RE: CodeRed Observations.

From: Christine Kronberg (Christine_Kronbergat_private)
Date: Wed Mar 19 2003 - 07:25:20 PST


    On Thu, 13 Mar 2003, larosa, vjay wrote:
    
    > This would definitely be the answer to my odd traffic.
    > It is interesting that I have never seen any threads
    > relating to this on any other news groups. I am going
    > to find an IIS server somewhere in my network tomorrow
    > and test this out.
    
      We have two old IIS boxes in our lab and I checked with those.
      One box is a win2ksp2 with ie5, the other one a winnt4 sp6a
      with ie4. Unfortunately I currently do not have more modern
      equipment to test.
      No additional hotfixes as this is a testing-only area (and
      we were especially interested in the vulnerabilities of
      these systems). :-)
      What we found is:
      - There is always a three-way tcp handshake at the beginning.
      - There is not necessarily a four-way tcp handshake at the
        end of the data transmission. Neither IIS4 nor IIS5 send
        a FIN (ok sometimes they do, but I have no idea on what
        condition), so IE (4 and 5) send back RST when the user
        clicks on the next link.
      - Checked the same pages and link flows with opera and got
        a nice three-way handshake at the beginning and a nice
        four-way handshake at the end. (Ok, it's an Opera7, so
        probably patched or newer IEs do that now, too. Can anyone
        confirm that?)
      - Checked IE 4&5 against Apache and got a nice three-way
        handshake at the beginning and a nice four-way handshake
        at the end.
    
      So something in the communication between IE and IIS is ...
      strange, but not completely broken.
    
      Using nemesis we sent packets to both IIS with just PSH
      set and an HTTP request (with and without User-Agent) as
      payload. Both answered with an RST. So that looks good to me.
    
      In the meantime, below that article about the IE/IIS communication
      I saw a notice stating that this was an observation back in
      1997. That must be around the time of teardrop and land attacks.
      I remember vaguely that there was a service pack which replaced
      a good deal of the tcp/ip stack.
    
      Have fun,
    
    
                                                         Chris.
    
    -- 
    GeNUA mbH
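As an added illustration (not part of the thread and not code from any poster), the following Python script does mechanically what Chris did by eye in the captures above: it walks a list of TCP segments, records whether a flow completed a three-way handshake, whether it ended with a four-way FIN exchange or an RST, and flags data segments that arrive with no handshake at all (the nemesis PSH-only probe case). The packet records, addresses and ports are constructed placeholders; the flag letters follow tcpdump's convention (S, A, P, F, R).

```python
"""Classify TCP flows by handshake completion and teardown style.

Added example. Input is a constructed list of (src, dst, flags) tuples
rather than a real capture; a pcap reader would feed the same function.
"""

# Constructed sample trace with placeholder addresses.
SAMPLE_TRACE = [
    # Flow 1: browser -> server, handshake, request/response, then client RST, no FIN.
    ("10.0.0.5:1025", "10.0.0.80:80", "S"),
    ("10.0.0.80:80", "10.0.0.5:1025", "SA"),
    ("10.0.0.5:1025", "10.0.0.80:80", "A"),
    ("10.0.0.5:1025", "10.0.0.80:80", "PA"),
    ("10.0.0.80:80", "10.0.0.5:1025", "PA"),
    ("10.0.0.5:1025", "10.0.0.80:80", "R"),
    # Flow 2: another client, same server, clean four-way FIN close.
    ("10.0.0.6:2000", "10.0.0.80:80", "S"),
    ("10.0.0.80:80", "10.0.0.6:2000", "SA"),
    ("10.0.0.6:2000", "10.0.0.80:80", "A"),
    ("10.0.0.6:2000", "10.0.0.80:80", "PA"),
    ("10.0.0.80:80", "10.0.0.6:2000", "PA"),
    ("10.0.0.80:80", "10.0.0.6:2000", "FA"),
    ("10.0.0.6:2000", "10.0.0.80:80", "A"),
    ("10.0.0.6:2000", "10.0.0.80:80", "FA"),
    ("10.0.0.80:80", "10.0.0.6:2000", "A"),
    # Flow 3: PSH-only segment with no prior handshake; server answers RST.
    ("10.0.0.7:3000", "10.0.0.80:80", "P"),
    ("10.0.0.80:80", "10.0.0.7:3000", "R"),
]


class Flow:
    """Per-flow state, keyed by the unordered endpoint pair."""

    def __init__(self):
        self.initiator = None          # side that sent the first SYN (or first segment)
        self.syn = False
        self.synack = False
        self.established = False       # third leg of the handshake seen
        self.fin_from = []             # endpoints that sent FIN, in order
        self.rst_from = None           # endpoint that sent the first RST
        self.data_before_handshake = False


def track_flows(packets):
    """Replay segments in order and return {endpoint_pair: Flow}."""
    flows = {}
    for src, dst, flags in packets:
        key = tuple(sorted((src, dst)))
        flow = flows.setdefault(key, Flow())
        if flow.initiator is None:
            flow.initiator = src
        f = set(flags)
        if "R" in f:
            if flow.rst_from is None:
                flow.rst_from = src
            continue                    # RST carries no further state
        if "S" in f and "A" not in f:
            flow.initiator, flow.syn = src, True
        elif "S" in f and "A" in f and flow.syn and src != flow.initiator:
            flow.synack = True
        elif (flow.syn and flow.synack and not flow.established
              and "A" in f and src == flow.initiator):
            flow.established = True
        if "P" in f and not flow.established:
            flow.data_before_handshake = True
        if "F" in f and src not in flow.fin_from:
            flow.fin_from.append(src)
    return flows


def classify(flow):
    """Name the teardown the way an analyst would describe it."""
    def side(ep):
        return "client" if ep == flow.initiator else "server"

    if len(flow.fin_from) == 2:
        teardown = "four-way FIN close"
    elif flow.rst_from is not None:
        teardown = "RST by " + side(flow.rst_from)
    elif len(flow.fin_from) == 1:
        teardown = "half-close by " + side(flow.fin_from[0])
    else:
        teardown = "none"
    return {"established": flow.established,
            "teardown": teardown,
            "data_without_handshake": flow.data_before_handshake}


def summarize(packets):
    """Return {initiator_address: classification} in first-seen order."""
    return {flow.initiator: classify(flow)
            for flow in track_flows(packets).values()}


if __name__ == "__main__":
    for client, result in summarize(SAMPLE_TRACE).items():
        print(client, result)
```

Run against a real capture, the "established but RST by client, no FIN" bucket is the IE-against-IIS pattern described above, while "data_without_handshake" flows that the server answers with an RST are the stack behaving as it should; a server that answers such a segment with anything other than RST is the case worth a closer look.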
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Wed Mar 19 2003 - 13:04:11 PST