WebApp Sec mailing list archives

RE: Problems with IIS


From: <sk3tch () sk3tch net>
Date: Wed, 14 Jul 2004 12:37:21 -0500

Have you verified with your developers that no new code updates have
been pushed to production in the last few days?  These symptoms are very
similar to "normal" issues with flaky COM+ components...dllhost eating
CPU and using tons of memory.  Also, if you have 1,000 connections at
any one time, dllhost using that amount of memory is relatively normal
depending on what everyone is doing.
 
In my experience, issues with dllhost spiraling out of control relate to
an application issue most of the time.  In one case, it ended up being
an issue with a database query that a developer had pushed out.  Since
it didn't have adequate parameters to "control" it - users were pulling
ENTIRE record sets instead of being limited to a smaller subset at a
time.
 
If you're still determined it is an attack, you can try deploying
URLScan for a period of time and then analyzing what it catches.
Alternatively, (as you've already done) comb your IIS logs consistently.

________________________________

From: Marcelo Leão Caffaro [mailto:leao () employer com br]
Sent: Wed 7/14/2004 6:25 AM
To: webappsec () lists securityfocus com
Subject: Problems with IIS


<snip>
In the last 2 days I have seen an abnormal number of visits to the site.
After checking the log, I see one difficult method of attack; this attack
works with simultaneous connections. If I check the website database, I
can see 30 or 50 queries to the website database (ms-sql), but in the
log, in one second, I have more than 30 IPs. The log does not contain a
known attack string, Unicode, or another IIS bug; the log has the URL
only....

My dllhost stays at 950 MB and I have a dllhost error; after a reboot,
one or 2 seconds after the network restarts, the process CPU is at 100%.
I think this attack is about many bots making numerous queries to the
database to decrease the web performance....
<snip>
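
The log review suggested in the reply, sketched as an added example that is not part of the original thread: it counts distinct client IPs per second and hits per URL in a W3C extended format log, so a burst of many IPs can be compared against which page is actually taking the load. The sample log lines, the `ip_threshold` parameter and the function names are constructed for illustration, and the log is assumed to record the `date`, `time`, `c-ip` and `cs-uri-stem` fields.

```python
from collections import Counter, defaultdict

# Constructed sample in W3C extended log format (not from the thread).
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-07-14 10:00:01 192.0.2.10 GET /search.asp 200
2004-07-14 10:00:01 192.0.2.11 GET /search.asp 200
2004-07-14 10:00:01 192.0.2.12 GET /search.asp 200
2004-07-14 10:00:01 192.0.2.13 GET /search.asp 500
2004-07-14 10:00:02 192.0.2.10 GET /default.asp 200
2004-07-14 10:00:02 192.0.2.10 GET /search.asp 200
2004-07-14 10:00:03 192.0.2.14
"""


def parse_w3c(lines):
    """Yield one dict per request, keyed by the most recent #Fields line."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for rows that follow
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated or corrupt rows
                yield dict(zip(fields, values))


def summarize(lines, ip_threshold=3):
    """Return (busy_seconds, hits_per_uri).

    busy_seconds maps "date time" to the number of distinct client IPs,
    for seconds where that number reaches ip_threshold (hypothetical knob).
    """
    ips_per_second = defaultdict(set)
    hits_per_uri = Counter()
    for row in parse_w3c(lines):
        ips_per_second[row["date"] + " " + row["time"]].add(row["c-ip"])
        hits_per_uri[row["cs-uri-stem"]] += 1
    busy = {sec: len(ips) for sec, ips in ips_per_second.items()
            if len(ips) >= ip_threshold}
    return busy, hits_per_uri


if __name__ == "__main__":
    busy, uris = summarize(SAMPLE_LOG.splitlines())
    print("seconds with many distinct IPs:", busy)
    print("most requested URLs:", uris.most_common(5))
```

If one URL dominates the busy seconds, that page and the query behind it are the first thing to review with the developers.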






