RE: CodeRed Observations.

From: Christine Kronberg (Christine_Kronberg@genua.de)
Date: 03/19/03

  • Next message: Harlan Carvey: "RE: SPM2000$ Rouge Share" 
    Date: Wed, 19 Mar 2003 16:25:20 +0100 (CET)
From: Christine Kronberg <Christine_Kronberg@genua.de>
To: <incidents@securityfocus.com>

    On Thu, 13 Mar 2003, larosa, vjay wrote:

    > This would definately be the answer to my odd traffic.
    > It is interesting that I have never seen any threads
    > relating to this on any other news groups. I am going
    > to find an IIS server somewhere in my network tomorrow
    > and test this out.

      We have two old IIS boxes in our lab and I checked with those.
      One box is a win2ksp2 with ie5, the other one a winnt4 sp6a
      with ie4. Unfortunately I have currently not a more modern
      equipment to test.
      No additional hotfixes as this is testing-only aera (and
      we were especially interested in the vulnerabilities of
      these systems). :-)
      What we found is:
      - There is alway a three-way tcp handshake at the beginning.
      - There is not necessarily a four-way tcp handshake at the
        end of the data transmission. Neither IIS4 nor IIS5 send
        a FIN (ok sometimes they do, but I have no idea on what
        condition), so IE (4 and 5) send back RST when the user
        clicks on the next link.
      - Checked the same pages and link flows with opera and got
        a nice three-way handshake at the beginning and a nice
        four-way handshake at the end. (Ok, it's an Opera7, so
        probably patched or newer IEs do that now, too. Can anyone
        confirm hat?)
      - Checked IE 4&5 against Apache and got a nice three-way
        handshake at the beginning and a nice four-way handshake
        at the end.

      So something in the communication between IE and IIS is ...
      strange, but not completely broken.

      Using nemesis we sent packets to both IIS with just PSH
      set and an HTTP request (with and without User-Agent) as
      payload. Both answered with an RST. So that looks good to me.

      In the meanwhile below that article about the IE/IIS communication
      I saw a notice stating that this was an observation back in
      1997. That must be around the time of teardrop and land attacks.
      I remember vaguely that there was a service pack which replaced
      a good deal of the tcp/ip stack.

      Have fun,

                                                         Chris. 

    -- 
GeNUA mbH
----------------------------------------------------------------------------
<Pre>Lose another weekend managing your IDS?
Take back your personal time.
15-day free trial of StillSecure Border Guard.</Pre>
<A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A>
  • Next message: Harlan Carvey: "RE: SPM2000$ Rouge Share"