WebApp Sec mailing list archives

RE: Problems with IIS


From: "Andrew van der Stock" <vanderaj () greebo net>
Date: Thu, 12 Aug 2004 02:20:48 +1000

Sorry for missing this thread. 

I have been assisting a customer who survived the Kazakhstan / Russian
extortionists, who DDoS'ed my customer's site for days at a time. The
attacks consumed so much bandwidth, it took out all of *Australia* using the
Southern Cross undersea cable for 30 minutes early one morning, and took out
the entire Northern Territory several times in a row. 

There is no technical "solution" to DDoS except geographically distributed
servers, such as Akamai. Even then, it does not always work.

Reducing the battle fleet sizes is very important. FORCING everyone to
automatically patch their boxes, keep anti-virus up to date, and outlawing
the creation of malicious software, zombies and spyware all would help. XP
SP2 default configuration is a step in the right direction here and
definitely part of the solution. 

In the attacks I have seen, there are no real addresses to block as all
packets are spoofed. DDoS "shields" were useless for us, and hide the
information you need to figure out what really happened using real network
IDS like Snort or similar. 

For this reason, I would like to see Cisco, Nortel, and other carrier
equipment providers (DSLAMs, digital modem banks, etc) drop source packet
routing and spoofed source IP addresses. There is no valid reason to route
fake packets. Ever. ISP customers who fake IP packets should be shunted to a
quarantine area for assistance to clean up their PCs.

Work with your ISP to determine if they can shape and ACL your upstream
router, so you don't have to deal with a lot of data coming in. For example,
if you limit SYNs to say 40 - 50 a second, and only allow port 80 and 443
inbound, and the rest is blocked by the ISP, you are likely to be able to
survive script kiddie level attacks (10-100 zombies). Most of the zombie
traffic we had in the first two attacks was random UDP traffic on zillions
of ports. This was uselessly sent through and hit the firewalls, which
promptly died under the load. 

Lastly, you may be able to work on null routing your BGP AS outside your own
country. We did this to great effect during the worst attacks. There was
still a background hit from infected zombies from within Australia, but not
enough to take anyone off the air. 

The only true solution is extradition and lengthy jail sentences for the
criminals who launch DDoS attacks proportionate to the damage committed,
including looking at the type of battle fleet the crims are running. For
example, a script kiddie with 100 desktops would get less time than the
organized crime hood who has a battle fleet of 10,000 (or more) compromised
hosts.

If there is an extortion letter, the best bet is to take it to law
enforcement immediately and do not correspond with the criminals until after
you have talked to the police. You are almost certainly not the only one
being targeted. 

If you get stuck, I can put you in contact with the right law enforcement
people for Australia who can direct you to the right people in your area. 

Andrew

-----Original Message-----
From: Bénoni MARTIN [mailto:Benoni.MARTIN () libertis ga]
Sent: 16 July 2004 09:07
To: Dinis Cruz
Subject: RE: Problems with IIS

Huh, I had a question for you then: is there something new in Windows 2003
and/or in IIS 6.0 which will help us to avoid DoS attacks?



From: Marcelo Leão Caffaro [mailto:leao () employer com br]
Sent: 14 July 2004 11:25
To: webappsec () lists securityfocus com
Subject: Problems with IIS

Hi, I'm a security analyst for a big website. This website handles on
average 1000 simultaneous accesses, and my problem is:

My server is IIS 5.0 running on Microsoft Windows 2000 Advanced
Server, with 2 GB of RAM.

The website works like this: add a new curriculum vitae (totally free),
search for new job opportunities (free), or, if the user pays the monthly
plan, the user can see the total description of the job opportunities
(name of employer, address, etc.).

The most recent job opportunities are sent to VIP users.


In the last 2 days I have seen an abnormal number of visits to the site.
After checking the log I see a difficult method of attack: this attack
works with simultaneous connections. If I check the website database, I
can see 30 or 50 queries to the website database (MS-SQL), but in the log
in one second I have more than 30 IPs. The log does not contain any known
attack string, unicode, or another IIS bug; the log has the URL only.

My dllhost stays at 950 MB and I have a dllhost error. After a reboot,
one or 2 seconds after the network restarts, the process CPU is at 100%. I
think this attack is about many bots making numerous queries in the
database to decrease the web performance.

My question is, what is the best way to stop this type of attack? If I
make one session with IP, cookies and reverse DNS, can I stop this?

Can anyone help me?
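The pattern described in the post above (more than 30 distinct client IPs in a single log second, all hitting database-backed pages) can be surfaced from the IIS W3C extended log itself. This is an added example, not code from anyone in the thread; the log lines are constructed, and the threshold of 30 is a stand-in for whatever a site's normal load shows.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format (not from the thread). The
# "#Fields:" header drives the parser, as it does for real IIS 5.0/6.0 logs.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-07-13 10:15:00 192.0.2.10 GET /search.asp q=java 200
2004-07-13 10:15:00 192.0.2.11 GET /search.asp q=java 200
2004-07-13 10:15:00 192.0.2.12 GET /search.asp q=java 200
2004-07-13 10:15:00 192.0.2.13 GET /search.asp q=java 200
2004-07-13 10:15:01 192.0.2.10 GET /jobs.asp - 200
2004-07-13 10:15:05 198.51.100.7 GET /index.asp - 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def flood_seconds(records, max_ips=30):
    """Return {second: (distinct client IPs, requests, most-hit URI)} for
    every second in which more than max_ips distinct IPs sent requests."""
    per_sec = defaultdict(lambda: {"ips": set(), "hits": 0, "uris": defaultdict(int)})
    for r in records:
        bucket = per_sec[f"{r['date']} {r['time']}"]
        bucket["ips"].add(r["c-ip"])
        bucket["hits"] += 1
        bucket["uris"][r["cs-uri-stem"]] += 1
    flagged = {}
    for sec, bucket in sorted(per_sec.items()):
        if len(bucket["ips"]) > max_ips:
            hottest = max(bucket["uris"], key=bucket["uris"].get)
            flagged[sec] = (len(bucket["ips"]), bucket["hits"], hottest)
    return flagged


if __name__ == "__main__":
    # max_ips=3 only so the tiny constructed sample trips the check.
    for sec, (ips, hits, uri) in flood_seconds(parse_w3c(SAMPLE_LOG), max_ips=3).items():
        print(f"{sec}: {ips} distinct IPs, {hits} requests, hottest URI {uri}")
```

The hottest URI per flagged second is what tells you which page's queries are loading MS-SQL; with spoofed or widely distributed sources, that is usually a better lever (caching, query limits) than per-IP blocking.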