Security Incidents mailing list archives
"Ticken" web attacks?
From: Steve Friedl <steve () unixwiz net>
Date: Wed, 15 Nov 2006 19:03:32 -0800
Good evening, all, A customer recently underwent a denial-of-service attack where the many attacking machines submitted HTTP requests that consisted of nothing but Ticken <%/%>%:|||:<&%%><<><?> Plus the usual CR/LF + CR/LF. Normally one would expect to find GET or POST or HEAD, followed by the URL, followed by the HTTP/1.0 or /1.1 version, then several lines of headers, then a blank line to mark the end of the headers, but Ethereal showed just the above string of bytes. Apache was returning a 400 message (bad request), but it was getting past the load-balancer filters. $ telnet www.unixwiz.net 80 Trying 216.39.106.163... Connected to www.unixwiz.net. Escape character is '^]'. --> Ticken <%/%>%:|||:<&%%><<><?> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>400 Bad Request</TITLE> </HEAD><BODY> <H1>Bad Request</H1> Your browser sent a request that this server could not understand.<P> <HR> <ADDRESS>Apache/1.3.31 Server at mvp.unixwiz.net Port 80</ADDRESS> </BODY></HTML> Connection closed by foreign host. We're totally at a loss to figure out what this might be about, or what purpose might have been served by this curious request string. Google has been no source of joy. Has anybody seen this before? Steve -- Stephen J Friedl | Security Consultant | UNIX Wizard | +1 714 544-6561 www.unixwiz.net | Tustin, Calif. USA | Microsoft MVP | steve () unixwiz net ------------------------------------------------------------------------------ This List Sponsored by: Black Hat Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas. World renowned security experts reveal tomorrow's threats today. Free of vendor pitches, the Briefings are designed to be pragmatic regardless of your security environment. Featuring 36 hands-on training courses and 10 conference tracks, networking opportunities with over 2,500 delegates from 40+ nations. http://www.blackhat.com ------------------------------------------------------------------------------
Current thread:
- "Ticken" web attacks? Steve Friedl (Nov 16)
- RE: "Ticken" web attacks? James C. Slora Jr. (Nov 23)
- <Possible follow-ups>
- Re: "Ticken" web attacks? bucklerk (Nov 17)
- Re: Re: "Ticken" web attacks? bucklerk (Nov 18)
- Re: Re: "Ticken" web attacks? Dude VanWinkle (Nov 20)
- Re: Re: "Ticken" web attacks? K.M. Jeary (Nov 20)
- Re: "Ticken" web attacks? Radu Oprisan (Nov 20)
- Re: "Ticken" web attacks? Valdis . Kletnieks (Nov 20)