Help - Port 80 being targeted

From: Nick (nlel@ecosse.net)
Date: 07/04/02


From: "Nick" <nlel@ecosse.net>
Date: Thu, 4 Jul 2002 12:52:54 +0100

Hi;

I have a webserver running on Port 80. The system has BlackIce Defender
IDS/Firewall and Norton AntiVirus running on it.

I also use the dns2go.com client for name resolution.

Problem;

I use the dns2go.com client connection watcher and spotted this behaviour;

I am occasionally getting multiple HTTP connections to port 80 from the same
ip address on different remote ports. The result of this is error "403.2
Access Denied to many users" when someone tries to access my webserver.

Sometimes there is 5 connections sometimes 10 but usually from a single ip
address on different remote ports. The only thing I can do is block the
remote IP address or IP address range and restart the webserver this seems
to get rid of them and the webserver is accessible again.

What could this be ? I am right in thinking its not normal behaviour (I am
using XP Pro IIS with all the latest security updates)