WebApp Sec mailing list archives
RE: Problems with IIS
From: "Andrew van der Stock" <vanderaj () greebo net>
Date: Thu, 12 Aug 2004 02:20:48 +1000
Sorry for missing this thread. I have been assisting a customer who survived the Kazakhstan / Russian extortionists, who DDoS'ed my customer's site for days at a time. The attacks consumed so much bandwidth that it took out all of *Australia* using the Southern Cross undersea cable for 30 minutes early one morning, and took out the entire Northern Territory several times in a row.

There is no technical "solution" to DDoS except geographically distributed servers, such as Akamai. Even then, it does not always work. Reducing the battle fleet sizes is very important. FORCING everyone to automatically patch their boxes, keep anti-virus up to date, and outlawing the creation of malicious software, zombies and spyware would all help. XP SP2 default configuration is a step in the right direction here and definitely part of the solution.

In the attacks I have seen, there are no real addresses to block as all packets are spoofed. DDoS "shields" were useless for us, and hide the information you need to figure out what really happened using a real network IDS like Snort or similar. For this reason, I would like to see Cisco, Nortel, and other carrier equipment providers (DSLAMs, digital modem banks, etc.) drop source packet routing and spoofed source IP addresses. There is no valid reason to route fake packets. Ever. ISP customers who fake IP packets should be shunted to a quarantine area for assistance to clean up their PCs.

Work with your ISP to determine if they can shape and ACL your upstream router, so you don't have to deal with a lot of data coming in. For example, if you limit SYNs to say 40 - 50 a second, and only allow port 80 and 443 inbound, and the rest is blocked by the ISP, you are likely to be able to survive script kiddie level attacks (10-100 zombies). Most of the zombie traffic we had in the first two attacks was random UDP traffic on zillions of ports. This was uselessly sent through and hit the firewalls, which promptly died under the load.

Lastly, you may be able to work on null routing your BGP AS outside your own country. We did this to great effect during the worst attacks. There was still a background hit from infected zombies from within Australia, but not enough to take anyone off the air.

The only true solution is extradition and lengthy jail sentences for the criminals who launch DDoS attacks, proportionate to the damage committed, including looking at the type of battle fleet the crims are running. For example, a script kiddie with 100 desktops would get less time than the organized crime hood who has a battle fleet of 10,000 (or more) compromised hosts.

If there is an extortion letter, the best bet is to take it to law enforcement immediately and do not correspond with the criminals until after you have talked to the police. You are almost certainly not the only one being targeted. If you get stuck, I can put you in contact with the right law enforcement people for Australia who can direct you to the right people in your area.

Andrew
-----Original Message-----
From: Bénoni MARTIN [mailto:Benoni.MARTIN () libertis ga]
Sent: 16 July 2004 09:07
To: Dinis Cruz
Subject: RE: Problems with IIS

Huh, I had a question for you then: is there something new in Windows 2003 and / or in IIS 6.0 which will help us to avoid DOS attacks?

From: Marcelo Leão Caffaro [mailto:leao () employer com br]
Sent: 14 July 2004 11:25
To: webappsec () lists securityfocus com
Subject: Problems with IIS

Hi, I'm a security analyst for a big website. This website works with an average of 1000 simultaneous accesses, and my problem is: my server is IIS 5.0 running on Microsoft Windows 2000 Advanced Server, with 2 GB of RAM. On the website users can add a new curriculum vitae (totally free) and search for new job opportunities for free, or, if the user pays the monthly plan, the user can see the full description of the job opportunities (name of employer, address, etc.). The most recent job opportunities are sent to VIP users...

In the last 2 days I have seen an abnormal number of visits to the site. After checking the log I see one difficult method of attack: this attack works with simultaneous connections. If I check the website database, I can see 30 or 50 queries to the website database (MS-SQL), but in the log in one second I have more than 30 IPs. The log does not contain any known attack string, unicode, or another IIS bug; the log has the URL only... My dllhost stays at 950 MB and I get a dllhost error. After a reboot, one or 2 seconds after the network restarts, the process CPU is at 100%. I think this attack is many bots making numerous queries to the database to decrease the web performance...

My question is: what is the best way to stop this type of attack? If I make one session with IP, cookies and reverse DNS, can I stop this? Can anyone help me?
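The kind of triage the thread describes, written out as an added example (not code from this thread or from any of the posters): it walks a per-second packet summary, counts SYNs against the 40-50 per second figure Andrew mentions, flags the "random UDP on zillions of ports" pattern, and measures whether the sources are so spread out that per-IP blocking (the original poster's idea) could never keep up. The log line format, the UDP port-spread threshold, the 0.9 distinct-source ratio and every address in the sample are constructed assumptions for the example.

```python
"""Flood triage over a constructed per-packet log (added example, not from the thread)."""
import re
from collections import defaultdict

# Thresholds: the SYN figure comes from the thread (40-50 SYN/s); the others are assumed.
SYN_PER_SEC_LIMIT = 50
UDP_DISTINCT_PORTS_LIMIT = 20
DISTINCT_SOURCE_RATIO = 0.9          # >90% unique sources in a busy second
ALLOWED_TCP_PORTS = {80, 443}        # the ISP ACL policy suggested in the thread

# Assumed log format: "<epoch> <proto> <src>:<sport> -> <dst>:<dport> [flags]"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?: (?P<flags>[A-Z]+))?$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": int(d["ts"]), "proto": d["proto"], "src": d["src"],
            "dport": int(d["dport"]), "flags": d["flags"] or ""}


def triage(lines):
    """Bucket packets by second and attach verdicts to each bucket."""
    buckets = defaultdict(lambda: {"pkts": 0, "syn": 0, "udp": 0, "off_policy": 0,
                                   "udp_ports": set(), "srcs": set()})
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        b = buckets[p["ts"]]
        b["pkts"] += 1
        b["srcs"].add(p["src"])
        if p["proto"] == "TCP":
            if p["flags"] == "S":                 # bare SYN, no ACK
                b["syn"] += 1
            if p["dport"] not in ALLOWED_TCP_PORTS:
                b["off_policy"] += 1
        else:
            b["udp"] += 1
            b["udp_ports"].add(p["dport"])
            b["off_policy"] += 1                  # policy allows no inbound UDP at all

    report = {}
    for ts, b in sorted(buckets.items()):
        verdicts = []
        if b["syn"] > SYN_PER_SEC_LIMIT:
            verdicts.append("syn_flood")
        if len(b["udp_ports"]) > UDP_DISTINCT_PORTS_LIMIT:
            verdicts.append("udp_scatter")
        # Nearly every packet from a different address: blocking by IP cannot keep up,
        # the sources are most likely spoofed, and the fix belongs upstream (rate limit, ACL).
        if b["pkts"] >= 20 and len(b["srcs"]) / b["pkts"] > DISTINCT_SOURCE_RATIO:
            verdicts.append("per_ip_blocking_ineffective")
        report[ts] = {"pkts": b["pkts"], "syn": b["syn"], "udp": b["udp"],
                      "udp_ports": len(b["udp_ports"]), "distinct_srcs": len(b["srcs"]),
                      "off_policy": b["off_policy"], "verdicts": verdicts}
    return report


def build_sample_log():
    """Constructed sample: one quiet second, one SYN flood second, one UDP scatter second."""
    lines = []
    legit = [("192.0.2.10", 80), ("192.0.2.11", 443), ("192.0.2.12", 80),
             ("192.0.2.10", 80), ("192.0.2.11", 443)]
    for i, (src, dport) in enumerate(legit):               # second 0: three real clients
        lines.append(f"1089800000 TCP {src}:{40000 + i} -> 203.0.113.10:{dport} S")
    for i in range(120):                                    # second 1: 120 SYNs, 120 sources
        lines.append(f"1089800001 TCP 198.51.100.{i + 1}:{1024 + i} -> 203.0.113.10:80 S")
    for i in range(80):                                     # second 2: UDP to 80 random high ports
        lines.append(f"1089800002 UDP 198.51.100.{i + 1}:{2000 + i} -> 203.0.113.10:{30000 + i}")
    return lines


if __name__ == "__main__":
    for ts, row in triage(build_sample_log()).items():
        print(ts, row)
```

The `off_policy` count is the traffic the suggested ISP ACL (TCP 80/443 only, SYNs rate-limited) would have dropped before it reached the customer's firewall; in the sample it is exactly the UDP scatter second, which matches Andrew's observation that the UDP noise was what killed the firewalls.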