Re: Strange problem with IIS and Denial of Service attack...
From: Larry (nospam_at_home.com)
Date: 07/30/03
- Next message: Denis Garon: "checkpoint, remove fw putkey -opsec possible?"
- Previous message: Larry: "Re: Still Can't Block 135 with Symantec Firewall 2.01."
- In reply to: Justin: "Strange problem with IIS and Denial of Service attack..."
- Next in thread: R Green - WoWsat.com: "Re: Strange problem with IIS and Denial of Service attack..."
Date: Wed, 30 Jul 2003 12:05:19 GMT
What's the IP address? Have you done a whois query to see which
Microsoft server it is talking to, to see if there is an update or
patch fix? That's a lot of what you see going on during idle
periods....
Give us the "attacker" IP so we can find out what it is.
On 30 Jul 2003 00:12:02 -0700, justin_edmunds2001@yahoo.co.uk (Justin)
wrote:
>I've got an interesting problem with my webserver.
>
>CURRENT STATE
>Over the last two weeks my website and email server has been down as
>it seems to be attacked by an ICMP Echo Request flood. It always
>originates from a single IP address. The result is my machine is
>totally inaccessible whilst this is occurring.
>
>THE CLINCHER
>However, on investigating I've noticed that if I use the server all is
>OK. The network is accessible and emails are able to come in.
>If I leave the server for an hour or so, the attacking seems to start.
>As soon as I go back to the server, and open Internet Explorer (not
>just move the mouse as this has no effect) - the attacking will stop
>and the webserver and email services will again be accessible.
>
>CONCLUSION
>So it seems that as soon as IE is accessing the internet my server is
>accessible... Very strange - I seem to have some sort of trojan that
>only kicks in when there is no detected internet activity. Recently, I
>was able to stop the floods by leaving IE on a website (news.com.au)
>that refreshes itself automatically every minute. This is currently
>how I can stop the floods.
>
>* I have a Netgear firewall which only allows in HTTP and SMTP traffic
>for the webserver and Email server.
>* I have put ZoneAlarm on to try and trap the thing going out
>* I've tried a full virus scan with the latest from Norton Antivirus.
>
>Anyone seen this sort of thing before?
>
>Justin
>(Server running Win2k Server and IIS5 and latest hotfixes)
Larry W4CSC
"No, NO, Mr Spock! I said beam me down a WRENCH,
not a WENCH! KIRK OUT!"