Re: Help me identify this IIS DoS attack

From: Denis Dimick (denis@dimick.net)
Date: 10/17/02


Date: Wed, 16 Oct 2002 16:03:19 -0700 (PDT)
From: Denis Dimick <denis@dimick.net>
To: Alex Boge <alexb@callitechnic.com>


Sounds to me like one of your web sites is the target of a DoS. This would
explain why your other servers are not being affected. It also sounds like
the attacker is using fake IPs while trying to make the attack. This is
explained by the "random" IPs you see trying to attach to your server.
There is not a whole lot you can do about this, at least from a network
side. Most of the "tools" cost a lot of money and are not really that good
at stopping this type of attack, IMOA.

 Maybe one of the Windows admins on the list can help out, as maybe there
is some setting to add to the web server to drop the fake connections
before the server runs out of resources to serve up the web pages.

Sorry, just a Linux/Apache guy..

Denis

On Wed, 16 Oct 2002, Alex Boge wrote:

> First time poster (forgive any etiquette errors).
>
> Situation:
> Got a NT4 server sitting on about 30 public IPs, IIS4 is running small
> websites on each IP as well as POP3/SMTP mail.
>
> As far as I can tell, it's fully patched up. Shavlik HFNetChk tells me I'm
> as current as can be expected. We've never been hit by anything much
> more than a few dozen CodeRed attempts.
>
> Switched providers recently and suddenly we've been experiencing what I'll
> call DoS attacks against the IIS4 server. The W2K/IIS5 machines on the
> same address block are not affected. I cannot determine what this attack
> is or how to deflect it - other than to manually route to Null0 the source
> IPs.
>
> Observation:
> I know things are amiss when I start getting calls saying website X is not
> responding - usually those that have an .ASP page as their default page.
>
> Checking TCPView I can see 100s to 1000s of port 80 "ESTABLISHED"
> connections all coming from the same source IP. The connects are usually
> about 10-50 to each IP, port 80, on the machine that hosts a web service.
>
> Checking IIS logs I see NOTHING at all showing up. CPU utilization is
> nothing. Memory usage is nothing. The machine is responsive and all other
> services on the machine work just fine. Bandwidth utilization is nothing.
> Just 1000s of port 80 "ESTABLISHED" connections.
>
> Block the IP and eventually they fall off (or I can close them via
> TCPView). A few hours later I can unblock the IP and the attacks are gone.
> I've had about 15 of these in the last 10 days. All coming from wildly
> random outside sources. I've tried to see what's on the other end of the
> source IPs and the ones that give me something appear to be IIS boxes.
>
> Request:
> Can someone offer me some directions to look to determine what this is and
> what I can do to defeat it? It's amazing to me that for 3 years I've been
> with one provider and NEVER had anything like this and in the 10 days
> since I've switched I'm suddenly flooded. The attacks are not coming from
> within the new providers network - they come from anywhere, US to
> Australia to Europe.
>
> Thanks in advance - I hope I posted in the right way to the right place.
>
> ab
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>

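The symptom Alex describes (hundreds of ESTABLISHED port-80 connections from a single source, nothing in the IIS logs, no CPU or bandwidth load) can be checked from saved `netstat -an` output instead of by eyeballing TCPView. The script below is an added example, not code from either poster: it parses Windows-style netstat text, counts ESTABLISHED connections to local port 80 per remote address, shows how each source spreads its connections across the hosted IPs, and flags sources above a threshold. The netstat text is constructed, and the addresses and the 25-connection threshold are assumptions.

```python
"""Spot a single remote address holding dozens of ESTABLISHED port-80
connections, as described in the thread, by parsing `netstat -an` output.

Added example, not from the original post. The netstat text is constructed
to resemble Windows NT/2000 `netstat -an` output; the source address
198.51.100.7 and the threshold of 25 connections are assumptions.
"""
from collections import Counter, defaultdict


def build_sample_netstat():
    """Construct `netstat -an`-style text (constructed sample): one source
    holding 15 connections open to each of three local web IPs, a few
    ordinary visitors, a mail connection, a LISTENING socket and a
    TIME_WAIT entry that must not be counted."""
    lines = ["Active Connections", "",
             "  Proto  Local Address          Foreign Address        State"]
    port = 1040
    for local_ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        for _ in range(15):
            port += 1
            lines.append(f"  TCP    {local_ip}:80          "
                         f"198.51.100.7:{port}      ESTABLISHED")
    lines += [
        "  TCP    192.0.2.10:80          203.0.113.5:3301       ESTABLISHED",
        "  TCP    192.0.2.11:80          203.0.113.9:2210       ESTABLISHED",
        "  TCP    192.0.2.10:80          203.0.113.5:3302       TIME_WAIT",
        "  TCP    192.0.2.10:25          203.0.113.44:4410      ESTABLISHED",
        "  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING",
        "  UDP    192.0.2.10:137         *:*",
    ]
    return "\n".join(lines) + "\n"


def parse_netstat(text):
    """Yield (proto, local_ip, local_port, remote_ip, remote_port, state)
    for each TCP line. Header lines and UDP lines (no state column) are
    skipped. Addresses are split on the last ':' so a port is always found."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0].upper() != "TCP":
            continue
        proto, local, remote, state = fields
        lip, _, lport = local.rpartition(":")
        rip, _, rport = remote.rpartition(":")
        yield proto, lip, lport, rip, rport, state.upper()


def established_by_source(text, local_port="80"):
    """Count ESTABLISHED connections to local_port per remote IP, and per
    (remote IP, local IP) pair so the spread across hosted sites is visible.
    TIME_WAIT, LISTENING and other states are ignored on purpose."""
    per_source = Counter()
    per_pair = defaultdict(Counter)
    for _, lip, lport, rip, _, state in parse_netstat(text):
        if lport == local_port and state == "ESTABLISHED":
            per_source[rip] += 1
            per_pair[rip][lip] += 1
    return per_source, per_pair


def flag_sources(per_source, threshold=25):
    """Return [(remote_ip, count)] for sources at or above threshold,
    busiest first. A browser opens a handful of connections per site, so
    one source holding dozens open at once is worth a look."""
    return sorted(((ip, n) for ip, n in per_source.items() if n >= threshold),
                  key=lambda item: -item[1])


if __name__ == "__main__":
    sample = build_sample_netstat()
    per_source, per_pair = established_by_source(sample)
    for ip, n in flag_sources(per_source):
        spread = ", ".join(f"{lip}={c}" for lip, c in sorted(per_pair[ip].items()))
        print(f"{ip}: {n} ESTABLISHED to :80 ({spread})")
```

To use it on a real box, save `netstat -an > conns.txt` while the problem is happening and pass the file's contents to `established_by_source`. Counting only ESTABLISHED is deliberate: TIME_WAIT entries from normal browsing would otherwise inflate ordinary visitors. The empty IIS logs are consistent with this picture, since IIS writes a log entry when it serves a request, so a connection that is opened and then never sends a complete request leaves no trace in the log.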