RE: Strange IIS behavior,

From: Gürkan Papila (Gurkan.Papila@dol.com.tr)
Date: 11/12/01 

Message-ID: <6F11274B628C564AA0A0D756F1E2C21E03CF22@DOLXCH05.DOL.int>
From: Gürkan Papila <Gurkan.Papila@dol.com.tr>
To: "'kledi@kledi.com'" <kledi@kledi.com>, focus-ms@securityfocus.com
Subject: RE: Strange IIS behavior,
Date: Mon, 12 Nov 2001 17:36:52 +0200

1- Use Microsoft`s new Security Tool Kit.To find out latest patches
2- To define DOS Attacks , capture Network statistics with a Network Monitor
Tool for suspicious requests ...
3- Do Virus Scan on your Server ...

-----Original Message-----
From: Kledi [mailto:kledi@kledi.com]
Sent: 11 Kasım 2001 Pazar 21:25
To: focus-ms@securityfocus.com
Subject: Strange IIS behavior,

Hello,

I am a sysadm for an Internet provider, most of our systems are running
linux, but we have an NT box because some customers require ASP. In the last

couple of days, apparently we are experiencing some DoS attacks, and it
seems
hard to figure out where these come from.

What happens is that IIS keeps running, but port 80 does not remain open any

more. If I restart IIS, with the network cable attached, port 80 will remain

open, and I would be able to connect to it (localy). Another test I did was
I
disabled our internet connection interfaces on the main routers, and
restarted IIS, and it did not stop responding. My suspection is some kind of

a DoS attack, but even looking at all the logs of the connections to our
webserver, I do not see any specific host or network that is connecting to
the server frequently.

Any suggestions?

Best Regards,
Kledi

Quantcast