Re: IIS 5 on Win2k - protecting from DoS and other vulnerabilities

From: Jeff Cochran (jcochran.nospam@naplesgov.com)
Date: 01/27/03


From: jcochran.nospam@naplesgov.com (Jeff Cochran)
Date: Mon, 27 Jan 2003 16:35:19 GMT


> I am a newbie in the security realm. I have a secure site that is hosted
>on IIS and uses client side certificates for access to the site. And,
>further forms based authentication on getting access to the site to use the
>site functionality.
>
>I want to know how significant the threat of DoS attacks is in a secure
>(SSL) based site that uses client side certificates for access. Also, other
>issues/vulnerabilities that I need to watch out for.
>
>I also have a non secure site hosted on the same server as the secure site.
>Does this increase the level of threat and am I better off moving the sites
>onto separate servers?

None of this affects the traditional DoS and DDoS attacks, which rely
on simply there being a network connection; IIS and web sites aren't
involved.

To protect against DoS attacks requires a firewall that understands
them and drops the requests. Even so, your link could get overloaded
if there are enough of them.

Mercifully, if you're not a government web site, news organization or
other high profile site you're likely not a target either. Unless you
piss off some hacker wannabes like I once did... :)

Jeff


