Security Incidents mailing list archives
RE: Help me identify this IIS DoS attack
From: "Bojan Zdrnja" <Bojan.Zdrnja () FER hr>
Date: Thu, 17 Oct 2002 10:34:25 +0200
-----Original Message-----
From: Denis Dimick [mailto:denis () dimick net]
Sent: 17. listopad 2002 1:03
To: Alex Boge
Cc: incidents () securityfocus com
Subject: Re: Help me identify this IIS DoS attack

Sounds to me like one of your web sites is the target of a DoS. This would explain why your other servers are not being affected. It also sounds like the attacker is using fake IPs while trying to make the attack. This is explained by the "random" IPs you are seeing trying to attach to your server.
I don't think they are using fake IPs. As Alex said, he can see that connections are established. If the attacker used fake IPs he would have to spoof the entire 3-way handshake, which is a much more complicated thing to do than a simple SYN flood, in which you usually use faked IPs.
There is not a whole lot you can do about this, at least from a network side. Most of the "tools" cost a lot of money and are not really that good at stopping this type of attack, IMOA.
A smart firewall should stop this after some threshold from a single IP is reached.
Maybe one of the Windows admins on the list can help out, as maybe there is some setting to add to the web server to drop the fake connections before the server runs out of resources to serve-up the web pages.
As I said, I think those are legitimate connections. Maybe he can only limit the number of connections coming from the same IP (which is also not the best thing to do, as an IP can be a proxy which some organization can use).

Best regards,
Bojan Zdrnja

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
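
Added example, not part of the original message or thread: a triage script for the distinction discussed above, separating completed handshakes (real source addresses) from half-open ones (possibly spoofed) and listing sources above a per-IP threshold. The function name `triage`, the threshold of 3 and the sample connection table are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample in the layout of Windows `netstat -an` (documentation-range IPs).
SAMPLE = """\
  TCP    0.0.0.0:80         0.0.0.0:0            LISTENING
  TCP    192.0.2.10:80      198.51.100.7:1025    ESTABLISHED
  TCP    192.0.2.10:80      198.51.100.7:1026    ESTABLISHED
  TCP    192.0.2.10:80      198.51.100.7:1027    ESTABLISHED
  TCP    192.0.2.10:80      198.51.100.7:1028    ESTABLISHED
  TCP    192.0.2.10:80      198.51.100.7:1029    ESTABLISHED
  TCP    192.0.2.10:80      203.0.113.9:4410     ESTABLISHED
  TCP    192.0.2.10:80      203.0.113.9:4411     ESTABLISHED
  TCP    192.0.2.10:80      203.0.113.50:2200    SYN_RECEIVED
  TCP    192.0.2.10:443     198.51.100.7:1030    ESTABLISHED
"""

def triage(netstat_text, port=80, per_ip_limit=3):
    """Count connections to `port` per remote IP, split by handshake state."""
    established, half_open = Counter(), Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP":
            continue  # headers, UDP rows, blank lines
        local, remote, state = fields[1:]
        if local.rsplit(":", 1)[1] != str(port):
            continue
        ip = remote.rsplit(":", 1)[0]
        if state == "ESTABLISHED":
            established[ip] += 1      # handshake completed: source address is real
        elif state in ("SYN_RECEIVED", "SYN_RECV"):
            half_open[ip] += 1        # handshake pending: source may be spoofed
    n_est, n_half = sum(established.values()), sum(half_open.values())
    return {
        "pattern": "half-open" if n_half > n_est else "established",
        "established": n_est,
        "half_open": n_half,
        # Candidates for review, not automatic blocking: one IP can be a shared proxy.
        "over_limit": {ip: n for ip, n in established.items() if n > per_ip_limit},
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```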