December 9th, 2003, 06:30 PM
#1
Anyone familiar with Cross-site Tracking attacks?
In the past week or so I have seen a tremendous increase in unsafe methods used in WWW traffic to my webservers. I have seen TRACE, SEARCH and PROPFIND being used during these attacks. My IDS logs would usually only show a TRACE method against a webserver about once a month, where now I'm seeing something on the order of 150-200 a day per server instance.
I started research on this a while back, when I first saw a couple of TRACE methods used against my webservers, and found that it was most likely linked to Cross-site Tracking (XST) attacks, but so far I have found little to nothing regarding this style of attack. Whitehat Security had a write-up about it in PCMag and they seemed to have had a white paper about it at some point, but then a few people in the security community, most notably Thor Larholm, came out hard against them saying that they had not discovered anything new and that it was all FUD they were spreading anyway. So my research into how these attacks work has been very limited.
Now as far as I can tell my webservers aren't accepting these methods. We are running Sun ONE 6.1 and I checked the obj.conf file for anything regarding those three methods. They are not listed anywhere in there, and the only thing that my servers seem to be responding to are GET, POST and HEAD. Now doing the tests that Sun recommends to verify if these methods are indeed not being serviced yielded something other than spectacular results. Doing the telnet TRACE method on the localhost should result in:
HTTP/1.1 405 Method Not Allowed
Server: Sun-ONE-Web-Server/6.1
instead what I get is:
HTTP/1.1 error timeout
Server: Sun-ONE-Web-Server/6.1
Not exactly what I wanted to see, so I'm still not sure if these webservers are not processing these methods or if the request is just taking too long. Also keep in mind that there are up to 8 instances of these webservers running on each machine I'm testing, and only some of them have access to the docs dir in the first place, so it could be that I'm just hitting up against the wrong instances for this test.
I guess what I'm asking for here is for someone to point me in the correct direction to:
1. Learn how this style of attack really works
2. What I have to do to defend against them
3. What I can do to REALLY verify that my servers are not vulnerable to these types of attacks.
Considering the nature of these attacks I know that some people will not want to respond in a public forum like this with whitepaper information that can show how to perform these attacks, so if you feel this way just drop me a PM... I'll even take basic information regarding these attacks. Oh and before you ask, yes I Googled it and no I didn't find any satisfactory results doing that.
Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.
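The third item in the post, verifying that a server really refuses TRACE, is the same check the telnet test performs, but done in a way that distinguishes a proper 405 from the "HTTP/1.1 error timeout" result described above. The following is an added example, not code from the original post or from Sun's documentation: it sends one raw TRACE request, classifies the reply as "refused" (405/403/501), "reflected" (a 200 whose body echoes the request, i.e. TRACE is enabled) or "inconclusive" (timeout, connection error, or a malformed status line such as the one quoted in the post), and includes a small local server that emulates both a hardened and a legacy configuration so the probe can be exercised offline. The function names, the demo server and the sample responses are all constructed for this example.

```python
import socket
import socketserver
import threading

# Minimal HTTP/1.1 TRACE request; Host header is filled in per target.
TRACE_REQUEST = b"TRACE / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n"


def classify_trace_response(raw):
    """Classify a raw HTTP response to a TRACE request.

    'reflected'    - 200 whose body echoes the request: TRACE is enabled.
    'refused'      - 403/405/501: the server does not service TRACE.
    'inconclusive' - empty reply, timeout, or a status line that is not
                     'HTTP/x.y <digits>' (e.g. 'HTTP/1.1 error timeout').
    """
    if not raw:
        return "inconclusive"
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return "inconclusive"
    code = int(parts[1])
    if code == 200 and b"TRACE / HTTP/1.1" in body:
        return "reflected"
    if code in (403, 405, 501):
        return "refused"
    return "inconclusive"


def probe_trace(host, port, timeout=5.0):
    """Send one TRACE request and classify the reply; network errors and
    timeouts are reported as 'inconclusive' rather than as a pass."""
    request = TRACE_REQUEST % host.encode()
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except (socket.timeout, OSError):
        return "inconclusive"
    return classify_trace_response(b"".join(chunks))


class _DemoHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for a web server; not Sun ONE or any real product.
    reflect_trace=False answers 405 like a hardened server; True echoes the
    request as a legacy server with TRACE enabled would."""
    reflect_trace = False

    def handle(self):
        request_line = self.rfile.readline()
        headers = b""
        while True:
            line = self.rfile.readline()
            headers += line
            if line in (b"\r\n", b""):
                break
        if request_line.startswith(b"TRACE ") and self.reflect_trace:
            body = request_line + headers
            resp = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n"
                    b"Content-Length: %d\r\nConnection: close\r\n\r\n" % len(body) + body)
        elif request_line.startswith(b"TRACE "):
            resp = (b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, POST, HEAD\r\n"
                    b"Content-Length: 0\r\nConnection: close\r\n\r\n")
        else:
            resp = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
        self.wfile.write(resp)


def start_demo_server(reflect_trace=False):
    """Start the demo server on a free loopback port; returns (server, port).
    Stop it with server.shutdown(); server.server_close()."""
    handler = type("DemoHandler", (_DemoHandler,), {"reflect_trace": reflect_trace})
    server = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    for reflect in (False, True):
        srv, port = start_demo_server(reflect_trace=reflect)
        print("demo server reflect_trace=%s -> %s" % (reflect, probe_trace("127.0.0.1", port)))
        srv.shutdown()
        srv.server_close()
    # Against a real instance: probe_trace("localhost", 80)
```

Run the probe once per server instance and port rather than once per machine, since the post notes that several instances share a host; an "inconclusive" result on one instance is a reason to retest with a longer timeout or against the instance that actually serves the document root, not evidence that TRACE is disabled.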