Security Incidents mailing list archives

"Ticken" web attacks?

From: Steve Friedl <steve () unixwiz net>
Date: Wed, 15 Nov 2006 19:03:32 -0800

Good evening, all,

A customer recently underwent a denial-of-service attack where the many
attacking machines submitted HTTP requests that consisted of nothing but

        Ticken <%/%>%:|||:<&%%><<><?>

Plus the usual CR/LF + CR/LF.

Normally one would expect to find GET or POST or HEAD, followed by the
URL, followed by the HTTP/1.0 or /1.1 version, then several lines of
headers, then a blank line to mark the end of the headers, but Ethereal
showed just the above string of bytes.

Apache was returning a 400 message (bad request), but it was getting past
the load-balancer filters.

        $ telnet www.unixwiz.net 80
        Trying 216.39.106.163...
        Connected to www.unixwiz.net.
        Escape character is '^]'.
-->     Ticken <%/%>%:|||:<&%%><<><?>
        <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
        <HTML><HEAD>
        <TITLE>400 Bad Request</TITLE>
        </HEAD><BODY>
        <H1>Bad Request</H1>
        Your browser sent a request that this server could not understand.<P>
        <HR>
        <ADDRESS>Apache/1.3.31 Server at mvp.unixwiz.net Port 80</ADDRESS>
        </BODY></HTML>
        Connection closed by foreign host.

We're totally at a loss to figure out what this might be about, or what
purpose might have been served by this curious request string. Google has
been no source of joy.

Has anybody seen this before?

Steve

-- 
Stephen J Friedl | Security Consultant |  UNIX Wizard  |   +1 714 544-6561
www.unixwiz.net  | Tustin, Calif. USA  | Microsoft MVP | steve () unixwiz net

------------------------------------------------------------------------------
This List Sponsored by: Black Hat

Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas. 
World renowned security experts reveal tomorrow's threats today. Free of 
vendor pitches, the Briefings are designed to be pragmatic regardless of your 
security environment. Featuring 36 hands-on training courses and 10 conference 
tracks, networking opportunities with over 2,500 delegates from 40+ nations. 

http://www.blackhat.com
------------------------------------------------------------------------------

Current thread:

"Ticken" web attacks? Steve Friedl (Nov 16)
- RE: "Ticken" web attacks? James C. Slora Jr. (Nov 23)
- <Possible follow-ups>
- Re: "Ticken" web attacks? bucklerk (Nov 17)
- Re: Re: "Ticken" web attacks? bucklerk (Nov 18)
  - Re: Re: "Ticken" web attacks? Dude VanWinkle (Nov 20)
  - Re: Re: "Ticken" web attacks? K.M. Jeary (Nov 20)
    - Re: "Ticken" web attacks? Radu Oprisan (Nov 20)
    - Re: "Ticken" web attacks? Valdis . Kletnieks (Nov 20)