"Ticken" web attacks? Nov 16 2006 03:03AM
Steve Friedl (steve unixwiz net) (1 replies)
Good evening, all,

A customer recently underwent a denial-of-service attack where the many
attacking machines submitted HTTP requests that consisted of nothing but

Ticken <%/%>%:|||:<&%%><<><?>

Plus the usual CR/LF + CR/LF.

Normally one would expect to find GET or POST or HEAD, followed by the
URL, followed by the HTTP/1.0 or /1.1 version, then several lines of
headers, then a blank line to mark the end of the headers, but Ethereal
showed just the above string of bytes.

Apache was returning a 400 message (bad request), but it was getting past
the load-balancer filters.

$ telnet 80
Connected to
Escape character is '^]'.
--> Ticken <%/%>%:|||:<&%%><<><?>
<TITLE>400 Bad Request</TITLE>
<H1>Bad Request</H1>
Your browser sent a request that this server could not understand.<P>
<ADDRESS>Apache/1.3.31 Server at Port 80</ADDRESS>
Connection closed by foreign host.

We're totally at a loss to figure out what this might be about, or what
purpose might have been served by this curious request string. Google has
been no source of joy.

Has anybody seen this before?


Stephen J Friedl | Security Consultant | UNIX Wizard | +1 714 544-6561 | Tustin, Calif. USA | Microsoft MVP | steve (at) unixwiz (dot) net [email concealed]

This List Sponsored by: Black Hat

Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas.
World renowned security experts reveal tomorrow's threats today. Free of
vendor pitches, the Briefings are designed to be pragmatic regardless of your
security environment. Featuring 36 hands-on training courses and 10 conference
tracks, networking opportunities with over 2,500 delegates from 40+ nations.

[ reply ]
RE: "Ticken" web attacks? Nov 22 2006 12:34AM
James C. Slora Jr. (james slora phra com)


Privacy Statement
Copyright 2010, SecurityFocus