Re: Attempted DoS attack???

From: Duane Arnold (notme_at_notme.com)
Date: 10/06/04


Date: Tue, 05 Oct 2004 22:21:33 GMT


"Dee Bee" <db2853@whycertainly.net> wrote in
news:1097001013.890658@mail1.segnet.com:

> Perhaps someone can help me understand what I'm seeing, and if there's
> anything (useful) to do about it.
>
> Our company hosts 3 web sites internally. We have BlackIce Server
> running on all 3 boxes. On all 3 servers I have blocked address
> ranges for foreign ISPs, educational institutions, some large
> corporations, etc. (this happens to work for us due to the unusual
> nature of our business). All told, approximately 10% of all possible
> IP addresses are blocked.
>
> There is a certain level of "background noise" that I get on all 3
> servers. For example, 1 to 3 "TCP_Probe_HTTP" events get logged each
> day, from obviously random IP addresses, due to the fact that those
> particular IP addresses are blocked. So far, so good.
>
> However, on just 1 of the 3 servers, we get occasional "storms" of
> these events. 2 or 3 per minute. Again, I'm only aware of them
> because they are coming from blocked (spoofed, I'm sure) addresses.
> Yet if you extrapolate that to include the addresses I don't block, I
> could be getting 20-30 per minute, and perhaps 1,800 per hour total.
> This will happen around the clock for a few days, then (just as
> suddenly as it started) it goes away, back down to the "background
> noise" level again.
>
> Is this an attempted DoS attack? It doesn't seem to actually cause a
> denial of service for our users. I haven't been able to determine if
> it is slowing down access to that site, however.
>
> The fact that I get this on only one of the 3 servers leads me to
> believe that this is intentional, and directed at that web site. Is
> there anything I can do to track down the source?
>
> Thanks!
>

Maybe you should have a border device like a FW appliance on which you can
set rules to block the IP(s) at the border, instead of doing it at the
machine level with the O/S and BI having to react to the attacks.

I'll assume you have BI's Logging enabled and are using something like
VisualIce (free) to review the logs.

You may also want to use IPsec if these are Win 2K or Win 2K3 servers to
supplement BI. BI will also report the actions of IPsec.

http://www.petri.co.il/block_ping_traffic_with_ipsec.htm
http://www.analogx.com/contents/articles/ipsec.htm

Maybe you can start with the BI logs in your quest to track things down.

Duane :)
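Duane's suggestion to start with the BI logs, worked through as an added example (this script is not from the thread or from the BlackIce product). It takes the original poster's own numbers, 1 to 3 probes a day as background noise versus 2 to 3 a minute during a "storm", and a 10% blocked address space, and turns them into a burst detector plus the poster's extrapolation. The CSV layout (timestamp, event, intruder_ip, victim_ip) and the log lines are constructed for the example; a real BlackIce attack-list export has different columns, so adjust parse_events() to match yours. The thresholds (2 per minute, 3 consecutive minutes) are assumptions to tune against your own baseline.

```python
"""Storm detection over BlackIce-style probe events (added example).

Assumptions: the export is CSV with a header row of
timestamp,event,intruder_ip,victim_ip and timestamps in
'YYYY-MM-DD HH:MM:SS'. The sample below is constructed, not a real log.
"""
import csv
from collections import Counter
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample: two quiet days of background noise around a burst of
# 2 probes/minute for three consecutive minutes early on 2004-10-05.
SAMPLE_LOG = """\
timestamp,event,intruder_ip,victim_ip
2004-10-04 09:12:03,TCP_Probe_HTTP,203.0.113.7,192.0.2.10
2004-10-04 15:47:41,TCP_Probe_HTTP,198.51.100.22,192.0.2.10
2004-10-05 02:00:05,TCP_Probe_HTTP,203.0.113.90,192.0.2.10
2004-10-05 02:00:31,TCP_Probe_HTTP,198.51.100.3,192.0.2.10
2004-10-05 02:01:12,TCP_Probe_HTTP,203.0.113.14,192.0.2.10
2004-10-05 02:01:44,TCP_Probe_HTTP,198.51.100.77,192.0.2.10
2004-10-05 02:02:09,TCP_Probe_HTTP,203.0.113.201,192.0.2.10
2004-10-05 02:02:58,TCP_Probe_HTTP,198.51.100.3,192.0.2.10
2004-10-05 11:30:00,TCP_Probe_HTTP,203.0.113.55,192.0.2.10
"""


def parse_events(text):
    """Return a list of (timestamp, event_name, intruder_ip) tuples."""
    reader = csv.DictReader(StringIO(text))
    return [(datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S"),
             row["event"], row["intruder_ip"]) for row in reader]


def events_per_minute(events, event_name="TCP_Probe_HTTP"):
    """Count matching events per wall-clock minute (seconds truncated)."""
    return Counter(ts.replace(second=0, microsecond=0)
                   for ts, name, _ in events if name == event_name)


def _close_run(run, storms, min_consecutive):
    # A run only counts as a storm once it has lasted min_consecutive minutes.
    if run is not None and run["length"] >= min_consecutive:
        storms.append((run["start"], run["last"], run["total"]))


def find_storms(events, event_name="TCP_Probe_HTTP",
                min_per_minute=2, min_consecutive=3):
    """Return (start_minute, end_minute, total_events) for every stretch of
    at least min_consecutive adjacent minutes each carrying at least
    min_per_minute events. Minutes with no events are absent from the
    counter, so a quiet minute breaks the run via the adjacency check."""
    per_min = events_per_minute(events, event_name)
    storms, run = [], None
    for minute in sorted(per_min):
        n = per_min[minute]
        if n < min_per_minute:
            _close_run(run, storms, min_consecutive)
            run = None
            continue
        if run is not None and minute - run["last"] == timedelta(minutes=1):
            run["last"], run["total"], run["length"] = minute, run["total"] + n, run["length"] + 1
        else:
            _close_run(run, storms, min_consecutive)
            run = {"start": minute, "last": minute, "total": n, "length": 1}
    _close_run(run, storms, min_consecutive)
    return storms


def extrapolate_total(observed, blocked_fraction):
    """The poster's estimate: only probes from blocked addresses are logged,
    so if blocked ranges are blocked_fraction of the address space and the
    sources are spread across it, total traffic is observed / fraction."""
    if not 0 < blocked_fraction <= 1:
        raise ValueError("blocked_fraction must be in (0, 1]")
    return observed / blocked_fraction


def top_sources(events, event_name="TCP_Probe_HTTP", n=5):
    """Most frequent intruder addresses; repeats are the first lead when
    trying to track a source, scattered one-offs suggest otherwise."""
    return Counter(ip for _, name, ip in events if name == event_name).most_common(n)


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    for start, end, total in find_storms(ev):
        minutes = (end - start).total_seconds() / 60 + 1
        visible_rate = total / minutes
        print(f"storm {start:%Y-%m-%d %H:%M} to {end:%H:%M}: {total} logged probes, "
              f"{visible_rate:.1f}/min visible, "
              f"~{extrapolate_total(visible_rate, 0.10):.0f}/min estimated overall")
    print("top sources:", top_sources(ev))
```

Run it against an export with the same four columns and it prints each storm window with the visible rate and the 10x extrapolation the poster described; lower min_per_minute if your background noise is well under 1 a day, raise it if the site is busier.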


