RE: Excessively large URI attacks: msg#00016

security.intrusions

Subject: RE: Excessively large URI attacks

Got Packets?

Donald.Smith@xxxxxxxxx GCIA
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
pgpFingerPrint:9CE4 227B B9B3 601F B500 D076 43F1 0767 AF00 EDCC
kill -13 111/2

> -----Original Message-----
> From: intrusions-bounces@xxxxxxxxxxxxxx [mailto:intrusions-bounces@xxxxxxxxxxxxxx] On Behalf Of Barry Fitzgerald
> Sent: Thursday, May 06, 2004 7:37 AM
> To: Intrusions List (GCIA Practicals)
> Subject: Re: [Intrusions] Excessively large URI attacks
>
>
> That's precisely what I'm seeing. They aren't breaking anything on my
> end either, but they're excessively long. This certainly seems
> different than the average Webdav attacks we've been seeing, but perhaps
> it's just an attempt to exploit a generic overflow. Anyone have any
> thoughts?
>
> -Barry
>
> Tom Glaab wrote:
>
> >
> >> Has anyone seen an uptick in attacks using excessively large URIs and
> >> SEARCH strings?
> >
> >
> >
> > No uptick, but I've been seeing them for a few weeks. They don't seem
> > to be breaking anything and there's been no discussion here, so I've
> > just been watching them.
> >
> > They all look the same:
> >
> > 65.43.212.205 - - [02/May/2004:17:03:21 -0400] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1.....
> >
> >
> > and end with pages of \x90
> >
> > tg.
> >
> >
> >
> > _______________________________________________
> > Intrusions mailing list
> > Intrusions@xxxxxxxxxxxxxx
> > http://www.dshield.org/mailman/listinfo/intrusions
> >
> >
>
_______________________________________________
Intrusions mailing list
Intrusions@xxxxxxxxxxxxxx
http://www.dshield.org/mailman/listinfo/intrusions
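
Added example, not part of any message in the thread: a Python filter for access-log entries like the one Tom Glaab quotes, i.e. SEARCH requests whose URI is very long and made up mostly of \xhh-escaped bytes. The thresholds, function names and sample log lines are assumptions constructed for illustration.

```python
import re

# Apache common-log prefix: client, identd, user, [timestamp], "METHOD URI ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S*)')
# Apache logs each non-printable request byte as \xhh, so one escape is one byte.
ESC_RE = re.compile(r'\\x[0-9a-fA-F]{2}')

MAX_URI_BYTES = 2048     # assumed threshold; tune to the longest legitimate URI
MIN_ESCAPED_RATIO = 0.5  # assumed share of escaped bytes that marks binary padding


def uri_stats(uri):
    """Return (byte_length, escaped_ratio) for a URI as it appears in the log."""
    escaped = len(ESC_RE.findall(uri))
    length = len(ESC_RE.sub('.', uri))  # collapse each escape to a single byte
    return length, (escaped / length if length else 0.0)


def flag_oversized(lines, methods=("SEARCH",)):
    """Yield (client, timestamp, method, byte_length) for suspicious requests."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        client, ts, method, uri = m.groups()
        length, ratio = uri_stats(uri)
        if method in methods and length > MAX_URI_BYTES and ratio >= MIN_ESCAPED_RATIO:
            yield client, ts, method, length


# Constructed sample lines (documentation addresses, not traffic from the thread).
SAMPLE = [
    # long SEARCH URI in the shape quoted above, ending in a run of \x90
    '192.0.2.10 - - [02/May/2004:17:03:21 -0400] "SEARCH /'
    + r'\x90' + r'\x02\xb1' * 1500 + r'\x90' * 2000 + ' HTTP/1.1" 404 -',
    # ordinary short SEARCH request
    '192.0.2.11 - - [02/May/2004:17:04:02 -0400] "SEARCH /docs/ HTTP/1.1" 207 512',
    # long but fully printable GET: over the length limit, not binary padding
    '192.0.2.12 - - [02/May/2004:17:05:40 -0400] "GET /index.html?'
    + 'q=a&' * 600 + ' HTTP/1.1" 200 1043',
]

if __name__ == "__main__":
    for hit in flag_oversized(SAMPLE):
        print("%s %s %s uri_bytes=%d" % hit)
```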


