?  I don't see how this idea would work, so I'm wondering if there
    are any references besides an anecdotal comment in that blog out there.
    
    > -----Original Message-----
    > From: Andrew Bates [mailto:abatesat_private] 
    > Sent: Sunday, March 16, 2003 4:11 PM
    > To: Bojan.Zdrnjaat_private
    > Cc: 'larosa, vjay'; 'Rob McCauley'; 'Rob Shein'; 
    > incidentsat_private
    > Subject: Re: CodeRed Observations.
    > 
    > 
    > Some ideas:
    > 
    > --snip--
    > 
    > > of all, if it actually works like this (and IE works like stated in
    > > the article Rob posted), then that means that Windows' TCP/IP *STACK* is
    > > really broken. Basically, this has nothing to do with IIS because IIS,
    > > as any other service, just binds a socket and waits for incoming data.
    > > The TCP/IP stack is the one that processes all incoming/outgoing traffic
    > > and delivers data to the application. Remember that TCP packets are on
    > > the transport layer (or host level if you prefer protocol
    > > relationships) and that actual HTTP data belongs to the application
    > > layer (the OSI model). So, the TCP/IP stack on the machine receiving a
    > > packet like that should send back RST - no way that packet should be
    > > processed and delivered to the application (if that is the case,
    > > spoofing becomes extremely easy).
    > >
    > 
    > --snip--
    > 
    > I'm no NT expert, but couldn't IIS be using raw sockets?  If 
    > so, this would circumvent the OS IP stack and IIS could 
    > choose not to follow a standard TCP three way handshake.
    > 
    > Andrew
    > 
    
    
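The point argued in the quoted message (a data segment that arrives with no prior handshake is answered by the stack, not the application) is the RFC 793 LISTEN-state rule. The following is an added example, not code from this thread or from any Windows or IIS source: a small Python model of a listening TCP endpoint that applies the LISTEN / SYN-RCVD / ESTABLISHED rules to constructed segments. The peer address, sequence numbers and the HTTP request bytes are made-up sample values; retransmission, windows and checksums are left out so only the handshake decision is visible.

```python
"""Model of how an RFC 793 listener treats incoming segments.

Added illustration for the CodeRed/IE handshake discussion; the
Segment and Listener names, the peer address and the sequence numbers
are all constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass
class Segment:
    src: tuple            # (ip, port) of the sender, constructed sample value
    flags: set            # subset of {"SYN", "ACK", "PSH", "RST", "FIN"}
    seq: int
    ack: int = 0
    data: bytes = b""


@dataclass
class Listener:
    iss: int = 1000                                  # our initial send sequence number
    tcbs: dict = field(default_factory=dict)         # per-peer connection state
    delivered: list = field(default_factory=list)    # payload handed to the application

    def receive(self, seg: Segment) -> str:
        """Return the reply the stack would send for one incoming segment."""
        tcb = self.tcbs.get(seg.src)
        if tcb is None:
            return self._listen(seg)
        if tcb["state"] == "SYN-RCVD":
            return self._syn_rcvd(seg, tcb)
        return self._established(seg, tcb)

    def _listen(self, seg: Segment) -> str:
        # RFC 793 LISTEN: RST is ignored; any segment carrying ACK is
        # answered with RST; SYN starts a handshake; everything else is dropped.
        # A PSH/ACK with data and no prior SYN therefore never reaches IIS.
        if "RST" in seg.flags:
            return "drop"
        if "ACK" in seg.flags:
            return f"RST seq={seg.ack}"
        if "SYN" in seg.flags:
            self.tcbs[seg.src] = {"state": "SYN-RCVD", "rcv_nxt": seg.seq + 1,
                                  "snd_nxt": self.iss + 1}
            return f"SYN-ACK seq={self.iss} ack={seg.seq + 1}"
        return "drop"

    def _syn_rcvd(self, seg: Segment, tcb: dict) -> str:
        # Third leg of the handshake: the ACK must cover our SYN exactly.
        if "RST" in seg.flags:
            del self.tcbs[seg.src]
            return "drop"
        if "ACK" in seg.flags and seg.ack == tcb["snd_nxt"] and seg.seq == tcb["rcv_nxt"]:
            tcb["state"] = "ESTABLISHED"
            return self._established(seg, tcb) if seg.data else "accept"
        return f"RST seq={seg.ack}"

    def _established(self, seg: Segment, tcb: dict) -> str:
        # Only now is payload delivered to the listening application.
        if "RST" in seg.flags:
            del self.tcbs[seg.src]
            return "drop"
        if "ACK" not in seg.flags or seg.seq != tcb["rcv_nxt"]:
            return "drop"      # out of sequence; a real stack re-sends its ACK
        if seg.data:
            self.delivered.append(seg.data)
            tcb["rcv_nxt"] += len(seg.data)
        return f"ACK seq={tcb['snd_nxt']} ack={tcb['rcv_nxt']}"


PEER = ("192.0.2.10", 40000)                 # constructed client address
REQUEST = b"GET / HTTP/1.0\r\n\r\n"          # constructed 18-byte request


def handshake_then_data():
    """Normal client: SYN, ACK, then PSH/ACK carrying the request."""
    srv = Listener()
    replies = [
        srv.receive(Segment(PEER, {"SYN"}, seq=500)),
        srv.receive(Segment(PEER, {"ACK"}, seq=501, ack=1001)),
        srv.receive(Segment(PEER, {"PSH", "ACK"}, seq=501, ack=1001, data=REQUEST)),
    ]
    return replies, srv.delivered


def data_without_handshake():
    """Client that just PSHes its request with no SYN first."""
    srv = Listener()
    reply = srv.receive(Segment(PEER, {"PSH", "ACK"}, seq=501, ack=1001, data=REQUEST))
    return reply, srv.delivered


if __name__ == "__main__":
    print(handshake_then_data())
    print(data_without_handshake())
```

In the second scenario the segment is answered with RST and `delivered` stays empty, which is the behaviour the quoted message expects from a sane stack; the application has no say in it because the segment never matches a connection. The only way an application could change that is by not using the kernel's TCP at all (the raw-socket idea later in the thread), at which point it would also have to do its own sequence tracking.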



    This archive was generated by hypermail 2b30 : Sun Mar 16 2003 - 21:49:20 PST