Security Incidents mailing list archives

Re: CodeRed Observations.


From: Andrew Bates <abates () omeganetserv com>
Date: Sun, 16 Mar 2003 14:11:28 -0700

Some ideas:

--snip--

of all, if it actually works like this (and IE works like stated in the article Rob
posted), then that means that Windows' TCP/IP *STACK* is really broken.
Basically, this has nothing to do with IIS because IIS, as any other service,
just binds a socket and waits for incoming data. The TCP/IP stack is the one that
processes all incoming/outgoing traffic and delivers data to the application.
Remember that TCP packets are on the transport layer (or host level if you
prefer protocol relationships) and that actual HTTP data belongs to the
application layer (the OSI model). So, the TCP/IP stack on the machine receiving
a packet like that should send back an RST - no way that packet should be processed
and delivered to the application (if that is the case, spoofing becomes extremely
easy).


--snip--

I'm no NT expert, but couldn't IIS be using raw sockets? If so, this would circumvent the OS IP
stack and IIS could choose not to follow a standard TCP three-way handshake.

Andrew

