Re: W2K IIS under attack

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 08/05/03


Date: Tue, 5 Aug 2003 13:38:13 -0700


Denial of Service is not necessarily the traffic jam. Denial of Service is
inability to get from point A to point B when you want to do so. It can be
due to a traffic jam between points A and B. A traffic jam can be caused by
too many cars, an accident, a car broken down, etc.

So, until you know what is going on, I wouldn't speculate that it's an
undiscovered security hole. For example, you may have a vulnerable resource
which consumes memory, or you have script code which allows cross-site
scripting attacks, etc.

You should be able to run IISState (tool from IIS Resource Kit) if this is
readily reproducible for additional assistance on what element of the server
is being taxed.

http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&DisplayLang=en

-- 
//David
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Sam" <samwang68@hotmail.com> wrote in message
news:018301c35b7b$3fc66ee0$a401280a@phx.gbl...
Thank you all for the help.
After a few days monitoring, the DoS attacks came from
different IPs; mainly from the US. True, it is possible
that they are even fake IPs. At least, just be glad the
suggested Sygate Firewall gets the job done.
But I am still thinking IIS has an undiscovered security
hole. If DoS attack just functions as the traffic jam,
then IIS will be back online after the DoS stops -- no
more traffic jam. Instead, IIS totally crashes. You have
to restart it; either the IIS service or the server.
After all, I have greatly benefited from the experts from
this group. Thank you all for helping me hold my line,
even though still weak while facing "Demand of Service"
from my wife.
Sam