Security Incidents mailing list archives

RE: CodeRed Observations.


From: Christine Kronberg <Christine_Kronberg () genua de>
Date: Wed, 19 Mar 2003 16:25:20 +0100 (CET)

On Thu, 13 Mar 2003, larosa, vjay wrote:

This would definitely be the answer to my odd traffic.
It is interesting that I have never seen any threads
relating to this on any other news groups. I am going
to find an IIS server somewhere in my network tomorrow
and test this out.

  We have two old IIS boxes in our lab and I checked with those.
  One box is a win2ksp2 with ie5, the other one a winnt4 sp6a
  with ie4. Unfortunately I do not currently have more modern
  equipment to test with.
  No additional hotfixes, as this is a testing-only area (and
  we were especially interested in the vulnerabilities of
  these systems). :-)
  What we found is:
  - There is always a three-way tcp handshake at the beginning.
  - There is not necessarily a four-way tcp handshake at the
    end of the data transmission. Neither IIS4 nor IIS5 sends
    a FIN (ok, sometimes they do, but I have no idea under what
    condition), so IE (4 and 5) sends back RST when the user
    clicks on the next link.
  - Checked the same pages and link flows with Opera and got
    a nice three-way handshake at the beginning and a nice
    four-way handshake at the end. (Ok, it's an Opera7, so
    probably patched or newer IEs do that now, too. Can anyone
    confirm that?)
  - Checked IE 4&5 against Apache and got a nice three-way
    handshake at the beginning and a nice four-way handshake
    at the end.

  So something in the communication between IE and IIS is ...
  strange, but not completely broken.

  Using nemesis we sent packets to both IIS with just PSH
  set and an HTTP request (with and without User-Agent) as
  payload. Both answered with an RST. So that looks good to me.

  Meanwhile, below that article about the IE/IIS communication
  I saw a notice stating that this was an observation back in
  1997. That must be around the time of the teardrop and land attacks.
  I remember vaguely that there was a service pack which replaced
  a good deal of the tcp/ip stack.

  Have fun,


                                                     Chris.

-- 
GeNUA mbH
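The observations in this thread (a three-way handshake at the start, a teardown that ends in RST from the IE client rather than a four-way FIN exchange against IIS, a clean FIN close against Apache, and an RST in reply to a PSH-only segment that never completed a handshake) are exactly the distinctions an analyst needs when deciding whether "odd" traffic in an IDS log is a client quirk or a probe. The following Python is an added example written for this archive page, not code from the poster or from GeNUA; it classifies TCP sessions from a constructed packet log (timestamp, source, destination, TCP flag letters) so that RST-on-next-click sessions and handshake-less data segments can be told apart. The session labels (`fin-close`, `rst-close`, `no-handshake`, `incomplete-handshake`, `open`) and all addresses are the example's own assumptions.

```python
from collections import Counter

# Constructed sample packet log for the example (not captured traffic from the
# original post). One record per TCP segment: (timestamp, src, dst, flags).
# Flag letters: S=SYN, A=ACK, P=PSH, F=FIN, R=RST.
SAMPLE_PACKETS = [
    # Session 1, modelled on the IE -> IIS case: handshake, request/response,
    # then the client tears down with RST because the server never sent a FIN.
    (1.00, "10.0.0.5:1025", "10.0.0.9:80", "S"),
    (1.01, "10.0.0.9:80", "10.0.0.5:1025", "SA"),
    (1.02, "10.0.0.5:1025", "10.0.0.9:80", "A"),
    (1.03, "10.0.0.5:1025", "10.0.0.9:80", "PA"),
    (1.05, "10.0.0.9:80", "10.0.0.5:1025", "PA"),
    (4.00, "10.0.0.5:1025", "10.0.0.9:80", "R"),
    # Session 2, modelled on the Opera -> Apache case: handshake, data,
    # then a proper four-way FIN/ACK close in both directions.
    (2.00, "10.0.0.6:2000", "10.0.0.10:80", "S"),
    (2.01, "10.0.0.10:80", "10.0.0.6:2000", "SA"),
    (2.02, "10.0.0.6:2000", "10.0.0.10:80", "A"),
    (2.03, "10.0.0.6:2000", "10.0.0.10:80", "PA"),
    (2.05, "10.0.0.10:80", "10.0.0.6:2000", "PA"),
    (2.10, "10.0.0.6:2000", "10.0.0.10:80", "FA"),
    (2.11, "10.0.0.10:80", "10.0.0.6:2000", "A"),
    (2.12, "10.0.0.10:80", "10.0.0.6:2000", "FA"),
    (2.13, "10.0.0.6:2000", "10.0.0.10:80", "A"),
    # Session 3, modelled on the PSH-only test: data with no handshake at all,
    # which the server correctly answers with RST.
    (5.00, "10.0.0.7:3000", "10.0.0.9:80", "P"),
    (5.01, "10.0.0.9:80", "10.0.0.7:3000", "R"),
]


def session_key(a, b):
    """Direction-independent key for a TCP session between two endpoints."""
    return tuple(sorted((a, b)))


def _new_state():
    return {"client": None, "syn": False, "synack": False, "established": False,
            "fins": set(), "rst": False, "data_before_handshake": False}


def label(st):
    """Turn a session's observed state into one of the example's labels."""
    if st["data_before_handshake"] and not st["syn"]:
        return "no-handshake"        # payload with no SYN: probe or stray segment
    if not st["established"]:
        return "incomplete-handshake"
    if len(st["fins"]) == 2:
        return "fin-close"           # orderly four-way close
    if st["rst"]:
        return "rst-close"           # abortive close, e.g. IE against IIS
    return "open"


def classify_sessions(packets):
    """Replay packets in time order and return {session_key: label}."""
    sessions = {}
    for _ts, src, dst, flags in sorted(packets):
        st = sessions.setdefault(session_key(src, dst), _new_state())
        if "S" in flags and "A" not in flags:
            st["syn"], st["client"] = True, src
        elif "S" in flags and "A" in flags:
            if st["syn"]:
                st["synack"] = True
        elif "A" in flags and st["synack"] and not st["established"] and src == st["client"]:
            st["established"] = True  # third packet of the handshake
        if "P" in flags and not st["established"]:
            st["data_before_handshake"] = True
        if "F" in flags:
            st["fins"].add(src)
        if "R" in flags:
            st["rst"] = True
    return {key: label(st) for key, st in sessions.items()}


def summarize(packets):
    """Count sessions per label; handy for spotting a flood of no-handshake data."""
    return Counter(classify_sessions(packets).values())


if __name__ == "__main__":
    for key, verdict in classify_sessions(SAMPLE_PACKETS).items():
        print(f"{key[0]} <-> {key[1]}: {verdict}")
    print(dict(summarize(SAMPLE_PACKETS)))
```

When tuning an IDS with this kind of bookkeeping, the `rst-close` count for IE clients talking to IIS is expected background and not worth an alert, whereas `no-handshake` sessions carrying payload are the ones that deserve a look, since a well-behaved stack answers them with RST exactly as the two IIS boxes did.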