Security Incidents mailing list archives

RE: CodeRed Observations.


From: "Rob Shein" <shoten () starpower net>
Date: Sun, 16 Mar 2003 21:08:08 -0500

From the testing I've just recently done, however, this is not the case.
Every time, no matter what I do, IE and IIS three-way before any data goes
anywhere in either direction.  Also, another question has come up in my
mind; if IE can just PSH its request to IIS without handshaking, it can save
time, sure.  But how does it know what kind of webserver it's about to start
talking to?  I don't see how this idea would work, so I'm wondering if there
are any references besides an anecdotal comment in that blog out there.

-----Original Message-----
From: Andrew Bates [mailto:abates () omeganetserv com] 
Sent: Sunday, March 16, 2003 4:11 PM
To: Bojan.Zdrnja () LSS hr
Cc: 'larosa, vjay'; 'Rob McCauley'; 'Rob Shein'; 
incidents () securityfocus com
Subject: Re: CodeRed Observations.


Some ideas:

--snip--

of all, if it actually works like this (and IE works like stated in 
article Rob posted), then that means that Windows' TCP/IP *STACK* is 
really broken. Basically, this has nothing to do with IIS because IIS, 
as any other service, just binds socket and waits for incoming data. 
TCP/IP stack is the one that processes all incoming/outgoing traffic 
and delivers data to the application. Remember that TCP packets are on 
the transport layer (or host level if you prefer protocol 
relationships) and that actual HTTP data belongs to the application 
layer (the OSI model). So, TCP/IP stack on the machine receiving 
packet like that should send back RST - no way that packet should be 
processed and delivered to application (if that is the case spoofing 
becomes extremely easy).


--snip--

I'm no NT expert, but couldn't IIS be using raw sockets?  If 
so, this would circumvent the OS IP stack and IIS could 
choose not to follow a standard TCP three way handshake.

Andrew





