Re: New http attack?

From: Tomaz Solc (tomaz.solc_at_siol.net)
Date: 06/08/05

  • Next message: Jason Falciola: "Re: New http attack?"
    Date: Wed, 08 Jun 2005 21:42:24 +0200
    To: "Keith T. Morgan" <keith.morgan@terradon.com>
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Hi

    I've been seeing this kind of traffic on a number of servers since 30
    May with peak on 2 June (around 100 requests per day). The number of
    requests has been slowly decreasing since (got 4 requests yesterday).

    A colleague first noticed it in his apache logs because of a large
    number of http requests without referrer or user agent headers (other
    than that, apache logs show a normal GET / requests with response 200)

    My first guess was that it is some kind of a worm because the wave of
    requests I've seen came almost exclusively from IPs that are near IPs of
    my servers.

    My google search turned up a few exploits that are using "Authorization:
    Negotiate" header to exploit an old vulnerability in the Microsoft ASN.1
    library (CAN-2003-0818).

    I have a full packet log if anyone is interested.

    Best regards
    Tomaz Solc
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.1 (GNU/Linux)
    Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

    iD8DBQFCp0ogsAlAlRhL9q8RAqCGAJ49vMR+AKPw6LzG181fCpcCp5ruoACeJhjA
    fePddeTwhuM7yKW7ciNKq0k=
    =LldT
    -----END PGP SIGNATURE-----


  • Next message: Jason Falciola: "Re: New http attack?"

    Relevant Pages

    • Re: apache httpd performance
      ... Both servers share same dns server, so I do not think that the DNS can be issue. ... We'd be better off ignoring the Linux results entirely and simply try instead to optimize your FreeBSD performance. ... My big surprise was that CPU: AMD Athlon64 Processor 3200+ can't handle 100 concurrent requests normally e.g. the load on the servers goes very high, and the server does not respond very well during the test. ...
      (freebsd-performance)
    • Re: limiting number of requests of a single hosts
      ... Once or twice a day a DNS burst kills all ... The firewall is due for replacement but in the mean time we would ... Most of our clients however use our AD/LDAP/DNS Microsoft servers as ... this results in a burst of dns requests through our ...
      (comp.protocols.dns.bind)
    • Re: Using external IP/DNS name for accessing internal resources
      ... Is 100.100.100.100 an IP owned by ISA (used for publishing ... When the proxy relays the requests to other servers, ...
      (microsoft.public.isa.publishing)
    • Re: What is this?
      ... >This event is generated when TCP traffic to port 0 is detected. ... This fails on a properly set up firewall. ... accessible DNS servers - one in the DMZ, and two located at our upstream. ... All internal DNS requests go to servers behind the firewall, ...
      (comp.security.firewalls)
    • Re: Memory Manager Tests - using 512 Threads
      ... > In this test, Clients are virtualy flooding the Server with requests, ... > Thread pool in RTC is growing on-demand, ... > long-running requests won't block the rest of the communication. ... > I've set up the Default value to 256, which is what most Web Servers ...
      (borland.public.delphi.thirdpartytools.general)