Re: CodeRed Observations.

From: Andrew Bates (abates@omeganetserv.com)
Date: 03/16/03

  • Next message: Rob Shein: "RE: [unisog] Re: Port 109 Mystery" 
    Date: Sun, 16 Mar 2003 14:11:28 -0700
From: Andrew Bates <abates@omeganetserv.com>
To: Bojan.Zdrnja@LSS.hr

    Some ideas:

    --snip--

    > of all, if it actually works like this (and IE works like stated in article Rob
    > posted), than that means that Windows' TCP/IP *STACK* is really broken.
    > Basically, this has nothing to do with IIS because IIS, as any other service,
    > just binds socket and waits for incoming data. TCP/IP stack is the one that
    > processes all incoming/outgoing traffic and delivers data to the application.
    > Remember that TCP packets are on the transport layer (or host level if you
    > prefer protocol relationships) and that actual HTTP data belongs to the
    > application layer (the OSI model). So, TCP/IP stack on the machine receiving
    > packet like that should send back RST - no way that packet should be processed
    > and delivered to application (if that is the case spoofing becomes extremely
    > easy).
    >

    --snip--

    I'm no NT expert, but couldn't IIS be using raw sockets? If so, this would circumvent the OS IP
    stack and IIS could choose not to follow a standard TCP three way handshake.

    Andrew

    ----------------------------------------------------------------------------

    <Pre>Lose another weekend managing your IDS?
    Take back your personal time.
    15-day free trial of StillSecure Border Guard.</Pre>
    <A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A>

  • Next message: Rob Shein: "RE: [unisog] Re: Port 109 Mystery"