Good evening, all,
A customer recently underwent a denial-of-service attack where the many
attacking machines submitted HTTP requests that consisted of nothing but
Ticken <%/%>%:|||:<&%%><<><?>
Plus the usual CR/LF + CR/LF.
Normally one would expect to find GET or POST or HEAD, followed by the
URL, followed by the HTTP/1.0 or /1.1 version, then several lines of
headers, then a blank line to mark the end of the headers, but Ethereal
showed just the above string of bytes.
Apache was returning a 400 message (bad request), but it was getting past
the load-balancer filters.
$ telnet www.unixwiz.net 80
Trying 216.39.106.163...
Connected to www.unixwiz.net.
Escape character is '^]'.
--> Ticken <%/%>%:|||:<&%%><<><?>
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>400 Bad Request</TITLE>
</HEAD><BODY>
<H1>Bad Request</H1>
Your browser sent a request that this server could not understand.<P>
<HR>
<ADDRESS>Apache/1.3.31 Server at mvp.unixwiz.net Port 80</ADDRESS>
</BODY></HTML>
Connection closed by foreign host.
We're totally at a loss to figure out what this might be about, or what
purpose might have been served by this curious request string. Google has
been no source of joy.
Has anybody seen this before?
Steve
--
Stephen J Friedl | Security Consultant | UNIX Wizard | +1 714 544-6561
www.unixwiz.net | Tustin, Calif. USA | Microsoft MVP | steve@unixwiz.net
------------------------------------------------------------------------------
This List Sponsored by: Black Hat
Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas.
World renowned security experts reveal tomorrow's threats today. Free of
vendor pitches, the Briefings are designed to be pragmatic regardless of your
security environment. Featuring 36 hands-on training courses and 10 conference
tracks, networking opportunities with over 2,500 delegates from 40+ nations.
http://www.blackhat.com
------------------------------------------------------------------------------
