Security Incidents mailing list archives

Nimda type attacks with broken GETs


From: Stephen Samuel <samuel () bcgreen com>
Date: Mon, 13 May 2002 22:38:02 -0700

This may have already been mentioned on this list (I'm not
subscribed, but I've had this list suggested for this).

I've just noticed a Nimda-type attack where the 'get' line
is broken up into two parts (presumably an attempt to
confuse packet filters and IDSs).
Given that this type of split of a 'get' line seems to be rather rare,
I think that people depending on packet filters to help stop/identify
this type of attack can probably add this to their list of bad packets.

A sample of such a session is included (tethereal print below, and the
raw tcpdump file attached).

  1   0.000000 202.144.239.139 -> 210.45.202.98 TCP 4962 > http [SYN] Seq=1175453624 Ack=0 Win=16384 Len=0
  2   2.907647 202.144.239.139 -> 210.45.202.98 TCP 4962 > http [SYN] Seq=1175453624 Ack=0 Win=16384 Len=0
  3   2.935290 210.45.202.98 -> 202.144.239.139 TCP http > 4962 [SYN, ACK] Seq=886147005 Ack=1175453625 Win=8192 Len=0
  4   2.935572 202.144.239.139 -> 210.45.202.98 TCP 4962 > http [ACK] Seq=1175453625 Ack=886147006 Win=17520 Len=0
  5   2.935779 202.144.239.139 -> 210.45.202.98 HTTP GET
  6   2.937518 202.144.239.139 -> 210.45.202.98 HTTP Continuation
  7   3.027385 210.45.202.98 -> 202.144.239.139 TCP http > 4962 [ACK] Seq=886147006 Ack=1175453629 Win=8188 Len=0
  8   3.029238 202.144.239.139 -> 210.45.202.98 HTTP Continuation
  9   3.030202 202.144.239.139 -> 210.45.202.98 HTTP Continuation
 10   3.134727 210.45.202.98 -> 202.144.239.139 TCP http > 4962 [ACK] Seq=886147006 Ack=1175455089 Win=8192 Len=0
 11   3.334389 210.45.202.98 -> 202.144.239.139 TCP http > 4962 [ACK] Seq=886147006 Ack=1175457664 Win=5617 Len=0

Packet 5 only contains the string 'GET'.
Packets 6, 8 and 9 contain the actual payload (GET string).

--
Stephen Samuel +1(604)876-0426                samuel () bcgreen com
                   http://www.bcgreen.com/~samuel/
Powerful committed communication, reaching through fear, uncertainty and
doubt to touch the jewel within each person and bring it to life.
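The evasion the post describes, a request line split so that one segment carries only the method token, is exactly what a per-packet matcher misses and a stream reassembler catches. The following Python is an added example, not code from the post or from any IDS product: it models the client side of the listing with constructed segments (the client ISN 1175453624 is taken from the trace, but the URI and headers are placeholders, since the capture's payload is not reproduced on the page), flags the method-only segment the way the post suggests, and shows a naive per-segment request-line match returning nothing while the same pattern over the reassembled byte stream succeeds, including with out-of-order and retransmitted segments.

```python
"""Per-packet vs. reassembled-stream matching of a split HTTP request line (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Segment:
    """One TCP segment with payload; seq is the sequence number of its first byte."""
    seq: int
    payload: bytes


# Constructed sample modelled on the tethereal listing: the client's ISN is
# 1175453624, so its first payload byte has sequence number ISN+1.  The URI and
# headers below are placeholders; the original capture's payload is not on the page.
CLIENT_ISN = 1175453624


def build_segments(isn: int, payloads: Iterable[bytes]) -> List[Segment]:
    """Assign consecutive sequence numbers to an ordered list of payloads."""
    seq, out = isn + 1, []
    for p in payloads:
        out.append(Segment(seq, p))
        seq += len(p)
    return out


SAMPLE_SEGMENTS = build_segments(CLIENT_ISN, [
    b"GET",                              # packet 5: the method token alone
    b" /placeholder/path HTTP/1.0\r\n",  # packet 6: rest of the request line (placeholder URI)
    b"Host: 210.45.202.98\r\n",          # packet 8 (constructed header)
    b"\r\n",                             # packet 9: end of headers
])

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/\d\.\d")
METHOD_ONLY = re.compile(rb"^(GET|HEAD|POST)\s*$")


def method_only_fragment(payload: bytes) -> bool:
    """True when a segment carries just an HTTP method token: the 'bad packet' the post describes."""
    return METHOD_ONLY.match(payload) is not None


def per_packet_request_lines(segments: Iterable[Segment]) -> List[bytes]:
    """Naive matcher: looks for a complete request line inside each segment on its own."""
    found = []
    for s in segments:
        m = REQUEST_LINE.match(s.payload)
        if m:
            found.append(m.group(0))
    return found


def reassemble(segments: Iterable[Segment], isn: int) -> Optional[bytes]:
    """Order segments by sequence number and concatenate their payloads.
    Overlapping bytes (retransmissions) are trimmed; a hole in the stream returns None."""
    expected = isn + 1
    data = bytearray()
    for s in sorted(segments, key=lambda s: s.seq):
        if s.seq > expected:
            return None                  # gap: the stream cannot be reconstructed yet
        skip = expected - s.seq          # bytes of this segment already seen
        if skip < len(s.payload):
            data += s.payload[skip:]
            expected = s.seq + len(s.payload)
    return bytes(data)


def stream_request_line(segments: Iterable[Segment], isn: int) -> Optional[bytes]:
    """Matcher run over the reassembled stream: sees the request line even when it is split."""
    stream = reassemble(segments, isn)
    if stream is None:
        return None
    m = REQUEST_LINE.match(stream)
    return m.group(0) if m else None


if __name__ == "__main__":
    print("per-packet matches:", per_packet_request_lines(SAMPLE_SEGMENTS))
    print("method-only segments:", [s.seq for s in SAMPLE_SEGMENTS if method_only_fragment(s.payload)])
    print("reassembled request line:", stream_request_line(SAMPLE_SEGMENTS, CLIENT_ISN))
```

The per-segment "method only" check is the cheap filter-level rule the post proposes; the reassembly path is what an IDS needs in order to apply its ordinary request-line signatures regardless of how the sender segments the data. Note that `reassemble` refuses to match on a stream with a hole rather than guessing, which is the safe choice when a retransmission has not arrived yet.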


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

