Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Odd Apache/MSIE issue with downloads from ISC

Published: 2009-10-14
Last Updated: 2009-10-14 15:05:43 UTC
by Johannes Ullrich (Version: 1)
15 comment(s)

This diary is a bit unusual in that the problem here is very close to home, the ISC/DShield website. But I figure among all of our readers, there may be one who can help. I have seen others describing the same issue, but so far I haven't found a solution.

The problem:

Users who download our log submission client using Internet Explorer frequently receive truncated files. Firefox appears to download them fine. In either case, the server logs a "200" status and the file size in our Apache access log is correct (about 2.2 MBytes). However, the users only receives 200-300kBytes. A packet capture confirms that only 200-300kBytes got transfered. As MSIE starts the download, it does display the correct file size (and the content-length header is correct)

Some of the issues we excluded:

mod_security, firewall, IPS

Also note that the downloads work fine with Firefox, so the server is perfectly capable of sending the file. Any help is appreciated.

Link to the file: http://isc.sans.org/clients/cvtwin-setup.exe

Here is a packet dump of the end of the connection:

IP client.54436 > server.80: Flags [.], ack 193105, win 32850, length 0
IP server.80 > client.54436: Flags [.], ack 646, win 1783, length 1460
IP client.54436 > server.80: Flags [.], ack 196025, win 32850, length 0
IP server.80 > client.54436: Flags [.], ack 646, win 1783, length 1460
IP server.80 > client.54436: Flags [FP.], seq 215005:216465, ack 646, win 1783, length 1460
IP client.54436 > server.80: Flags [.], ack 198945, win 32120, length 0
IP client.54436 > server.80: Flags [.], ack 200405, win 32850, length 0
IP client.54436 > server.80: Flags [.], ack 203325, win 32850, length 0
IP client.54436 > server.80: Flags [.], ack 207705, win 32850, length 0
IP client.54436 > server.80: Flags [.], ack 210625, win 32850, length 0
IP client.54436 > server.80: Flags [.], ack 212085, win 32120, length 0
IP client.54436 > server.80: Flags [.], ack 213545, win 32850, length 0
IP client.54436 > server.80: Flags [.], ack 216466, win 32120, length 0
IP client.54436 > server.80: Flags [F.], seq 646, ack 216466, win 32850, length 0
IP server.80 > client.54436: Flags [.], ack 647, win 1783, length 0

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: apache MSIE
15 comment(s)
Join us at SANS! Attend Intrusion Detection In-Depth with Johannes Ullrich in Online starting Oct 11 2021
Top of page
Diary Archives