Security Incidents mailing list archives
RE: CodeRed Observations.
From: "Rob Shein" <shoten () starpower net>
Date: Sun, 16 Mar 2003 21:08:08 -0500
From the testing I've just recently done, however, this is not the case.
Every time, no matter what I do, IE and IIS three-way before any data goes anywhere in either direction. Also, another question has come up in my mind; if IE can just PSH its request to IIS without handshaking, it can save time, sure. But how does it know what kind of webserver it's about to start talking to? I don't see how this idea would work, so I'm wondering if there are any references besides an anecdotal comment in that blog out there.
-----Original Message-----
From: Andrew Bates [mailto:abates () omeganetserv com]
Sent: Sunday, March 16, 2003 4:11 PM
To: Bojan.Zdrnja () LSS hr
Cc: 'larosa, vjay'; 'Rob McCauley'; 'Rob Shein'; incidents () securityfocus com
Subject: Re: CodeRed Observations.

Some ideas:

--snip--
of all, if it actually works like this (and IE works like stated in article Rob posted), then that means that Windows' TCP/IP *STACK* is really broken. Basically, this has nothing to do with IIS because IIS, as any other service, just binds socket and waits for incoming data. TCP/IP stack is the one that processes all incoming/outgoing traffic and delivers data to the application. Remember that TCP packets are on the transport layer (or host level if you prefer protocol relationships) and that actual HTTP data belongs to the application layer (the OSI model). So, TCP/IP stack on the machine receiving packet like that should send back RST - no way that packet should be processed and delivered to application (if that is the case spoofing becomes extremely easy).
--snip--

I'm no NT expert, but couldn't IIS be using raw sockets? If so, this would circumvent the OS IP stack and IIS could choose not to follow a standard TCP three way handshake.

Andrew
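
One way to check a capture for the behaviour debated in this thread, added here as an example and not code from any poster: it tracks each flow's SYN, SYN/ACK, ACK exchange and reports payload-bearing segments seen before that exchange completes. The `Segment` record, the function name and the trace are constructed for illustration.

```python
from collections import namedtuple

# One observed TCP segment (hypothetical record layout): endpoints are
# "ip:port" strings, flags is a set of flag names, length is payload bytes.
Segment = namedtuple("Segment", "src dst flags length")

def data_before_handshake(segments):
    """Return payload-bearing segments on flows with no completed handshake."""
    state = {}    # flow key -> (stage, client); stage 3 means established
    flagged = []
    for seg in segments:
        key = frozenset((seg.src, seg.dst))
        if "RST" in seg.flags:
            state.pop(key, None)          # flow torn down, forget it
            continue
        stage, client = state.get(key, (0, None))
        if seg.flags == {"SYN"}:
            stage, client = 1, seg.src    # step 1: client SYN
        elif seg.flags == {"SYN", "ACK"} and stage == 1 and seg.src != client:
            stage = 2                     # step 2: server SYN/ACK
        elif (stage == 2 and seg.src == client
              and "ACK" in seg.flags and "SYN" not in seg.flags):
            stage = 3                     # step 3: client ACK (may carry data)
        state[key] = (stage, client)
        if seg.length > 0 and stage < 3:
            flagged.append(seg)           # data ahead of the handshake
    return flagged

SERVER = "10.0.0.80:80"
# Constructed trace: one normal request, one bare PSH/ACK, one early push.
CONSTRUCTED_TRACE = [
    Segment("10.0.0.5:1025", SERVER, {"SYN"}, 0),
    Segment(SERVER, "10.0.0.5:1025", {"SYN", "ACK"}, 0),
    Segment("10.0.0.5:1025", SERVER, {"ACK"}, 0),
    Segment("10.0.0.5:1025", SERVER, {"PSH", "ACK"}, 300),
    Segment(SERVER, "10.0.0.5:1025", {"ACK"}, 1460),
    Segment("10.0.0.9:1031", SERVER, {"PSH", "ACK"}, 300),   # no SYN at all
    Segment(SERVER, "10.0.0.9:1031", {"RST"}, 0),
    Segment("10.0.0.7:1040", SERVER, {"SYN"}, 0),
    Segment("10.0.0.7:1040", SERVER, {"PSH", "ACK"}, 120),   # before SYN/ACK
]

if __name__ == "__main__":
    for hit in data_before_handshake(CONSTRUCTED_TRACE):
        print(hit.src, "->", hit.dst, sorted(hit.flags), hit.length)
```

A capture that starts mid-connection will report established flows as well, so run it over traces that include the start of each connection.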