Re: Help - Port 80 being targeted
From: x y (jamescagney90210@excite.com)
Date: 07/04/02
From: "x y" <jamescagney90210@excite.com> Date: Thu, 4 Jul 2002 08:30:08 -0400
W2k and XP Pro have a limit of only 10 concurrent connections with no way to
expand that, short of upgrading to W2k Server or using another webserver
such as Apache.
What you're seeing could possibly be a Nimda or Code Red worm scanning your
system, or something similar. To find out, check your web logs to see what
URL, if any, that IP address is passing. I don't think there's anything you
can do to 100% guarantee that one computer does not take up all 10 of your
connections [you could double-check this in the IIS MMC in the section on
bandwidth throttling and performance], but you can attempt to keep a worm
from doing this. Here are some things you could try:
- Install IIS Lockdown from microsoft.com/security or microsoft.com/download
as it includes URLScan [probably won't help but is a very good idea for
security]
- Run BlackICE in Paranoid mode. I understand that this is the only mode
that actually blocks all of the incoming requests. Other modes let at least
the first request through.
- Follow the security checklist at www.microsoft.com/security for securing
IIS, especially the parts about deleting unnecessary files. I think some
IIS worm scans may look for the existence of a certain file, and if that
file is found, it may send a dozen more URLs / connection requests to your
server even if it has been patched and is not vulnerable. The first URL or
first few URLs in an attack as shown in your web logs might be the file that
the worm is first looking for.
- Check your IIS logs, determine which worm, if any, is targeting your system,
then search google.com to find out exactly how the worm begins the scan of
your server and if there is a way to discourage it from sending dozens of
URLs to your web server. Detailed analyses of Nimda and Code Red are
probably at www.cert.org
"Nick" <nlel@ecosse.net> wrote in message
news:ag1cv4$i8qt7$1@ID-77022.news.dfncis.de...
> Hi;
>
> I have a webserver running on Port 80. The system has BlackIce Defender
> IDS/Firewall and Norton AntiVirus running on it.
>
> I also use the dns2go.com client for name resolution.
>
> Problem;
>
> I use the dns2go.com client connection watcher and spotted this behaviour;
>
> I am occasionally getting multiple HTTP connections to port 80 from the same
> IP address on different remote ports. The result of this is error "403.2
> Access Denied to many users" when someone tries to access my webserver.
>
> Sometimes there are 5 connections, sometimes 10, but usually from a single IP
> address on different remote ports. The only thing I can do is block the
> remote IP address or IP address range and restart the webserver; this seems
> to get rid of them and the webserver is accessible again.
>
> What could this be? I am right in thinking it's not normal behaviour (I am
> using XP Pro IIS with all the latest security updates)
>
>
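
The log check suggested in the reply above, as an added example that is not part of the original post: it reads an IIS W3C extended log, counts requests per client IP, and labels clients whose URLs match the commonly documented probe paths of Code Red (/default.ida) and Nimda (root.exe, cmd.exe). The log lines, addresses and the burst threshold of 5 are constructed for illustration, and a request count in the log is only a rough stand-in for concurrent connections.

```python
import re
from collections import defaultdict

# Commonly documented probe paths of the two worms named in the post,
# matched against the URI stem only.
SIGNATURES = {
    "Code Red": re.compile(r"/default\.ida$", re.I),
    "Nimda": re.compile(r"/(root|cmd)\.exe$", re.I),
}

# Constructed sample log (W3C extended format); IPs are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.1
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-07-04 08:01:10 192.0.2.10 GET /scripts/root.exe /c+dir 404
2002-07-04 08:01:10 192.0.2.10 GET /MSADC/root.exe /c+dir 404
2002-07-04 08:01:11 192.0.2.10 GET /c/winnt/system32/cmd.exe /c+dir 404
2002-07-04 08:01:11 192.0.2.10 GET /d/winnt/system32/cmd.exe /c+dir 404
2002-07-04 08:01:12 192.0.2.10 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404
2002-07-04 08:05:42 198.51.100.7 GET /default.ida NNNNNNNNNNNNNNNN%u9090%u6858 404
2002-07-04 08:07:03 203.0.113.5 GET /index.html - 200
2002-07-04 08:07:04 203.0.113.5 GET /images/logo.gif - 200
"""

def summarize(log_text, burst=5):
    """Return {client_ip: {"requests": n, "worm": name or None, "burst": bool}}."""
    fields = []
    per_ip = defaultdict(lambda: {"requests": 0, "worm": None})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column layout may change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if "c-ip" not in row or "cs-uri-stem" not in row:
            continue                    # logging config lacks the needed columns
        entry = per_ip[row["c-ip"]]
        entry["requests"] += 1
        for worm, pattern in SIGNATURES.items():
            if pattern.search(row["cs-uri-stem"]):
                entry["worm"] = worm
    for entry in per_ip.values():
        entry["burst"] = entry["requests"] >= burst
    return dict(per_ip)

if __name__ == "__main__":
    for ip, info in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, info)
```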