RE: CodeRed Observations.

From: Rob Shein (shoten@starpower.net)
Date: 03/17/03

    From: "Rob Shein" <shoten@starpower.net>
    To: "'Andrew Bates'" <abates@omeganetserv.com>, <Bojan.Zdrnja@LSS.hr>
    Date: Sun, 16 Mar 2003 21:08:08 -0500
    
    

    From the testing I've just recently done, however, this is not the case.
    Every time, no matter what I do, IE and IIS three-way before any data goes
    anywhere in either direction. Also, another question has come up in my
    mind; if IE can just PSH its request to IIS without handshaking, it can save
    time, sure. But how does it know what kind of webserver it's about to start
    talking to? I don't see how this idea would work, so I'm wondering if there
    are any references besides an anecdotal comment in that blog out there.

    > -----Original Message-----
    > From: Andrew Bates [mailto:abates@omeganetserv.com]
    > Sent: Sunday, March 16, 2003 4:11 PM
    > To: Bojan.Zdrnja@LSS.hr
    > Cc: 'larosa, vjay'; 'Rob McCauley'; 'Rob Shein';
    > incidents@securityfocus.com
    > Subject: Re: CodeRed Observations.
    >
    >
    > Some ideas:
    >
    > --snip--
    >
    > > of all, if it actually works like this (and IE works like stated in
    > > article Rob posted), then that means that Windows' TCP/IP
    > *STACK* is
    > > really broken. Basically, this has nothing to do with IIS
    > because IIS,
    > > as any other service, just binds socket and waits for
    > incoming data.
    > > TCP/IP stack is the one that processes all
    > incoming/outgoing traffic
    > > and delivers data to the application. Remember that TCP
    > packets are on
    > > the transport layer (or host level if you prefer protocol
    > > relationships) and that actual HTTP data belongs to the application
    > > layer (the OSI model). So, TCP/IP stack on the machine receiving
    > > packet like that should send back RST - no way that packet
    > should be
    > > processed and delivered to application (if that is the case
    > spoofing
    > > becomes extremely easy).
    > >
    >
    > --snip--
    >
    > I'm no NT expert, but couldn't IIS be using raw sockets? If
    > so, this would circumvent the OS IP stack and IIS could
    > choose not to follow a standard TCP three way handshake.
    >
    > Andrew
    >
