RE: CodeRed Observations.
From: Christine Kronberg (Christine_Kronberg@genua.de)
Date: Wed, 19 Mar 2003 16:25:20 +0100 (CET)
To: <firstname.lastname@example.org>
On Thu, 13 Mar 2003, larosa, vjay wrote:
> This would definitely be the answer to my odd traffic.
> It is interesting that I have never seen any threads
> relating to this on any other news groups. I am going
> to find an IIS server somewhere in my network tomorrow
> and test this out.
We have two old IIS boxes in our lab and I checked with those.
One box is a win2ksp2 with ie5, the other one a winnt4 sp6a
with ie4. Unfortunately I currently do not have more modern
equipment to test.
No additional hotfixes as this is a testing-only area (and
we were especially interested in the vulnerabilities of
these systems). :-)
What we found is:
- There is always a three-way tcp handshake at the beginning.
- There is not necessarily a four-way tcp handshake at the
end of the data transmission. Neither IIS4 nor IIS5 send
a FIN (ok sometimes they do, but I have no idea on what
condition), so IE (4 and 5) send back RST when the user
clicks on the next link.
- Checked the same pages and link flows with opera and got
a nice three-way handshake at the beginning and a nice
four-way handshake at the end. (Ok, it's an Opera7, so
probably patched or newer IEs do that now, too. Can anyone
- Checked IE 4&5 against Apache and got a nice three-way
handshake at the beginning and a nice four-way handshake
at the end.
So something in the communication between IE and IIS is ...
strange, but not completely broken.
Using nemesis we sent packets to both IIS with just PSH
set and an HTTP request (with and without User-Agent) as
payload. Both answered with an RST. So that looks good to me.
In the meanwhile below that article about the IE/IIS communication
I saw a notice stating that this was an observation back in
1997. That must be around the time of teardrop and land attacks.
I remember vaguely that there was a service pack which replaced
a good deal of the tcp/ip stack.
-- GeNUA mbH
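Added example, not part of the original message: a small classifier that labels TCP flows by the opening and closing patterns described above (three-way handshake, FIN exchange from both sides, teardown by RST, and a PSH-only segment with no handshake). The label names, the `classify_flows` and `handshake` helpers, and all addresses and packet records are assumptions constructed for illustration.

```python
from collections import defaultdict

def classify_flows(packets):
    """packets: (src, dst, flags) tuples, flags a set such as {"SYN", "ACK"}.
    Returns {(endpoint_a, endpoint_b): label} with the endpoints sorted."""
    flows = defaultdict(lambda: {"syn": None, "synack": False, "open": False,
                                 "fins": set(), "rst": False, "stray": False})
    for src, dst, flags in packets:
        f = flows[tuple(sorted((src, dst)))]
        if flags == {"SYN"}:
            f["syn"] = src
        elif flags == {"SYN", "ACK"} and f["syn"] == dst:
            f["synack"] = True
        elif "RST" in flags:
            f["rst"] = True
        elif not f["open"]:
            if f["synack"] and "ACK" in flags and src == f["syn"]:
                f["open"] = True       # third step of the three-way handshake
            else:
                f["stray"] = True      # segment arrived with no handshake before it
        elif "FIN" in flags:
            f["fins"].add(src)         # remember which side sent a FIN
    labels = {}
    for key, f in flows.items():
        if f["stray"]:
            labels[key] = "no-handshake-rst" if f["rst"] else "no-handshake"
        elif not f["open"]:
            labels[key] = "incomplete-handshake"
        elif len(f["fins"]) == 2:
            labels[key] = "graceful-close"   # FIN seen from both sides
        elif f["rst"]:
            labels[key] = "reset-close"      # ended by RST, no full FIN exchange
        else:
            labels[key] = "still-open"
    return labels

def handshake(c, s):
    return [(c, s, {"SYN"}), (s, c, {"SYN", "ACK"}), (c, s, {"ACK"})]

# Constructed sample records (not captured traffic); addresses are placeholders.
SRV = "192.0.2.10:80"
A, B, C = "192.0.2.20:1025", "192.0.2.21:1026", "192.0.2.22:1027"
SAMPLE = (
    handshake(A, SRV) + [(A, SRV, {"PSH", "ACK"}), (SRV, A, {"PSH", "ACK"}), (A, SRV, {"RST"})]
    + handshake(B, SRV) + [(B, SRV, {"FIN", "ACK"}), (SRV, B, {"ACK"}),
                           (SRV, B, {"FIN", "ACK"}), (B, SRV, {"ACK"})]
    + [(C, SRV, {"PSH"}), (SRV, C, {"RST"})]   # PSH-only segment answered with RST
)

if __name__ == "__main__":
    for flow, label in classify_flows(SAMPLE).items():
        print(flow, label)
```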